Tackling Social Engineering Fraud Using Phone-Centric Identity™

As digital interactions permeate all walks of life, it has become easier for a fraudster to gain access to an individual’s sensitive data or accounts by manipulating them as opposed to using technological means such as phishing. Today, fraudsters use far more subtle and effective methods, such as social engineering techniques that target humans through multiple social interactions to carry out the fraud.

‍

Social Engineering Fraud (SEF) involves gaining the trust of an individual within a business to trick an individual into providing confidential information to steal money from their accounts or even misleading and convincing them into sending money directly into the fraudster’s account. Phishing, Vishing, Smishing, Pharming, Business Email Compromise (BEC), and Email Account Compromise (EAC) are commonly used social engineering methods. Here’s a quick look at these methods.

‍

• Phishing: Fraudsters send emails pretending to belong to reputable firms to deceive working individuals into revealing personal information such as passwords and credit card numbers
• Vishing: Phishing techniques that use voice calls or messages purporting to be from reputed companies to mislead individuals into sharing personal and financial information.
• Smishing: Similar to phishing and vishing, fraudsters rely on text messages to retrieve personal information. People tend to trust text messages from credible-looking sources—smishers leverage this technique to retrieve SSNs, credit card numbers, and passwords.
• Pharming: Fraudsters redirect the web traffic of a legitimate website to a fake website for stealing usernames, passwords, financial data, SSNs, or any other personal information.

‍

Business Email Compromise & Email Account Compromise: Fraudsters use this method by sending email messages that appear to be from a genuine institution/person, such as regular vendor partners requesting address changes or a CEO making a purchase request. BEC and EAC complaints are low in number; however, their impact is 64 times worse than ransomware. In 2020, there were 19,369 BEC victims accounting for $1.8 billion in losses in the US alone.

‍

Although anyone could be a victim of social engineering fraud, it is usually directed at high-profile individuals such as executives, consultants, business owners, IT professionals, and government officials. These individuals have access to and the ability to exploit sensitive and confidential information. Fraudsters particularly exploited the COVID-19 theme last year to target businesses and individuals leveraging viruses, vaccines, and COVID relief themes. According to the FBI Internet Crime (IC3) Report, phishing, vishing, smishing, and pharming incidents increased by 110% between 2019 and 2020 in the US.

‍

‍

‍

For companies to stay safe from social engineering fraud, employees need to be made aware of the types of attacks and the appropriate procedures and remedial measures to deal with them. Some of the key areas which should be addressed are: Being wary of unsolicited phone calls, visits, or emails requesting personal information, not divulging details linked to the employer, never revealing personal information or financial information unless the sender is sure of the legitimacy of the caller.

‍

While educating employees is an essential first step in preventing social engineering fraud, organizations must also protect their systems from being compromised by social engineering hacks. Sending an unusually large number of OTPs to the victim’s phone number is one of the ways fraudsters try to gain entry into the system. Additionally, fraudsters may take over customer accounts through phishing/smishing by means of fraudulent links to steal identity, thereafter using the stolen identity to gain access to systems.

‍

However, manipulating humans into sharing sensitive data is the most common way of carrying out social engineering fraud. Therefore, the onus is on businesses to implement authentication systems that can protect their customers and employees from this fraud vector. Companies should upgrade from legacy authentication methods such as OTPs to modern methods such as phone-centric identity™ to ensure that the actor is indeed who they claim to be. Fundamentally, thwarting social engineering fraud requires you to validate that the actions that a user is prompted to perform (such as clicking a security link) are indeed done by the legitimate user. Furthermore, by drawing deep insights from device and phone number-related characteristics and leveraging multiple verified identity sources, companies can measure the trustworthiness of digital interaction to a high degree of confidence.

‍

Prove’s Instant Link™ replaces the traditional SMS OTP with a secure SMS link message. Utilizing a combination of active (SMS delivery with user action required) and passive (checking against phone intelligence signals), it authenticates identities in real time when users click the link, creating a more secure alternative to the SMS OTP

‍

Prove’s ‍Trust Score™ analyses behavioral and Phone-Centric Identity™ signals from authoritative sources at the time of a potential transaction. As a result, it mitigates fraud, such as social engineering hacks and other account takeover schemes.

‍

Prove’s GaitAuth™ behavioral biometrics, based on zero user friction, knowledge, or action, silently authenticates a user based on unique gait motion with high accuracy.

To learn more about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.