Social Engineering and Its Threat to Business Security and Sustainability

Here's how to recognize and defend against social engineering and its different forms of manipulation in digital spaces.

Written by: Tyler Adams
Read time: 3 min
Category: Cybercrime
Published on: Apr 17, 2024

Incidents of social engineering are on the rise, causing billions in losses for businesses and consumers. For any business that transacts digitally, it’s important to recognize the signs of social engineering and adopt a cyber security strategy to disrupt it before it disrupts your business operations and profits. 

Let’s take a deeper look at social engineering and how it’s being used to defraud businesses and individuals today.

What is social engineering and how does it harm businesses?

Social engineering is the act of manipulating people to enable crime.

When it comes to cyber crime, social engineering can involve deception, impersonation, and relationship-building. Once a scammer has gained a person’s trust, they can convince them to divulge sensitive information, provide access privileges, or wire funds to their own untraceable accounts. Like burglars, fraudsters can and still do break in to steal business assets, but what if they could stride through the front door with a gracious smile instead? That’s the aim for social engineers—currying favor with people until they voluntarily “open the door” to fraud.

It’s common to associate human manipulation with vulnerable populations, like elderly dementia patients who might unwittingly donate their wealth to a fake charity, but it’s less common to recognize the risks to tech-savvy professionals. Yet social engineering succeeds with sophisticated staff every day. In fact, incidents of social engineering impacting businesses nearly doubled last year and the median value of the thefts rose to $50,000.

Social engineering exploits our brains’ cognitive wiring, like our subconscious inclination to recognize patterns, respond positively to charisma, help the people we respect, obey authority, or correct urgent problems. Victims aren’t necessarily being careless, they’re just being human. They’re also often excelling at some of the same practices that help businesses succeed, like excellent customer service, intellectual curiosity, and rapid problem solving. Technical controls alone won’t protect businesses from psychological attacks that prey on high-performing people, because the attack is designed to be let in rather than to break in, but there are strategies that work.

Types of Social Engineering

There are a number of synonyms and subcategories of social engineering. Knowing them enables entrepreneurs to assess cyber crime risks and prevent attacks.

Business Email Compromise (BEC)

Business email compromise (BEC) is consistently among the costliest crime types in the FBI’s Internet Crime Report, published by the Internet Crime Complaint Center (IC3). In BEC, scammers either spoof a trusted business address or take over a real mailbox, then send email that mimics a legitimate business communication, typically a request for payment, a change of banking details, or sensitive information they can use to commit fraud. For example, a colleague might receive a convincing email that appears to come from the IT department asking for their password so that “important software updates” can be applied. Once the attacker holds those credentials they can read the real mailbox, learn which invoices are pending, and send payment instructions from the genuine account, which is why a BEC message often passes every technical email check and can also be used to steal company data for ransom.

Pretexting

Pretexting occurs when scammers fabricate a plausible premise that makes handing over credentials or sending money seem like the normal thing to do. For example, a fraudster could impersonate a vendor and create the pretext that an invoice is due and that the vendor has “changed banks,” so payment must go to a new account that the fraudster controls.

Phishing

Phishing refers to social engineering delivered via email, text messages (smishing), phone calls (vishing), or messaging apps. Scammers lure victims into disclosing credentials or wiring funds through convincing pretexts or sham login pages. For example, a scammer impersonating a corporate banking rep might call someone in accounting, claim to have detected fraud on the account, and ask the employee to “confirm” their identity, credentials, security questions, and recent transactions. Once the employee has divulged that information, the scammer can log in and wire funds out of the company accounts. A genuine bank will not ask for a password or one-time code over the phone, and calling back on the number printed on the bank’s own statements defeats the impersonation.

Baiting

Social engineers can entice victims into enabling fraud by offering something they want or need. For example, a scammer could send an email offering a supposed list of lucrative new client prospects. When the victim downloads and opens the file, they might unintentionally install malware. Once malware is running on a device or server, it can harvest banking details, login credentials, client identities, or active sessions, and funds can follow.

Quid Pro Quo (This for That)

Social engineering can involve the exchange of assets or favors. For example, a scammer impersonating a colleague could offer to finish a tedious manual task so the real employee can leave early, in exchange for a similar favor in the future. The employee hands over their login so the “colleague” can finish the work; instead of finishing the task, the scammer uses the credentials to commit fraud. Shared credentials also destroy the audit trail, since every action now appears to have been taken by the employee.

“Pig Butchering” Schemes

This graphic term draws its meaning from the practice of gradually fattening livestock before slaughter, and it originally described long-running investment scams in which victims are groomed for weeks or months. In these schemes, social engineering takes place over time, with multiple touchpoints aimed at building close, trusting relationships with victims before asking for funds or accessing their wealth.

In the context of the real estate industry, this could take the form of seller impersonation fraud. Over time, a scammer impersonating a property owner could build a rapport with a realtor and a buyer, ultimately convincing them to pay for a property that wasn’t ever truly for sale.

“Pig butchers” can take elaborate steps like stealing pieces of mail to determine the vendors that serve your business and creating business cards, email signatures, and even uniforms that appear indistinguishable from the real things.

Social Engineering Prevention for Professionals

Firewalls, two-factor authentication, and perimeter security are all important cyber security practices for keeping fraudsters from forcing their way in, but businesses need to take a human-centered approach to counteract social engineering, which is designed to be let in. Verizon’s Data Breach Investigations Report attributed roughly three quarters of breaches (74% in the 2023 edition) to “the human element,” a category that covers social engineering alongside stolen credentials, privilege misuse, and error.

Businesses can start with regular cyber security training for staff so they understand risks and learn to recognize threats. Cyber security consultants can help reinforce training by testing employees with simulated phishing emails and reporting who clicked, who reported the message, and how quickly.

Required security procedures supplement training by enforcing the best practices staff have learned, and they reduce how much rides on any one person’s judgment in the moment. For example, imagine that an accountant receives an urgent email, supposedly from the CEO, instructing them to wire funds as part of an important transaction they have been anticipating for months. Even when every social cue and professional expectation is pushing the accountant to obey the CEO without delay, procedure dictates that they still verify the sender’s identity and the banking details through a channel the email did not supply: a call back to a number already on file, never the number in the message, and a check of the account against the vendor or counterparty record. Any change of bank details is treated as unverified until that call has happened. Software like CertifID facilitates these procedures for businesses so they never need to second-guess staff on high-stakes transactions.
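The procedure just described, and the BEC pattern from the section above, can be written down as a screening step that accounts payable runs before releasing a wire. The example below is added here for illustration and is not CertifID’s code or the page’s own; the vendor record, the three sample requests, the lookalike-domain heuristics and the finding names are all constructed. It flags the classic BEC signals (sender domain that only looks like the vendor’s, a Reply-To pointing elsewhere, changed bank details, urgency language) and refuses to approve a changed account until a call-back to the number already on file has been recorded. The takeover case shows why the procedure matters: a message sent from the vendor’s genuine, compromised mailbox passes every domain check, and only the call-back rule holds it.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorRecord:
    name: str
    email_domain: str      # domain the vendor really uses
    bank_account: str      # account on file, confirmed when the vendor was onboarded
    callback_phone: str    # phone on file; never use a number printed in the request


@dataclass
class PaymentRequest:
    sender_email: str
    reply_to: Optional[str]
    subject: str
    body: str
    bank_account: str                 # account the request asks to be paid into
    callback_verified: bool = False   # set only after a call to VendorRecord.callback_phone


# Pressure phrases typical of BEC and CEO-fraud messages (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential", "do not call")


def normalize_domain(address: str) -> str:
    """Lower-case the domain part of an address; NFKC folds fullwidth/compatibility lookalikes."""
    domain = address.rsplit("@", 1)[-1]
    return unicodedata.normalize("NFKC", domain).strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats (acme.co vs acme.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(observed: str, expected: str) -> bool:
    """True when a domain differs from the real one only by a common BEC substitution."""
    if observed == expected:
        return False
    folded = observed.replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")
    return folded == expected or edit_distance(observed, expected) <= 1


def screen_request(req: PaymentRequest, vendor: VendorRecord) -> list[str]:
    """Return the BEC indicators present in a payment request, in a fixed order."""
    findings = []
    sender_domain = normalize_domain(req.sender_email)
    expected = normalize_domain(vendor.email_domain)
    if sender_domain != expected:
        findings.append("sender-domain-mismatch")
        if is_lookalike(sender_domain, expected):
            findings.append("lookalike-domain")
    if req.reply_to and normalize_domain(req.reply_to) != sender_domain:
        findings.append("reply-to-differs")
    if req.bank_account != vendor.bank_account:
        findings.append("bank-account-changed")
    text = f"{req.subject} {req.body}".lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-pressure")
    return findings


def decide(req: PaymentRequest, vendor: VendorRecord) -> tuple[str, list[str]]:
    """'approve' or 'hold'. A changed account is never approved without an out-of-band call-back."""
    findings = screen_request(req, vendor)
    blocking = [f for f in findings if f != "bank-account-changed"]
    if blocking:
        return "hold", findings
    if "bank-account-changed" in findings and not req.callback_verified:
        return "hold", findings
    return "approve", findings


# Constructed sample data: one vendor on file and three incoming requests.
VENDOR = VendorRecord("Acme Supplies", "acme-supplies.com", "US-1234-5678", "+1-555-0100")
LEGIT = PaymentRequest("ap@acme-supplies.com", None, "Invoice 4471",
                       "Please remit per the attached invoice.", "US-1234-5678")
LOOKALIKE = PaymentRequest("ap@acrne-supplies.com", "billing@mail-acme.net",
                           "URGENT: updated remittance details",
                           "We changed banks; wire today to the new account. Do not call, I am travelling.",
                           "GB-9999-0001")
TAKEOVER = PaymentRequest("ap@acme-supplies.com", None, "Invoice 4472 - new bank",
                          "Our account changed, see new details.", "GB-9999-0001")

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("takeover", TAKEOVER)):
        print(label, decide(req, VENDOR))
```

The interesting output is the takeover case: `screen_request` reports only `bank-account-changed`, because the sender really is ap@acme-supplies.com, and `decide` still returns `hold` until `callback_verified` is set after a call to the number on file. Flip that flag and the same request is approved with the account change logged as a finding, which is the record you want when the change turns out to be real.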

Since social engineering is one weapon in a fraudster’s full arsenal, effective business leaders should build a full cyber security toolkit to match, one that covers all four bases: Hardware, Software, Procedure, and People. Get the full Guide to Fraud Prevention to disrupt social engineering targeting your business, or learn more about how CertifID can keep you safe from the dangers of wire fraud and social engineering.

Tyler Adams

Co-founder & CEO

Tyler brings a decade of leadership experience developing and launching technology businesses. Before co-founding CertifID, Tyler led new product development at BCG Digital Ventures for Mercedes-Benz, First American Financial, Boston Scientific, and Aflac.
