Social engineering is a form of fraud that relies on exploiting weaknesses in human decision-making. Rather than breaking into systems or stealing outright, scammers who use social engineering manipulate people into transferring money or divulging credentials and confidential information. Between October 2013 and May 2018, these scams led to a reported 40,000 domestic U.S. victims and roughly $2.9 billion in U.S. losses.
Email phishing is one of the most common forms of social engineering, and many organizations have trained employees to spot phishing emails. Social engineering has come a long way, however, from the deposed kings promising riches of the classic advance-fee email. Today's scams are often subtle, targeted, and complex, and as they evolve, organizations must keep training employees to be cautious and skeptical.
The most devious and effective form of social engineering is fraud targeted at a specific company, commonly called business email compromise (BEC). The scammers research an organization through publicly available information (company websites, press releases, social media profiles) and use it to identify and approach the employees authorized to transfer money. They then lace their requests with credible details: real names, current projects, a plausible vendor. This degree of planning gives the ruse an air of legitimacy that disarms employees' suspicions.
While the methodology of these scams keeps shifting, scammers have been known to impersonate senior executives, vendors, and bank officials to perpetrate their schemes. Using a combination of phone calls and emails, often sent from a spoofed or lookalike address, they push employees to act carelessly or bypass protocols by pressuring them with demands for confidentiality, urgent deadlines, and threats to job security.
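The signals just described (a familiar name on an unfamiliar address, a domain one character off from a real one, replies quietly routed elsewhere, and language that rushes or silences the recipient) can be checked mechanically before a message reaches a payment approver. The screening script below is an added example written for this article, not code from the original page or from any vendor. The company domain, executive roster, approved vendor list, pressure-phrase list and the three sample messages are all constructed assumptions for illustration.

```python
"""Flag inbound mail that shows the impersonation and pressure signals
described above.

Added example for this article, not code from the original page or from
any vendor. The company domain, executive roster, vendor list, phrase list
and the three sample messages are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: our own domain
EXECUTIVES = {                                      # assumption: roster of likely
    "Jane Doe": "jane.doe@example.com",             # impersonation targets
    "Sam Lee": "sam.lee@example.com",
}
VENDOR_DOMAINS = {"acme-supplies.com"}              # assumption: approved vendors
TRUSTED_DOMAINS = {COMPANY_DOMAIN} | VENDOR_DOMAINS

# Wording used to rush the target or keep them quiet (assumed list).
PRESSURE_PHRASES = [
    r"\bkeep (this|it) confidential\b",
    r"\bdo not (discuss|tell|mention)\b",
    r"\burgent(ly)?\b",
    r"\bimmediately\b",
    r"\bbefore (close of business|cob|eod)\b",
    r"\bwire\b",
    r"\b(new|updated|changed) (bank|banking|account) (details|information)\b",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'examp1e.com' style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message: str) -> dict:
    """Return identity flags, a pressure-phrase count and a verdict."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    flags = []
    # Display name of a known executive, but the address is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        flags.append("executive display name on foreign address")
    # Sender domain is within two edits of a trusted domain but is not it.
    if any(0 < edit_distance(sender_domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append(f"lookalike domain {sender_domain}")
    # Replies are silently redirected to a different domain.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        flags.append("Reply-To points to another domain")

    pressure = sum(1 for p in PRESSURE_PHRASES if re.search(p, text, re.I))

    if flags:
        verdict = "hold"      # identity mismatch: verify out of band before acting
    elif pressure:
        verdict = "review"    # urgency alone is not proof; real requests are urgent too
    else:
        verdict = "deliver"
    return {"verdict": verdict, "flags": flags, "pressure_hits": pressure}


# Constructed sample messages (not real mail).
IMPERSONATION = "\n".join([
    "From: Jane Doe <jane.doe@examp1e.com>",
    "Reply-To: Jane Doe <jane.doe.ceo@freemail.example>",
    "Subject: Quick favour",
    "",
    "I need you to wire $48,000 to the account below before close of business.",
    "This is urgent. Keep this confidential and do not discuss it with anyone.",
])
VENDOR_INVOICE = "\n".join([
    "From: Acme Supplies <billing@acme-supplies.com>",
    "Subject: Invoice 1042",
    "",
    "Attached is invoice 1042 for March. Payment terms are net 30 as usual.",
])
GENUINE_RUSH = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "Subject: Board deck",
    "",
    "Can you send me the Q3 vendor spend summary before EOD? It's urgent for the board deck.",
])

if __name__ == "__main__":
    for label, sample in [("impersonation", IMPERSONATION),
                          ("vendor invoice", VENDOR_INVOICE),
                          ("genuine rush", GENUINE_RUSH)]:
        print(label, screen(sample))
```

The verdict logic deliberately separates identity signals from pressure language: a genuine executive does send urgent mail, so urgency on its own only earns a second look, while a name or domain mismatch is held until the request is confirmed with the purported sender through a channel the email did not supply.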
These scams succeed at a high rate because they manipulate emotions and desires. Fear, greed, trust, and helpfulness are the most effective tools scammers have, and a well-crafted pretext usually plays on more than one at once.
To reduce the risk of falling victim, split monetary transfer duties between employees so that no single person can initiate and approve a payment alone, and require that any change to a payee's bank details be verified by calling the payee back on a number already on file, never one supplied in the request. Companies should also state clearly how confidential requests are to be handled, since scammers often demand confidentiality precisely to stop their targets from asking a colleague. Staying aware of current schemes, training employees to recognize questionable emails and calls, and consistently enforcing these controls can mitigate or prevent losses from social engineering scams.