Organized and hosted by Social-Engineer.Org, the Social Engineering Capture the Flag (SECTF) takes place each year at DEF CON, a hacking conference in Las Vegas. The SECTF competition was devised to validate the serious risks social engineering creates for companies and individuals, as well as to demonstrate how information can be easily obtained. Participants go through a period of collecting information prior to DEF CON, where they gather potentially damaging data from online sources and telephone elicitation. Participants put the pieces of information (or “flags”) they obtained during the first segment to use during the live call phase of the competition during DEF CON. Reflecting on this year’s SECTF competition, we decided to take a deeper look at the effects of social engineering:

Social engineering attacks, whether targeted at large enterprises or at individuals, rely on the same tactics. Fraudsters adapt their approach, altering the pretext of their scheme to make the victim comfortable and typically unaware that an attack is taking place. Pindrop’s Director of Fraud Prevention and Strategy, Shawn Hall, explains that pretexting is a critical technique: it allows fraudsters to create a “believable story” in advance of targeting the victim. The pretext, together with the rapport built during the call, increases the chance that the victim will share confidential information or change account information at the fraudster’s request.

In addition to pretexting, fraudsters will combine other tactics to improve their chances of obtaining information. For example, they may impersonate an authority figure, like an executive at a company or a government agent, placing the victim in a position where they feel like they are forced to answer questions. Alternatively, fraudsters may take an opposite approach where they play someone in need of assistance, creating a sense of obligation for the victim to help.

It is estimated that 61 percent of all fraud activity can be traced back to the call center, and much of that can be attributed to the use of social engineering. Fraudsters do not discriminate between companies and individuals. Companies can be targeted for high-impact breaches that cause monetary losses as well as a loss of consumer confidence. At the individual level, fraudsters can use a date of birth, Social Security number, or account number to gain access to accounts or steal an identity.

Social engineering can take various forms, but all share one goal: obtaining information to assist in other fraudulent activity. According to Shawn Hall, there are five best practices to protect against social engineering:

  1. Awareness – Education about social engineering and the ramifications of falling victim is key.
  2. Training – Training programs should be scheduled regularly with employees to keep awareness high and in focus.
  3. Internal Policies – Strong policies should be in place that only allow employees to discuss tightly scripted scenarios with callers.
  4. Authentication – Strong authentication procedures should be in place to verify that callers and customers are who they say they are.
  5. Technology – Invest in technology that can help protect against social engineering. Pindrop is able to detect a fraudster who is attempting to hide in a VoIP gateway, spoof an ANI (the caller’s Automatic Number Identification), or alter their voice.
