About Social Engineering: A Case Study and How it Relates to Spear Phishing
Guest Post Written by: M. Zuraikat, Certified eCommerce Fraud Professional
What is social engineering?
Social engineering is a fraud technique used to deceive individuals or businesses into unknowingly providing confidential or personal information. Social engineering occurs by leading customers into divulging confidential information through the phone or most commonly through sending mass emails, known as phishing scams. Social engineering often targets individuals for their name, addresses, payment details, social security number, internal business policies, and other private details. Knowing internal business policies can be used to adversely affect businesses by giving the fraudster the opportunity to know how merchants mitigate fraud activities, and penetrate their system.
Case Study in Social Engineering:
A fraudster attempted to use a stolen credit card to purchase an airline ticket through the company’s website. He called a customer service employee to check if he can get away with using the ticket. The following scenario took place:
Fraudster: Hello. How are you doing? I am a regular customer with your airline, and I honestly love to travel with your company.
Agent: Thank you, Sir. It is our pleasure to serve you well. How may I help you?
Fraudster: I am traveling to France with my friend in two days. I purchased the ticket two months ago through your website using my credit card. According to your published policy, I have to bring my physical credit card when I travel. However, I will only have a copy of the card that was used to purchase the ticket online. Will that be an issue when I travel?
Agent: Unfortunately, only physical credit cards are accepted.
Fraudster: Why is that? I have traveled with other airlines without presenting the original card.
Agent: My apologies. We do not usually do this, but your ticket has been flagged by our system because you have attempted to use more than four credit cards to issue your ticket.
Fraudster: No problem, to avoid any confusion, I will refund the previous ticket and issue a new one with my new credit card.
The fraudster was able to find out the company’s internal policy, and thus knew to purchase a new ticket using one credit card in order to avoid being flagged by the system. From this scenario, we can see that the employee unknowingly divulged internal company details, which eventually allowed the fraudster to succeed with his purchase.
Social Engineering may be related to Spear Phishing attacks. Consider the following:
- Small details count: Fraudster can use even the most mundane details that employees may perceive as harmless. So, personal information or information about your organization, such as another employee’s email address or contact number, should never be provided. Such information can be used in a specific type of scam called Spear Phishing. In these cases, the only address you can provide is a customer service center’s contact information that is published on the company’s website.
- Think before you click: Fraudsters will use unsolicited emails which contain suspicious links or URLs, or use high-brand names and familiar email addresses to establish a level of trust for end users. In cases where the end user is a company employee, the fraudster might use a fake colleague’s email address which appears to be genuine. Therefore, check for suspicious emails, links or URLs before you click.
- Do not underestimate your fraudster: Fraudsters are educated and extremely patient; they are willing to send a hundred mass emails for one email to succeed. The emails they send will appear genuine and contain accurate information. However, as mentioned previously, there will be suspicious signs indicating unordinary behavior. Be skeptical; even if it appears to be a legitimate email, it can still be a trick.
- Look for the signs: Phishing emails and websites contain misspellings, @ sign, and call for an action such as “click here”.
- Stay updated: End users must be aware of fraud techniques and recent fraud attacks that could potentially be used to breach their systems. As for website administrators, they should regularly monitor their websites to ensure that no confidential information has been mistakenly published. Companies need to keep an eye out for misused logos or stolen identities.