Fraud: It’s Social

SAWSocialEngineering

Mitigating fraud is especially critical to business success today. Regardless of what industry you’re in, the threat of fraud impacting you or your customers is ever-present. The impact may be financial, loss of trust, damage to reputation, or all of these. And the perpetrators of fraud are growing both in number and in sophistication, which leads us to the topic of social engineering.

One definition provided by Techtarget.com lists social engineering as “an attack…that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” While awareness of social engineering is growing, the actual theft of money and confidential information obtained through social engineering is growing faster. According to the FBI, thieves stole nearly $750 million in (email phishing) scams from more than 7,000 companies in the U.S. between 2013 and 2015.

Social engineering uses the good will of employees and customers, who often believe they are being helpful, to acquire confidential information. How does this evolve into a crime? Social engineering data is taken from a broad and meaningful set of sources by deceiving users to disclose information and from publically available sources such as Facebook or professional aggregation sites such as spokeo.com or, by purchasing stolen data that is readily for sale online. This information is analyzed in conjunction with other data to enable serious crimes that may be perpetrated later on. Once a criminal has enough information, they no longer need to steal money by brute force, but simply log on as an employee, posting real credentials and security information, and steal money in what appears to be a legitimate transaction. So what should a business do to prevent fraud that may go undetected for some time?

Companies are now employing best practices that extend beyond the fraud software used in today’s business operations —they include the integration of deep technology controls and dynamic cybersecurity practices into more traditional risk management techniques. The success of this effort depends on the ongoing, up-to-date expertise of a company’s staff with respect to rapidly changing security threats. Staff training and scenario planning need to be a constant effort with reminders to people throughout the organization to be on the lookout for the unusual request or event.

Even with strong training and due diligence, a fraud event may well occur. When it does, the business should have a three-part response:

  1. Halt the event
  2. Assess the damage
  3. Address how to recover.

Finally, complacency is not acceptable. The nature of fraud will continue to evolve, creating new threats that need to be combatted with a proactive, disciplined approach by both businesses and the customers they serve.