Just as sharks are drawn to blood or bees are drawn to pollen, fraudsters are drawn to money-making opportunities. As account takeover (ATO) attacks become more difficult, fraudsters increasingly shift to social engineering scams, and coerce legitimate customers into doing their dirty work in the process.

What is Social Engineering Fraud?

Social engineering fraud is a broad term for scams that exploit a victim’s trust, either to trick them into disclosing confidential information that the fraudster then uses to commit fraud, or to persuade them to hand over money under false pretenses. Fraudsters pull off social engineering by studying their targets’ patterns and social media profiles: their jobs, where they shop, and other personal details. They can also go door to door posing as a legitimate actor, such as a census taker, to collect sensitive information. Another approach uses phishing messages that trick victims into revealing personal details such as bank account numbers, credit card numbers, or passwords.

Armed with these insights, fraudsters reach out to victims using a variety of tactics (including email, text message, or on social media) and tailor a convincing narrative that their victim is more inclined to believe. In other words, they will engineer a fraud based on a victim’s social profile.

How Does Social Engineering Fraud Work?

Fraudsters can use social engineering to commit a variety of scams. For example, they might commit authorized push payment (APP) fraud by convincing a victim that they have an outstanding balance on a utility bill that must be paid immediately. Once the victim pays the fictitious balance, the fraudster disappears with the money. They can also use business email compromise (BEC) to convince a company employee to facilitate CEO fraud or invoice fraud. Or they can lure victims into romance scams.

Fraudsters often pull off convincing scams by studying their targets’ lifestyles. And they’re persistent. If a fraudster’s initial attempt to trick a victim doesn’t work, they’ll tweak it over and over again until they find a strategy that pays off.

What’s Fueling Social Engineering Fraud?

There are two key factors driving fraudsters’ move to social engineering. The first is access to money. The second is access to customers.

On the first point, fraudsters know to follow the money. When the pandemic began unfolding, governments around the world issued emergency loans to help struggling businesses stay afloat. Many fraudsters focused their efforts on these government relief efforts. With these programs now leveling off, bad actors are shifting back to social engineering fraud.

As for the second point, there’s an old saying: if you can’t beat them, join them. In the case of fraudsters, the thinking is more akin to: if you can’t breach them, manipulate them. It has become much harder for fraudsters to commit ATO attacks using compromised credentials. Hence, fraudsters have realized it is both easier and more lucrative to coerce customers into making transactions on their behalf. And if they succeed, some banks may be reluctant to classify the event as fraud, since the customer approved the transaction.

Why Social Engineering Fraud is Hard to Measure

The trouble with social engineering fraud is that it’s very difficult to measure. The digital banking landscape enables fraudsters to fail fast – and move on undeterred. This means fraudsters can easily scale their scams, launching 1,000 social engineering attempts before they even have breakfast. Even if 80% of attacks are prevented, it means they were successful 200 times, making a profit with minimal effort. And there’s plenty of time to launch more attacks.

Meanwhile, most failed social engineering attempts go unreported. Fraudsters might reach customers via email or text message, and a large share will dismiss their communications and forget them. There’s little incentive for a customer to report the encounter since nothing came of it. However, each failed social engineering effort that goes unreported means banks miss an opportunity to gauge the broader problem accurately.

Successful social engineering fraud can also be difficult to measure. Many customers feel embarrassed for believing a fraudster’s story and losing money. As such, they are unwilling to admit they were deceived, let alone report the incident to their bank or to law enforcement. Some victims doubt they will get a refund, or worry that reporting the incident will hurt their standing with their bank.

5 Things Banks Can Do About Social Engineering Fraud

As fraudsters develop social engineering tactics, banks must help their customers before, during, and after they are impacted by social engineering fraud. Here are a few things banks can do.

1. Banks Should Work Together to Stop Social Engineering Fraud

The effectiveness of social engineering and its related crimes (APP fraud, invoice fraud, romance scams, etc.) requires banks to pool their collective intelligence and agree on best practices for the industry, including who pays for these losses. Banks and financial institutions (FIs) should update their refund policies to offer customers some layer of protection if they fall victim to a social engineering scam. Listening to other banks and sharing experiences can help FIs determine the most appropriate ways to assist customers who fall prey to scams.

2. Update Customer Messaging Regarding Fraud

As fraudsters update their tactics, so too must banks update their customer-facing communications. If a bank’s messaging on fraud remains static, customers will treat it like wallpaper and just ignore it. Study the social engineering problem carefully and craft new messaging to keep your customers vigilant and prepared. Refresh the messaging regularly so that your customers aren’t tempted to overlook it.

3. Prioritize Prevention

The social engineering fraud threat requires banks to think hard about how they communicate with customers both before and after an event. Before an attack, prevention should be the priority. By understanding their customers’ typical patterns, banks can intervene if they suspect their customers are at risk of getting defrauded. This could be as simple as sending a text message or a pop-up banner asking if they are certain they wish to proceed with a transaction. Revamped messaging should also encourage customers to report suspected fraud attempts – even if they don’t fall for them.
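The kind of intervention described above can be driven by a small behavioral check at payment time. The following is an added example, not code from the original post or from any bank or vendor product: it scores a candidate outbound payment against the customer's own recent history and decides whether to let it through, ask the customer to confirm in-app, or hold it for a call-back. The `Payment` class, the payee identifiers, the thresholds and the sample transaction history are all constructed for illustration and would need tuning against real data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Payment:
    customer: str
    payee: str       # destination account identifier (hypothetical format)
    amount: float
    ts: datetime


# Hypothetical thresholds; a real deployment would tune these per customer segment.
WINDOW = timedelta(days=90)   # how far back "recent" behaviour is measured
NEW_PAYEE_SCORE = 2           # never-seen payee is the strongest single signal
OUTLIER_FACTOR = 1.5          # amount vs. largest recent payment by this customer
PAYEE_FACTOR = 3.0            # amount vs. average amount sent to this payee
HOLD_THRESHOLD = 3            # score at or above this: hold and call the customer
CONFIRM_THRESHOLD = 1         # score at or above this: ask for in-app confirmation


def score_payment(history, candidate):
    """Return (score, reasons) for a candidate outbound payment.

    Three signals are combined: a payee the customer has never paid before,
    an amount far above anything the customer sent recently, and an amount far
    above what the customer usually sends to this particular payee.
    """
    prior = [p for p in history
             if p.customer == candidate.customer and p.ts < candidate.ts]
    recent = [p for p in prior if candidate.ts - p.ts <= WINDOW]
    score, reasons = 0, []

    if candidate.payee not in {p.payee for p in prior}:
        score += NEW_PAYEE_SCORE
        reasons.append("first payment to this payee")

    if recent and candidate.amount > OUTLIER_FACTOR * max(p.amount for p in recent):
        score += 2
        reasons.append("amount exceeds anything sent in the last 90 days")

    to_payee = [p.amount for p in prior if p.payee == candidate.payee]
    if to_payee and candidate.amount > PAYEE_FACTOR * mean(to_payee):
        score += 1
        reasons.append("amount unusual for this payee")

    return score, reasons


def decide(history, candidate):
    """Map the score to an intervention: allow, confirm_in_app, or hold_for_callback."""
    score, reasons = score_payment(history, candidate)
    if score >= HOLD_THRESHOLD:
        return "hold_for_callback", reasons
    if score >= CONFIRM_THRESHOLD:
        return "confirm_in_app", reasons
    return "allow", reasons


# Constructed sample history for one customer: monthly rent plus weekly groceries.
HISTORY = [
    Payment("cust-001", "payee-rent", 1200.0, datetime(2024, 1, 1)),
    Payment("cust-001", "payee-rent", 1200.0, datetime(2024, 2, 1)),
    Payment("cust-001", "payee-rent", 1200.0, datetime(2024, 3, 1)),
    Payment("cust-001", "payee-groceries", 75.0, datetime(2024, 1, 5)),
    Payment("cust-001", "payee-groceries", 80.0, datetime(2024, 1, 12)),
    Payment("cust-001", "payee-groceries", 90.0, datetime(2024, 1, 19)),
    Payment("cust-001", "payee-groceries", 70.0, datetime(2024, 2, 9)),
    Payment("cust-001", "payee-groceries", 85.0, datetime(2024, 3, 8)),
]

NOW = datetime(2024, 3, 15)
# Constructed candidates: a routine purchase, a coerced transfer to a fresh
# account, an oversized payment to a familiar payee, and a small new-payee test.
ROUTINE = Payment("cust-001", "payee-groceries", 82.0, NOW)
COERCED = Payment("cust-001", "acct-new-999", 4500.0, NOW)
OVERSIZED = Payment("cust-001", "payee-groceries", 900.0, NOW)
SMALL_NEW = Payment("cust-001", "acct-new-777", 50.0, NOW)

if __name__ == "__main__":
    for c in (ROUTINE, COERCED, OVERSIZED, SMALL_NEW):
        action, why = decide(HISTORY, c)
        print(f"{c.payee:16} {c.amount:8.2f} -> {action:18} {'; '.join(why)}")
```

The weak spot to keep in mind: a victim coached by a fraudster to send a normal-looking amount to a payee they have used before scores zero here, which is exactly why the in-app prompt should also carry the reporting nudge the text recommends, and why the "confirm" message should describe the scam pattern rather than just ask "are you sure?".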

4. Think Like a Fraudster

Fraudsters think like banks by anticipating the safety measures that make ATO attacks more difficult. Banks should think like fraudsters in response. That’s why it’s so important to be able to speak with customers who have been defrauded and empower them to open up about their experiences. This knowledge and insight allow banks to understand how scams were engineered and enables organizations to develop new protocols to protect customers from new attacks.

5. Treat Defrauded Customers Gently

After a social engineering fraud event occurs, a different conversation, and a different tone, is required. Bank customers will likely feel angry, vulnerable, and embarrassed if they lose money to a social engineering scam. Their trust is damaged. Bank staff should be trained to speak with customers with empathy and respect, help them understand they are not alone, and gently ask them how the fraudster approached them.

Banks need a better picture of the scope of the social engineering problem. Listening to customers who have been victimized and understanding how fraudsters pulled off their deception is a critical step to stopping more fraud and allowing customers to rebuild trust. 

How do banks know how to choose the right fraud prevention solution? Download our eBook 6 Crucial Capabilities to Protect the Online Banking Journey to learn how to protect online onboarding processes from bad actors.