Social engineering scams are on the rise. Here we outline some of the most prevalent scam trends and what to watch out for.
An estimated £2.7 billion worth of fraud passed under the noses of UK targets during 2022. Thankfully, over half of those attempts were prevented by various financial institutions. But this still resulted in countless people finding themselves £1.3 billion out of pocket, collectively speaking.
In many instances, it is the victim’s own response that results in financial loss. Actions taken whilst in a state of heightened emotion, where feelings such as impatience, fear or intrigue can override rational instincts. Often dubbed “social engineering”, these types of attacks rely on an acute understanding of psychology coupled with some high-level cyber and tech expertise. They represent an all-too-real and ever-growing threat to us all.
Honey Trap Scams
Let’s start with one of the oldest tricks in the book: building a personal relationship with someone and pouncing once their trust has been gained. In a honey trap scam, sometimes known as a romance scam, a fraudster will set up a bogus profile on a social media platform or dating app and pose as a potential love interest. They go on to invest time in developing what appears to be genuine intimacy or friendship. But once they feel the groundwork is set, they will go on to take the victim for as much as they can. Sometimes they present themselves as being in an unfortunate situation and needing emergency funds. Other times they might share tips for purchases or investments, which of course will never come through.
Phishing
This is probably one of the best-known types of scams around. Victims receive emails or social media messages that appear bona fide but they are not. They might, for example, purport to be from a well-recognised institution, often containing plausible branding and originating from a seemingly genuine account or address. They could even seem to come from a real-life acquaintance or family member. Recipients are asked to either reply (sharing sensitive information), download attachments (containing malware) or follow bad web links.
Smishing
The mobile phone-based equivalent of phishing involves an SMS arriving from what many assume to be a legitimate source and encouraging the target to unwittingly make themselves vulnerable by following the instructions contained in the message. Phishing and smishing scams take many guises and are often fine-tuned to take advantage of a victim’s known interests, as well as issues that are topical and affecting many people at the time of sending. They are extremely prevalent, and people unfortunately succumb to them every day.
Vishing
Here’s another twist on the theme: rather than a message in text format, the victim’s phone will ring with the caller then introducing themselves as being from a well-known service provider, likely one they use. Their story will probably involve a suspicious transaction, a new offer or some other cause for requesting personal account details.
One example of vishing calls doing the rounds was an incoming call with a pre-recorded message claiming to be from HMRC and informing the recipient of a problem with their account. The emotional jolt of believing they might be the subject of investigations or penalties is enough to push many toward “pressing ‘1’ to speak to an agent” and that’s never going to end well. Sophisticated versions known as “hybrid vishing” employ additional social engineering tricks to strengthen their impact.
Deepfakes
Currently on the rise, these scams make use of advanced computer software to modify or fabricate the content of videos and audio recordings, spreading disinformation and generating strong reactions. Deep voice technology, speech synthesisation, face swapping and expression manipulation can all be seamlessly employed to shockingly realistic effect, with huge potential for influencing people, extorting money, changing consumer behaviour and blackmailing, amongst other purposes. Some of the recently detected deepfake confidence trickery includes criminals securing positions in organisations through face-swapped employment interviews, celebrities seemingly endorsing dodgy products, and world leaders being seen to give fake military orders. This one scam looks set to become an ever more serious threat.
Watering-hold attacks
Hackers are always on the lookout for opportunities to infiltrate popular websites and apps. They will identify security weaknesses and use these weaknesses to deliver malware to the devices of site visitors and app users. This may be via a surreptitious infection or even by encouraging users to download material from their trusted sites. The malware could take many forms but will often allow attackers to gain remote access to files, cameras and microphones to observe behaviour, either with espionage in mind or to glean insights that will enable further scamming. For example, some proceed to impersonate regular email correspondents and request that a bill be paid to a different account.
CEO/CFO fraud or business email compromise
One of the highest-netting scams around, this form of phishing involves the impersonation of senior management, apparently contacting their staff with legitimate financial queries. They may request money transfers to be made or tax or payroll documents to be sent. The information is then harvested and used to extract funds. The authoritative tone of voice and urgency of the request, sometimes coupled with calls for a matter to be dealt with confidentially, can cause employees to act without obtaining verification.
Remain vigilant in the face of potential scams
As soon as an unsolicited contact asks for a response involving personal disclosure, even as innocent as confirming the make of your handset, alarm bells should start ringing.
First and foremost, keep calm. Give yourself a moment. Try to stay rooted in rational response to mitigate the emotional pressure that social engineering scams can place on you. Be especially cautious of anything demanding urgent action.
Always remember who instigated an exchange and when in doubt, do not hesitate to terminate a conversation on one platform to pick it up again via another method e.g. contact details listed on the company’s website or alternative means of reaching people you know.
Check spelling, grammar and the tone of content you receive. Scrutinise email and web addresses for incorrect endings or non-standard characters. Keep an eye out for bad-quality brand images too. If it doesn’t feel right, it probably isn’t.
Seek verification and fact-check wherever you can. Try to avoid taking new information at face value and ask friends and family for advice when unsure.
Use different, secure passwords for each account, with strong malware protection and firewalls on your devices. Also, consider using encryption.
Never divulge answers to security questions or whole passcodes to incoming callers.
Report all suspicious activity to help authorities shut down risks to other users.
If you lead a team, ensure they are provided robust training in good security practices to recognise and deal with scams. Ensure good examples are set throughout the company and regularly reinforce the need for caution and accountability. This will also help to ward off cyber threats, data breaches and fraud.