One of the biggest risks to our collective financial security is ourselves. It’s far easier to trick a human than it is a computer, and there’s no anti-virus software to protect you other than knowledge.
Social engineering is the term used for any manipulation technique with the goal of tricking an individual into giving up that kind of data. This can include passwords, social security numbers, bank records or any other manner of personal or private information.
The phrase originated with Dutch industrialist J.C. Van Marken back in the 1890s. He wrote an essay calling for "social engineers" to assist employers with addressing societal issues the same way ordinary engineers tackled mechanical ones.
Over time, however, the phrase has shifted to be more about how people manipulate society rather than improve it. The efforts of these scammers focus particularly on financial security, with consumers being targeted to share private identification and payment info.
Just like any manipulation tactic, social engineering works by capitalizing on a person's existing fears. Even the most cautious parties can fall victim to the right attack at the right time. Knowing some of the things scammers do to prepare for an attack can help you to better protect against one. It’s important to know that:
A successful social engineering attack relies on two things: a template and a trigger. The template is the framework a scammer uses to manipulate, while the trigger is one or multiple factors making the fraud more likely to occur in the first place. For example, someone might use a phishing scam (template) to send fake IRS emails asking seniors for bank account information during tax season (trigger).
Triggers will always be situational and difficult to predict. Templates, however, can be studied to help protect you and your family from potential financial harm.
Here are the six most commonly faced modern social engineering attack templates:
According to FBI statistics, the Bureau receives more than 240,000 phishing reports a year, equating to losses upwards of $50 million yearly. Phishing is the act of sending fraudulent emails pretending to be from a reputable source, attempting to entice users to share private data.
If you’ve ever received an email from someone claiming to be a member of a royal family in need of wire funds, then someone has attempted to phish you. Traditional phishing messages are most commonly unsophisticated and sent in bulk with the goal being to cast as wide a potential victim net as possible.
There is a subset of phishing — called spear phishing — that is slightly more sophisticated. As the name implies, spear phishing takes a more targeted approach. Instead of sending messages to large and impersonal groups, spear phishing attacks focus on groups that are related but not close enough to notice the subtle hints that something is off. Examples would be people who work in the same department at a large company or volunteers in a church group.
Whaling is another form of phishing unique enough to have earned its own moniker. Phishing focuses on large groups, spear phishing on focused groups, and whaling on targeted individuals.
These types of social engineering attacks are most likely to be faced by individuals in positions of power: CEOs, CFOs, and anyone with access to highly valuable business or finance data. Whaling emails address these individuals directly using personal information found online and attempt to trick them into doing things like sending payments or giving administrative access.
Smishing is a term used to describe phishing tactics committed solely through text message. It most commonly occurs with scammers acquiring spoofed phone numbers and sending out mass messages featuring malicious links or directions. The same tactics applied to voice calls are referred to as vishing.
Baiting is an easy trap to fall into because the scammers lure users into sharing sensitive information by offering something of value in return. These social engineering attacks can be as simple as a pop-up ad that offers free episodes of your favorite television show that, if clicked, infect your computer with data-scraping malware.
Pretexting involves using existing roles or titles to create believable scenarios for manipulation. This can include someone impersonating a member of law enforcement, a tax official, a sweepstakes organizer, or someone else you’d be more likely to trust with personal information.
A famous example of this would be when intelligence consultant Edward Snowden told his colleagues that, as systems administrator, he needed their passwords to perform maintenance and then proceeded to acquire confidential NSA documents using that access.
Business Email Compromise (BEC) is a social engineering tactic that involves someone pretending to be a company executive with financial decision-making powers. Impersonation and account compromise are the main types of BEC that companies face. Once a business account is compromised, scammers can trick employees into carrying out financial requests like wire transfers or bank detail updates.
Because phishing is the most commonly faced type of social engineering attack, we wanted to point out a few of the biggest red flags found in phishing emails. Knowing these tells will help you be more aware when you’re being targeted so you can protect yourself accordingly.
Sometimes it's easier to comprehend risks by having real-life context to understand them in. Here are a few notorious real-life social engineering incidents from the last decade:
This is one of the most well-known social engineering attacks of recent history. In 2016, targeted spear phishing messages led to the leak of a large number of private Democratic Party emails. These were the emails frequently referenced during the 2016 election season. The attackers sent users a request to change their passwords due to unusual activity. Anyone who clicked the link then had their inboxes ransacked and information stolen.
Celebrity television judge Barbara Corcoran from the business-funding show “Shark Tank” nearly fell victim to a phishing scam in early 2020. A scammer spoofed her assistant's email and sent her accountant a straightforward request for a real estate renewal payment upwards of $40,000. The only reason she didn't fall victim was because a follow-up email was sent to the proper address asking for clarification. Close call!
In 2019, attackers contacted a finance executive at Toyota Boshoku Corporation, persuading them to change the recipient's bank account information in an upcoming wire transfer. This BEC incident ended up losing the company over 35 million dollars.
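The two incidents above share a pattern: a payment request arrived from a sender that looked like a trusted contact, and the only thing that helped was checking with the real person. The script below is an added example, not code from this article or from DCU, showing how a mailbox or finance team could automate that first screen. It checks the sender against a directory of verified contacts, looks for display-name spoofing and lookalike domains, and holds any payment or bank-detail change request for confirmation through a known phone number or address. The contact directory, keyword list and sample messages are all constructed for the example.

```python
"""Flag e-mails that should be verified out of band before any money moves.

Added example for this article (not DCU's own code). The contacts, keywords
and messages below are constructed sample data.
"""
from email.utils import parseaddr

# Constructed directory of verified contacts: address -> expected display name.
KNOWN_CONTACTS = {
    "assistant@example-office.com": "Pat Assistant",
    "cfo@example-corp.com": "Chris Finance",
}

# Phrases typical of the requests that spoofing and BEC scams try to push through.
PAYMENT_KEYWORDS = ("wire", "bank account", "routing number", "payment", "invoice")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (a digit 1 for an l, etc.)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def analyze_message(from_header: str, subject: str, body: str) -> dict:
    """Return {'verify_out_of_band': bool, 'reasons': [...]} for one message."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    reasons = []

    if address not in KNOWN_CONTACTS:
        for known_address, known_name in KNOWN_CONTACTS.items():
            # Display-name spoofing: a trusted name on top of an address you have never verified.
            if display_name and display_name.lower() == known_name.lower():
                reasons.append(f"display name '{known_name}' used with unverified address {address}")
            # Lookalike domain: a character or two away from a contact's real domain.
            dom, known_dom = domain_of(address), domain_of(known_address)
            if dom != known_dom and levenshtein(dom, known_dom) <= 2:
                reasons.append(f"domain {dom} resembles verified domain {known_dom}")

    text = f"{subject} {body}".lower()

    # Any money or banking request from a sender outside the directory is held.
    if address not in KNOWN_CONTACTS and any(k in text for k in PAYMENT_KEYWORDS):
        reasons.append("payment or bank-detail request from an unverified sender")

    # A change of bank details is confirmed by phone even when the sender is known,
    # because a compromised real account passes every sender check.
    if "bank account" in text and any(w in text for w in ("change", "update", "new")):
        reasons.append("request to change bank details; confirm by phone regardless of sender")

    return {"verify_out_of_band": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed message in the shape of the spoofed-assistant incident.
    sample = analyze_message("Pat Assistant <pat@examp1e-office.com>",
                             "Real estate renewal", "Please wire $40,000 today.")
    for reason in sample["reasons"]:
        print("HOLD:", reason)
```

The last rule is the important one: sender checks catch impersonation and lookalike domains, but the account-compromise form of BEC described earlier arrives from the genuine address, so a request to change where money goes is confirmed through a channel the email did not supply, no matter who appears to have sent it.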
Social engineering can take many forms, but by knowing the most common tricks, templates, and triggers, you can protect yourself and your loved ones from financial fraud.
The easiest way to stay safe is by paying attention and staying vigilant, and by getting to the bottom of this page you’ve already made a great start.
This article is for informational purposes only. It is not intended to serve as legal, financial, investment or tax advice or indicate that a specific DCU product or service is right for you. For specific advice about your unique circumstances, you may wish to consult a financial professional.