Few fraudsters can bypass the advanced cybersecurity systems, and most of them choose the oldest trick in the book: they attack people instead of systems. Naivety, curiosity, and trustfulness are qualities inherent to more people than we can imagine. So why hack computer systems if you can just pull a con game?
A largest Russian bank has called social engineering one of the most popular ways of fraud in 2018. By exploiting human weaknesses, criminals get access to confidential personal and commercial information. Only 20% of fraud cases in the last year were not based on social engineering. This means that 80% cybercrimes were the result of psychological manipulation and cheating.
Evil “good” buyer
The most common scheme involves websites with free ads. Someone calls the person who has placed an ad and says that he is ready to make the purchase and transfer money to the banking card. Then he requests not only the card number but also other card credentials. Naïve victims carelessly disclose them and lose their money. Having received all the necessary data, the intruder can make operations on banking cards in the name of its owner.
Antifraud saves the day
Intellectual fraud monitoring is one of the systems used by banks to protect their clients and their assets. Such a system analyzes over 100 M transactions per day and detects the most suspicious ones. If the system doubts the legitimacy of the operation, it blocks it. The number of system errors is insignificant compared to the amount that have been saved thanks to fraud monitoring. Imagine that from the start of the year, the Sberbank Cybersecurity Center has saved 32 B RUB from cybercriminals! Has it protected your money? As likely as not.
Just don’t be naïve
Information security is the thing you need to keep maintaining both in business and in personal life. You cannot provide it once and for all because not only the threats change, but we change as well, and the ways how we interact with the surrounding environment changes too.
It has been long since known that the more reliable the cybersecurity software becomes (security protocols, cryptography, encryption, retinal authentication, locks, and safes), the more relaxed the user becomes. As a result, while the cybersecurity systems operate flawlessly, we become the weakest link in the perfect security system.
Do you know how fraudsters act?
- They can call you.
They can call more than once, from different numbers, introducing themselves as employees of familiar companies, including even the one where you work. A very popular example: someone calls you on a weekend and tells that the administrators are upgrading operating systems on all office computers. The voice is pleasant, businesslike, and polite. Ivan Petrovich, Head of the IT Department (whom you know personally!), asked you to get the password from your computer. Say the password and you will not have to come personally, and on Monday morning everything will be set up and updated on your PC. Would you spell your password to solve the problem as soon as possible? Unfortunately, you would be not the only one who did so. But technical support and admins would never ask for passwords. This confidential information is never shared, especially over the phone, and there are no exceptions (always remember that it is critically important not to repeat the passwords; passwords to the office laptop, accounts, and email must be different).
Fraudsters know how to collect data about the company and its employees without drawing attention. Therefore, you will be given both the correct address and the name of the real people. This is a well-known psychological technique used by quacks and fortune-tellers: if a half of the "prediction" is credible, the other half will be disclosed by the client himself.
Secretaries should be very careful with such calls. They are the ones, from whom the criminals try to find out who is called, who is sick and absent from the office, how are the workplaces located, etc.
- They can write an email.
They can write from an address that is indistinguishable from the address of your company, your partners, your bank, or the medical facility in which you are observed. Be vigilant—that's the only advice we can give. Don't open it, don’t save suspicious attachments, don't click on strange links from the message. Links can lead to web pages, the design of which is copied, say, from a real payment system or questionnaire, or online store (this year before Black Friday more than 400 shops faking Aliexpress appeared in the network). When you enter your data, you just just hand them to criminals.
- They can come personally.
Despite security cameras, restricted access, access cards, locks and fences, people can enter your premises and come to your office. Let's tell you a secret: there are many ways to do it. They can schedule an fake meeting or inspection, "come for an interview", deliver something or provide cleaning services, act like a mistaken or lost guest, or introduce themselves as a relative of the director. How does it threaten you? Theft, loss of both laptops and the contents of the “waste bin” (mostly e-mail prints), passwords on paper under the keyboards. They can also throw in infected physical media, if there is no specific purpose other than to harm the company as a whole.
The only means against social engineering is to train employees to be vigilant. The company should have rules and training on the issues of both personal and corporate security.