PALO ALTO, CA—(Marketwired – October 29, 2015) – Social engineering is more than a buzz word used by the cyber security industry. The only trendy thing about it is that it defines the latest tool cyber criminals use to facilitate their fraud. Fraudsters can easily access social platforms, databases, and user credentials for the information they need to bend the will of their potential victims and persuade their prey to behave precisely as directed. That’s effective social engineering.
ZapFraud catches the fraudsters because the Fraud Firewall is designed to recognize fraud using social engineering, as well as using known fraud–related story lines and historical patterns. ZapFraud is able to see and examine fraudsters’ latest methods to detect and block fraud, and also report it to the benefit of anyone who uses digital technology, and law enforcement.
With granular data about fraudsters’ behaviors and methods, the Fraud Firewall both blocks and reports fraud, and identifies fraudsters’ popular approaches. From the insights, the Fraud Firewall can assess scenarios fraudsters set up through social engineering and how these could potentially play out or morph into new types of scams. Detection, blocking, and reporting are critical to addressing this crime.
Data from breaches, social media, and published databases provide all the information a fraudster needs to make almost anyone fall for a scam. Social engineering is the technique of convincing the victim to collaborate, using arguments and data tailored to the victim and his or her situation. A typical social engineering attack commonly starts with the fraudster acquiring some data about the intended victim, whether from a data breach, social media, or a previous interaction.
Understanding social engineering
The term “social engineering†simply means the act of psychological manipulation for the purpose of gathering sensitive information to gain system access to commit fraud against businesses, corporations, governments and individuals. Social engineered fraud is growing. It will continue to thrive until we embrace new tools that are capable of countering the social engineering methods that the criminals now heartily embrace.
How does social engineering happen? A fraudster’s four–step plan:
1.
Setting up the trap. A fraudster collects information about his victim–to–be from a security or data breach, social media, or by phishing somebody the victim–to–be knows.
2.
Luring in the victim. The fraudster uses the collected information to select or design a credible story, and contacts the victim–to–be. Using this information, the attacker establishes a relationship or an understanding with the victim–to–be.
3.
Going in for the kill. The fraudster convinces the victim–to–be to do something that benefits the attacker. Install malicious software, send money, visit a dangerous website, send over proprietary information — the options are boundless.
4.
Cashing in. The fraudster cashes in, and the victim hurts. Commonly, the attacker sells the information about the victim to other criminals — as part of a sucker–list. Or, if this victim is just too valuable to share, the fraudster creates new stories and identities, and attacks the victim again.
How do cyber criminals use social engineering to achieve so much success? Well–crafted scenarios!
With so much personal and current information published and readily available, fraudsters design emails that urge potential targets to act. Note some examples to which almost anyone can relate:
1. At 4:30 p.m. on a Friday afternoon, the CEO’s secretary receives a distressed email from the CEO, “My car was broken into and my computer and phone stolen — I had left both on the passenger seat and left the car for just a few minutes. I need to go and buy a replacement computer now, and get access to my email as soon as I can. The guy in IT says that it may be until tonight, though, since the computer needs to get registered on the network first. Would you send me the spreadsheets and power points with the recent financial numbers, please? To my yahoo account — just hit reply to this email. Please hurry I am kind of panicked.†The only problem: the email account this was sent from — while matching the name of the CEO — belongs to a fraudster.
2. Alice’s email account gets hacked, and the hacker changes her email settings so that the reply–to address points to an account different than Alice’s email account (e.g., using a Yahoo email address versus her usual Gmail email address. The first part of the email address is the same and at first glance you may not notice the difference.) This means that all emails Alice sends after that will cause users responding to her emails to send it to the new address. Which, of course, the hacker controls. The scammer can forward the emails to the real Alice from… guess what… email addresses similar to those of the real sender of the email… and that way, insert himself in all communication. This can be automated, siphoning off all email content and without causing any noticeable delay.
