Social Engineering Attacks Increasingly Target Online Banking Customers
March 29, 2022

You receive a call from someone claiming to be a government official or a representative of your bank. The caller already has personal information about you, possibly including details of your recent banking transactions. You are told that your account has been compromised, or that fraudulent transactions have been made on it, and that it is urgent you cooperate. If you fail to do so immediately, your funds could be lost or you could be arrested. You wonder how the caller could have this personal information about you if he isn't who he claims to be. You decide you'd better cooperate.
Soon you find that you have actively, but unknowingly, participated in defrauding yourself: you transferred your own funds to a criminal. Because it was you who completed the online transaction, from your own device, none of the bank's security alerts were triggered, and the criminal is less likely to be caught.
Lockdowns resulting from the pandemic made it necessary for customers of financial institutions to conduct more of their banking business online. Some undoubtedly had more experience with online banking than others. Cybercriminals saw this scenario as an opportunity.
Evolution of the attack
In social engineering attacks, perpetrators prey upon human vulnerabilities. The attacker often collects some personal data about the target in advance and uses it to establish trust. A sense of urgency is then introduced so that the victim makes a quick decision without taking the time to verify the identity of the person they are talking to or to fully consider the consequences of doing what they are being asked to do.
Before the pandemic, criminals were already using a variety of techniques to harvest their targets' personal data and online banking credentials, and in many cases they used that information to log in to victims' accounts directly. As banks added security controls, direct access became harder. The logical next step was to use the harvested information to win the target's trust and have the target carry out the transaction instead. Those with the least experience using online banking tools are likely to be the most vulnerable when contacted by a convincing impostor.
Bank cybersecurity controls often fail to detect these attacks
Banks have implemented multi-factor authentication: a one-time passcode (OTP) is sent to the customer's registered device at login to verify identity. Fraud-detection tools also compare the device and network connection used at login against the customer's profile. In this attack variant, however, it is the customer's own trusted device logging in from the customer's usual network, and the customer receives and enters the OTP exactly as they would for a legitimate session. Nothing about the login is anomalous, so nothing causes the bank's security system to raise an alert.
Some banking security systems alert when a transaction amount exceeds an established threshold. Criminals know this. According to a June 2021 article posted at ThePayers.com/thought-leader-insights/when-authorised-payments-are-not-spotting-coercion-in-online-transactions--1250005, attackers have shifted to a volume approach, scamming more victims out of less money each in order to stay under those thresholds. The article reports that 35% of social engineering impersonation scams in 2020 took more than $1,000 from each victim; in the first half of 2021 that share had dropped to 20%, while the number of attacks continued to increase.
The combination of no anomalous events during login and a reduction in the transaction amounts has resulted in fewer alerts being generated by bank security systems.
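The following is an added illustration, not code from the article or from any bank's real fraud system, of why the two controls described above stay silent on a coerced transfer. It models the login check (device, network, OTP) and a fixed amount threshold as simple rules, then runs them over constructed events: a login with harvested credentials from an unknown machine, the same transfer submitted by the coached victim from their own device, and a routine payment. It also adds a hypothetical third rule (first-time payee receiving a large share of the balance) to show the kind of behavioral signal that still exists when the login looks normal. All profiles, addresses, amounts and thresholds are made up for the example.

```python
"""
Toy fraud-rule engine: why login checks and per-transaction thresholds
miss a transfer the victim makes themselves. Added example; profiles,
events, thresholds and the extra rule are all constructed (assumptions).
"""
from dataclasses import dataclass

# Hypothetical per-transaction alert threshold (assumption).
AMOUNT_THRESHOLD = 1000.00
# Hypothetical share of balance that makes a first-time payee suspicious (assumption).
NEW_PAYEE_BALANCE_SHARE = 0.25


@dataclass
class Profile:
    customer: str
    known_devices: frozenset
    known_networks: frozenset
    known_payees: frozenset
    balance: float


@dataclass
class Login:
    device: str
    network: str
    otp_verified: bool


@dataclass
class Transfer:
    payee: str
    amount: float
    login: Login  # the session in which the transfer was submitted


def login_rule(profile: Profile, login: Login) -> list:
    """Control 1: does the session match the customer's profile?"""
    alerts = []
    if not login.otp_verified:
        alerts.append("otp_failed")
    if login.device not in profile.known_devices:
        alerts.append("unknown_device")
    if login.network not in profile.known_networks:
        alerts.append("unknown_network")
    return alerts


def threshold_rule(transfer: Transfer) -> list:
    """Control 2: flag any single transfer at or above a fixed amount."""
    return ["amount_threshold"] if transfer.amount >= AMOUNT_THRESHOLD else []


def new_payee_rule(profile: Profile, transfer: Transfer) -> list:
    """Assumed extra control: a first-time payee receiving a large share of the balance."""
    first_time = transfer.payee not in profile.known_payees
    large_share = transfer.amount >= NEW_PAYEE_BALANCE_SHARE * profile.balance
    return ["new_payee_large_share"] if first_time and large_share else []


def evaluate(profile: Profile, transfer: Transfer, with_new_payee_rule: bool = False) -> list:
    """Run the baseline controls, optionally with the behavioral rule, and return alert names."""
    alerts = login_rule(profile, transfer.login) + threshold_rule(transfer)
    if with_new_payee_rule:
        alerts += new_payee_rule(profile, transfer)
    return alerts


# Constructed sample data (documentation IP ranges, invented device IDs).
VICTIM = Profile("alice", frozenset({"dev-A1"}), frozenset({"203.0.113.10"}),
                 frozenset({"landlord", "utility"}), balance=3000.00)
TRUSTED = Login("dev-A1", "203.0.113.10", otp_verified=True)
STOLEN = Login("dev-X9", "198.51.100.77", otp_verified=False)

# Case 1: attacker logs in with harvested credentials from their own machine.
CREDENTIAL_ABUSE = Transfer("mule-account", 900.00, STOLEN)
# Case 2: the victim, coached by the caller, sends the money themselves.
COERCED = Transfer("mule-account", 900.00, TRUSTED)
# Case 3: an ordinary rent payment of the same size, for comparison.
ROUTINE = Transfer("landlord", 900.00, TRUSTED)


if __name__ == "__main__":
    for name, t in [("credential abuse", CREDENTIAL_ABUSE),
                    ("coerced", COERCED), ("routine", ROUTINE)]:
        print(f"{name:16} baseline={evaluate(VICTIM, t)} "
              f"extended={evaluate(VICTIM, t, with_new_payee_rule=True)}")
```

The credential-abuse login trips all three login checks, but the coerced transfer, submitted from the trusted device with a valid OTP and an amount below the threshold, produces no alert at all under the baseline rules. Only the added payee-based rule distinguishes it from the routine rent payment, which is the point the article makes: once the victim performs the transaction, the controls that watch the login have nothing to see.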
What you can do
A proactive approach would be to contact your bank and ask them what procedures they use to alert customers should the need arise. Discuss this scam with your bank representative, find out whether they are aware of it, and ask them what, if anything, they are doing to educate and protect their customers.
If you receive a suspicious phone call, email, or text message advising you of an issue with your account, do not let yourself be talked into taking any action without verification. Tell the caller or sender that you will contact the bank directly, and end the conversation there. Then call your bank at a number you know to be valid, such as the one printed on your card or a statement, never one the caller gives you, and explain what occurred.
If you do fall victim to one of these scams, contact the bank immediately. They may be able to stop the transaction or recover the funds if notified in time. Report the incident to local authorities and file a complaint with the Federal Trade Commission at ReportFraud.FTC.gov.
In closing...
According to the ThePayers.com report, impersonation scams like these are the most common variant of social engineering attack perpetrated in the United States. The report goes on to state that the number of social engineering incidents reported in the first quarter of 2021 was 87% higher than the number reported during the same period in 2020. The pandemic lockdowns initially created a target-rich environment for scammers, and the number of attacks has continued to increase even after lockdowns were lifted.
Be sure to take advantage of all security controls offered by your banking institution. Don't make it any easier for these criminals to access your accounts. Talk with your bank representative and find out about their procedures and methods for contacting customers should a security-related event occur. And finally, listen to that little voice that lets you know when something just isn't right.