Did you know there are thousands of cons perpetrated online every day? And whilst ransomware attacks and data security breaches tend to get the majority of headlines, the most common vulnerability for businesses and consumers alike is us, as humans.
Social engineering fraud takes advantage of human nature and makes people ripe for psychological manipulation.
It’s social engineering fraud that tricks you into giving over personal details on the phone. It’s social engineering fraud that exploits your employees and encourages them to hand out your business credentials. It’s social engineering fraud that sees your grandma fleeced of her life savings.
Social engineering fraud is the confidence trickster’s number one staple. It exploits our sense of urgency, vulnerability and lack of attention to detail.
While buggy code and software vulnerabilities can be patched, social engineering fraud is harder to prevent. Even the savviest can be tricked. It was social engineering fraud that enabled the hacking of Joe Podesta’s (Hillary Clinton’s campaign chair) Gmail account, despite the fact that Podesta had once authored a report on cybersecurity for President Obama.
So, if even the savviest of us can be tricked – how do we avoid falling foul of phishing scams and ‘Nigerian’ bankers?
One word. History…
Social engineering scams generally follow a particular pattern of behaviour. Whether it’s the con man trying to sell you on a pyramid scheme or the scammer trying to gain access to your computer, social engineering fraud has a long history and you can learn from it.
Let’s start with a few of the greats.
The great Eiffel Tower swindle
Hungarian-born US-based conman Victor Lustig is known for pulling off one of the biggest cons of all time – selling off the Eiffel Tower. How was he able to pull off this audacious trick? According to the memoir of U.S. Secret Service agent James Johnson, Lustig arrived in Paris in the summer of 1925 and immediately began setting up for his biggest con yet.
First, Lustig commissioned credentials to prove his bona fides, including stationery carrying the official French government seal. He then set himself up at a palatial hotel, presenting himself as a government official. Lustig sent out invitations to the leaders of the scrap metal industry, inviting them to a meeting. He advised those who accepted that the Eiffel Tower was set to be dismantled due to engineering faults and invited them to bid for the tender. Lustig had judged his marks well and the money flowed in! He sold the Tower not once, but twice!
The Ponzi scheme
Named for its original perpetrator, Charles Ponzi, a Ponzi scheme relies on ‘robbing Peter to pay Paul’. Ponzi attracted investors to his get-rich-quick schemes with the promise of fast money. Initially, he made good on his promise: early investors in a scheme were paid dividends from the money invested by later investors. Encouraged by the quick wins, they would then invest more, oftentimes encouraging friends and family to invest too. The quick wins eventually dried up, with Ponzi making off with the cash and the last investors left holding the bag. Modern-day conman Bernie Madoff took things to the next level in 2009 when he pleaded guilty to conducting a large-scale Ponzi scheme in which investors were swindled out of a reported $65 billion.
The bank job
The year was 1978 and Stanley Mark Rifkin was a computer consultant at a California bank. The bank operated a wire transfer room which allowed money to be transferred from one bank to another by way of an authorisation code which changed daily.
Rifkin used his position as a consultant to make his way into the wire transfer room under the pretext of checking a fault. Once inside, he took the opportunity to memorise the daily transfer code which the staff had recorded and pinned to the wall. After memorising the code, Rifkin left the room and then called the bank, posing as an employee of the bank’s international division. He requested a transfer of 10 million dollars to an offshore account. In doing so, Rifkin pulled off the (then) largest bank heist in US history.
Social engineering today
Today’s social engineering fraudsters have adapted the techniques of years gone by for a modern world. Business Email Compromise (BEC) scams are amongst their favourite methods for swindling hard-earned cash from SMEs. According to data from Norton, 400 businesses on average are hit by BEC scams daily.
In a BEC scam, the scammer pretends to be the CEO or MD of a company and requests an urgent transfer of funds. Oftentimes the email will come with an innocuous subject line and will be sent from a mimicked address that may differ from the real one by just one letter. At first glance, this email may seem legit, but upon further investigation its true origins will be found. In 2016, Austrian aerospace company FACC fell foul of a BEC scam to the tune of $47 million. The company promptly fired its CFO, who had authorised the transaction.
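The "one letter off" sender address described above is something a mail filter or help desk can check for mechanically. The following is an added example, not code from the original article: it compares the domain in an incoming From: header against a list of domains the organisation trusts and flags any that are within one edit of a trusted domain (after folding common look-alike substitutions such as "rn" for "m" or "1" for "l") without being identical to it. The trusted domains, sample messages and addresses are constructed for illustration.

```python
"""Flag look-alike sender domains in incoming e-mail (added example).

A look-alike is a domain that is not on the trusted list but sits within
a small edit distance of one that is. Exact matches are reported as
trusted, anything else as unrelated.
"""
from email.utils import parseaddr

# Hypothetical domains this organisation treats as its own.
TRUSTED_DOMAINS = {"example.com", "example-finance.com"}

# Character sequences that render almost identically to the eye.
# Applied before comparison so "exarnple.com" is measured as "example.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: substitutions, insertions and deletions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case a domain and fold visually confusable sequences."""
    domain = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        domain = domain.replace(lookalike, canonical)
    return domain


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'CEO <ceo@x.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_verdict(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one From: header."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    folded = normalise(domain)
    for good in trusted:
        if edit_distance(folded, normalise(good)) <= max_edits:
            return "lookalike"
    return "unrelated"


# Constructed sample messages: a genuine one, two impersonations and a stranger.
SAMPLE_MESSAGES = [
    {"from": "CEO <ceo@example.com>", "subject": "Lunch on Friday"},
    {"from": "CEO <ceo@examp1e.com>", "subject": "Quick favour"},      # digit 1 for l
    {"from": "CEO <ceo@exarnple.com>", "subject": "Urgent transfer"},  # rn for m
    {"from": "Supplier <billing@supplier.net>", "subject": "Invoice"},
]


def scan(messages):
    """Return (From header, verdict) pairs for a batch of messages."""
    return [(m["from"], lookalike_verdict(m["from"])) for m in messages]


if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:10} {header}")
```

Levenshtein distance counts a swapped pair of letters (exampel.com) as two edits, so with `max_edits=1` that variant would pass as unrelated; raising the threshold catches it at the cost of more false positives, which is the usual trade-off when tuning this kind of filter. A flagged message is a prompt for the recipient to verify the request out of band, not proof of fraud on its own.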
Of course, perhaps the most common of all social engineering scams is the phishing scam. Hackers mimic a company’s branding to create websites and send convincing emails that appear to come from a legitimate source. These email scams will usually trick the user into clicking on a link, which then gives the attacker access to their computer by installing malware on the sly.
Staying ahead of the game
Keeping your software and security programs up to date is the first step to protecting your SMB from malware and social engineering attacks. Educating your staff is also vital to reduce the risk of employees being manipulated. A cybersecurity plan should be in place to reduce the risk to the business and to set out what to do should staff believe they have been attacked. Cyber insurance is also essential to ensure your business has adequate financial protection and can get back on its feet rapidly should you experience the worst-case scenario.