3. Alan is directed to take specific action to receive some benefit when he reads his email: We are improving your card security. We will be sending you a new card with a security chip embedded in it in the near future. You will need to use your PIN (Personal Identification Number) with your card when you make purchases. Before we send your new card, you need to change your PIN so we can program your new card with a new PIN. Please go to fakewebaddress.com to enter your new PIN. Simply enter your current card number and expiration date (from the front), the CVV value from the back and your current PIN to confirm you are the cardholder. Then enter your new PIN. Write down your new PIN so that when your new card comes you can use it.
4. Terry is alarmed when she reads an email from the offices of the court: Our records indicate that you failed to appear for municipal court jury duty on October 1, 2015 in Judge Lamont Clement’s court. You can plead guilty, plead no contest or schedule a court date if you wish to contest the matter at www.courtfines.co. If you do not respond within 1 week from the date on this message, a warrant will be issued for your arrest. The fine for failure to appear is $50 per municipal code 1751.3, but if a warrant is issued the fine for failure to respond is an additional $500. Please attend to this matter immediately. Please use the web site www.courtfines.co rather than calling or sending email. Clerks are not permitted to respond to these matters via phone calls or emails.
5. Karl is anxious to respond when he reads an email that promises to reduce his monthly expenses: Our records indicate that your home mortgage was established more than three years ago. We can typically save homeowners 1% on their mortgage rate with no inspection or closing fees. If you have an outstanding mortgage balance of more than $100,000 we can likely save you $200 per month. You can qualify here by answering 10 simple questions in about 10 minutes. We will then email you the documents to complete the transaction.
6. Darla, who loves her iTunes, is immediately concerned that she may have been overcharged when she reads: Dear iTunes User, Your account may have been incorrectly charged $34.99 for Co–Pilot Premium HD. If you believe that you were incorrectly charged for this app, you can log in here and claim a refund. We apologize for any inconvenience.
How can you and your loved ones stay safe online?
All is not lost if you take the necessary steps to educate and protect you, your business and your loved ones from sophisticated cyber criminals. Here are some ways in which you can prevent yourself from being a victim of this type of fraud attack:
Limit the amount and exposure of your data. While you cannot control whether your data is lost in breaches of other organizations, you can make sure that your website and social network pages do not provide criminals with information that could add to their ability to deceive you.
Be careful with unusual requests, even if they come from people you know. Always double–check by making a phone call to speak with the person making the request before sending money or proprietary information.
Consider the scenarios described and put yourself in each target’s position. Ask yourself how you would respond. Sometimes preparing for an attack and playing it out in your mind can help to remind you when you need it most.
Remember a fraudster’s four steps of approach and think about them when you are ready to respond quickly to an email that stirs your emotions and urges you to act, and act quickly.
If you get an email that appears strange, but you cannot be sure, forward it to Help@ZapFraud.com and you will get an autoreply telling you if an email is a known fraud. You can also sign up for ZapFraud’s service to protect all your email, all the time.
Throughout National Cyber Security Awareness Month (NCSAM) #CyberAware, ZapFraud is reporting on fraud and fraudsters and what we can do now to stop them. Watch for ZapFraud news and posts and learn more about fraud and cyber security by following ZapFraud on Twitter and like us on Facebook.
About ZapFraud
ZapFraud is the leading provider of proactive email and online fraud protection services for consumers, as well as threat–detection services for enterprises. ZapFraud’s patent–pending Fraud Firewallâ„¢ protection service helps provide peace of mind for consumers as they face the increasing and ever–changing threat of email, social media and online phishing scammers who attempt to steal intellectual property, identity, online credentials and, ultimately, their hard–earned money. More information about the company can be found at http://www.zapfraud.com.
Image Available: http://www.marketwire.com/library/MwGo/2015/10/29/11G069670/Images/Small_Zapfraud_fraudfirewall31–57520888627.jpg
Image Available: http://www.marketwire.com/library/MwGo/2015/10/29/11G069670/Images/ncsam_champion_lg–890019261710.jpg