Social engineering techniques are growing in quantity and sophistication as cybercriminals capitalise on the fear induced by COVID-19 as well as consumers’ increased online presence to trick victims and defraud them.
The 2021 Verizon Data Breach Investigations Report (DBIR) shows a steady rise of social engineering attempts since 2017, but indicates a surge in phishing, ransomware and web application attacks in particular since the beginning of the pandemic.
During Fintech Fireside Asia’s latest panel discussion, experts from the Rizal Commercial Banking Corporation (RCBC) in the Philippines, information security non-profit ISACA Singapore Chapter, KPMG Malaysia, and global cybersecurity firm OneSpan, discussed the fast-evolving fraud and cybersecurity landscape, delving deep into social engineering trends and the challenges enterprises face in preventing these types of attacks.
Social engineering involves the use of techniques that exploit intrinsically human vulnerabilities and psychological manipulation to tailor phishing campaigns, malicious spam emails and fraudulent scams, and breach cybersecurity.
The psychology behind many of these techniques is to prey on human emotions and behavior, the most exploitable of which are greed, curiosity, fear and the desire to help, to induce users into carrying out harmful actions such as installing malware or disclosing confidential information.
The goal is always the same: extorting or stealing money from victims by convincing them to share their login credentials, for example, or persuading them to click links or attachments containing malicious code such as ransomware.
“[Attackers] exploit the human element to bypass a lot of the controls that we have in place,” said Ben Balthazar, Senior Fraud Consultant at OneSpan.
“Social engineering is designed to take advantage of that psychological aspect of people [when they are in a weak situation] and it is almost always going to be successful to some extent. It doesn’t matter if you are well-educated and well-versed in security, if you are in the wrong spot at that time, then you are still vulnerable.”
Exploiting human vulnerabilities
Social engineering attacks are so dangerous because they sit at the core of nearly every attack and data breach, and because they rely on human error rather than vulnerabilities in software and operating systems, which makes them much less predictable and harder to identify, Ben said.
And during times of widespread fear and uncertainty like COVID-19, criminals are on the hunt, looking for vulnerabilities wherever they exist.
“The need now [to address social engineering] is even more urgent because of the pandemic,” said Gabby Tomas, Chief Risk Officer and Risk Management Group Head at RCBC.
“The pandemic introduces stress and that is exactly what fraudsters want because people make poor decisions when they are under stress. They do not have time or the inclination to look at every aspect of the decision that they are going to make, and [fraudsters] want to rush you into these decisions, they don’t want you to think about it.”
The risks are even higher at a time when digital banking and open finance are being strongly encouraged by governments and public agencies alike as a way to improve financial inclusion.
Digitalisation and the accelerated adoption of technologies like cloud computing and big data analytics are providing new opportunities to reach unbanked populations, but they are also driving a proliferation of cybersecurity risks.
“With digital banking, open APIs and open banking, you have open data as well,” said Izzat Aziz, Director of Technology, Risk and Cybersecurity at KPMG Malaysia.
“Having all those data, when it comes to social engineering, makes [it that much easier for] the perpetrator, the hacker, to create a persona of any individual and exploit those through fraud or unapproved transactions.”
Steven Sim Kok Leong, President of ISACA’s Singapore Chapter, said that the rush to digital transformation and onto the cloud because of COVID-19 is calling for a proper reassessment of cybersecurity risks, noting that to this day, many large companies are still retaining legacy protocols.
The rise of social engineering attacks also comes alongside growing IT and cybersecurity spending from enterprises and corporations, Gabby pointed out, a trend that is forcing fraudsters to turn to “the weakest link in the IT defense chain which are people: users, clients, employees”.
“IT and cybersecurity is a growing area of investment for enterprises and corporations,” Gabby said. “This means that for fraudsters, it’s a more complex task to hack into IT technical defense.”
With stay-at-home orders rippling around the world, millions of workers have been forced to retreat to hastily equipped home offices. The speakers warned that hackers seek to take advantage of this situation to infiltrate corporations and access sensitive data.
“Criminals [are always] very close to the current situation. With working from home [mandates], the employees have the data, the information on their laptops: sensitive information, customer data, all those transactions, and even the company’s confidential information,” Izzat said.
“Social engineers are no longer wanting to access your data center, corporate office, but they are eyeing you and individual staff [members]. The moment you are the weakest link, the moment you leave your laptop open, people will [try and] get in.”
Raising awareness and leveraging technology to fight social engineering
One of the most straightforward solutions to combating social engineering attacks is through effective training and education programmes. This is especially important today as a large population of non-tech savvy and underprivileged users are shifting towards digital channels.
“Governments, companies and associations need to come together to work toward bringing education to the most underprivileged populations such as small and medium-sized enterprises (SMEs),” said Steven. “SMEs may not have the expertise, training and knowledge to secure their systems and any impact at the end will cascade into upstream and downstream implications.”
Enterprises can also rely on a number of technological tools to protect themselves and their customers against social engineering attacks. Multi-factor authentication (MFA), for example, remains an effective method that ensures proper authentication and protects users against stolen credentials, Ben said, adding that enhancements such as dynamic linking are providing an extra layer of security.
Dynamic linking involves generating an authentication code that is unique to one particular transaction, specific to the transaction amount and recipient, and requires that both the amount and the recipient are made clear to the payer at the moment of authenticating.
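The dynamic-linking idea above, as an added example that is not code from the panel or from any of the firms named: the code is an HMAC over the amount, currency, payee and a one-time nonce, so a transaction altered after the payer confirmed it (the classic social-engineering or man-in-the-browser outcome) no longer verifies. The `Transaction`/`Bank` names, the canonical encoding and the 8-digit truncation are assumptions for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    payee_iban: str
    nonce: str  # one-time value issued by the bank for this transaction


def _canonical(tx: Transaction) -> bytes:
    # Unambiguous encoding: every field the payer must confirm is bound into the code.
    return f"{tx.amount_cents}|{tx.currency}|{tx.payee_iban}|{tx.nonce}".encode()


def transaction_code(device_key: bytes, tx: Transaction, digits: int = 8) -> str:
    """Dynamic-linking code: HMAC over the transaction details, truncated HOTP-style."""
    mac = hmac.new(device_key, _canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def display_for_payer(tx: Transaction) -> str:
    """What the authenticator shows: amount and payee must be visible before the payer confirms."""
    return f"Pay {tx.amount_cents / 100:.2f} {tx.currency} to {tx.payee_iban}?"


class Bank:
    """Hypothetical back end: recomputes the code over the transaction it is about to execute."""

    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key
        self.used_nonces: set[str] = set()

    def verify(self, submitted_tx: Transaction, code: str) -> bool:
        # A nonce is accepted once, so a captured code cannot be replayed.
        if submitted_tx.nonce in self.used_nonces:
            return False
        expected = transaction_code(self.device_key, submitted_tx)
        # Constant-time comparison; any change to amount or payee changes the expected code.
        if not hmac.compare_digest(expected, code):
            return False
        self.used_nonces.add(submitted_tx.nonce)
        return True
```

Contrast this with a plain six-digit OTP, which confirms only that the user pressed "approve" and says nothing about what is being approved.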
User behavior analytics is another powerful tool: it lets enterprises profile users, understand what their usual behavior looks like, spot when that behavior becomes abnormal, and so detect social engineering attempts.
“We have the technology today to make it more user-friendly and safer for users. We shouldn’t be sending people six-digit codes anymore,” Ben said.
“We’re used to seeing security as being inconvenient, complicated and a burden for the user at an age when user experience comes first and everything else comes after … If you [have the security built-in and have it by design,] and if you have a nice user journey, your customers are going to be happy and they are going to be more secure.
“Because it’s going to be easy for them to figure out if something is wrong because it’s a very simple process. If it’s a very complicated process, then they are likely to get lost in it and then more likely be taken advantage of.”