Beware of fraudsters—social engineering attacks on businesses are on the rise
Key Points
- Social engineers manipulate human emotions to get victims to let down their guard.
- AI technology is responsible for a new wave of attacks with surprisingly believable websites, emails, texts, ads and voice messages.
- The strength of a company's cybersecurity depends on every employee—read on for tips to protect your business.
Over the years, con artists have been called many names — hucksters, swindlers, grifters, flimflammers. You’ve read about them in literature, seen them in movies, and may have fallen under the spell of one in real life. They all apply psychological tricks to win your confidence before they pounce.
Today’s fraudsters are using digital devices and the internet for the big score with social engineering schemes targeting individuals and businesses. Now Artificial Intelligence (AI) technologies are enabling a new frontier of social engineering attacks. So brace yourself. AI-based attacks are expected to accelerate and threaten the cybersecurity of all businesses regardless of their size, according to a World Economic Forum report.
In this post, we’ll define what is meant by social engineering, provide examples of different types of social engineering, and give tips to protect your business and avoid phone scams.
What is social engineering?
Social engineering sounds like it could be a noble profession for someone wanting to lead a social service agency. But don’t be fooled by grand words, which is actually good advice when it comes to dealing with social engineers—aka digital crooks. In the cybersecurity world, social engineering is the act of manipulating human emotions to persuade victims to let down their guard and release sensitive information, which the attacker then uses to get access to their computers and steal data, money or both. Social engineers typically use phone calls, emails and text messages to contact victims, but can also resort to old-school methods like face-to-face meetings or letters sent through the postal mail.
In the early days, social engineering attempts were fairly easy to spot. Tell-tale signs included poor grammar, bad spelling, incorrect punctuation, urgent requests to take action right away, emails from public email domains instead of corporate accounts, and fantastic offers that were too good to be true. But some of today’s social engineers are using AI to create written, audio and video messages that are surprisingly believable and may even look and sound like people you know.
Types of social engineering
Social engineers have many tricks of the trade to deceive victims and get them to click on a malicious link, download a corrupt file or share private information. Here are a few of the communication methods at their disposal, along with attack examples:
- Mass emails or texts (phishing): Phishing campaigns distribute a large number of similar emails or texts to increase the odds of catching many off guard. The hooks vary. Some create fear—a threat of foreclosure because of a missed payment. Some demand speed—a notice that your company’s credit card will be locked if you don’t update your password NOW. Others spark curiosity—a video attachment of a beloved celebrity caught misbehaving.
- Targeted emails or texts (spear phishing or whaling): Think of these as personalized attacks with spear phishing going after employees at all levels and whaling focusing on high-level executives. The fraudsters take the time to prepare messages with details that are unique to specific enterprises or their employees. For example, a fraudster can learn about your recent promotion from a press release and send you an email that appears to be from your director of human resources asking you to download a new managers’ course that turns out to be malware.
- Phone calls (voice phishing or vishing): Be suspicious of all callers, be they humans or robots, who ask for personal information or direct you to a website so they can help you solve a problem you didn’t know you had. Say a friendly banker calls because your loan application is missing some info. When you tell them you didn’t apply for a loan, they immediately insist you must freeze your credit report and offer to help if you answer a few questions. Hang up immediately. Another form of vishing is when AI voice-changers create a voice mask to make a caller sound like a family member who is in trouble and desperately needs money.
- Fake websites (website or domain spoofing): Criminals create websites with the same branding and logos of well-known sites in an effort to get people to log into the mimicked site with their credentials and share credit card information. Be wary of clicking ads that take you directly to a fake URL, which may at first glance look like the real deal. Don’t fall for a site with a number or letter with an accent mark that replaces a regular letter in its URL.
- Social media: While social media offers wonderful virtual meeting spaces to share information with friends and professional colleagues, it can also share viruses. Don’t assume a PDF or video attachment is safe to open just because it appears in a friend’s post—that friend might actually be a fraudster.
Keep in mind that this is not a comprehensive list of all the various types of social engineering. Phishers are always crafting new lures to reel in their next catch.
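The lookalike-URL warning in the fake websites item above (a number or an accented letter standing in for a regular letter) can be checked automatically before a link is trusted. The following is an added example, not part of the original post; the `TRUSTED` allowlist, the digit-swap table and the sample URLs are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: replace with the domains your business really uses.
TRUSTED = ("example.com",)

# Assumed digit-for-letter swaps seen in lookalike names (not exhaustive).
DIGIT_SWAPS = str.maketrans("01357", "olest")

def skeleton(host):
    """Fold a hostname to plain letters so lookalikes compare equal."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):  # punycode form of a non-ASCII label
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: compare it as written
        labels.append(label)
    # Split accented letters into base letter + mark, then drop the marks.
    text = unicodedata.normalize("NFKD", ".".join(labels))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(DIGIT_SWAPS)

def _matches(host, domain):
    # Exact domain or a true subdomain of it (not merely a shared prefix).
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return (verdict, trusted_domain_or_None) for the URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in TRUSTED:
        if _matches(host, domain):
            return ("trusted", domain)
    folded = skeleton(host)
    for domain in TRUSTED:
        if _matches(folded, skeleton(domain)):
            return ("lookalike", domain)
    if not folded.isascii():
        return ("non-ascii", None)  # letters from another script remain
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://portal.example.com/", "https://examp1e.com/login",
                "https://ex\u00e1mple.com/", "https://example.com.evil.test/"):
        print(url, classify(url))
```

A "lookalike" verdict means the hostname only matches a trusted domain after digits and accents are folded away, which is the pattern the item describes; "non-ascii" flags hostnames that still contain letters from another alphabet and deserve a manual look.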
Tips to protect your business
Just like a chain is only as strong as its weakest link, the strength of your company’s cybersecurity depends on every employee. It only takes one employee to click on a malicious link that could bump your entire company offline until you pay a ransom.
- Encourage staff to be suspicious of not only every request for sensitive information, but every link in a text or email from an unknown sender. Being a skeptic is a good thing when it comes to fighting cyber criminals.
- Educate your employees about what social engineering really means and the fraud tactics it relies on, especially pretexting—the social engineering technique that fabricates a story (pretext) to win your trust and manipulate you into doing something harmful, like handing over private information.
- Invest in ongoing training to refresh your team’s fraud-detecting skills and to learn about new threats.
- Enable two-factor or multi-factor authentication. Yes, it can get a bit annoying to constantly verify that it truly is you logging into your account. But it’s nowhere near as inconvenient as getting hacked.
- Foster open communications by providing a forum where team members feel safe reporting fraud attempts they’ve encountered and sharing how they reacted.
- Read our blog post to learn about ways to prevent a ransomware attack on your business.
While AI technology is used by fraudsters to come up with more ways to trick and rob, the good news is that AI technology is also empowering cybersecurity businesses to detect suspicious behavior and issue warnings. With a little help from our friends, we can make technology work for us, not against us.
Learn more about how Ooma Office can help your business.