One of the most prevalent cybersecurity threats comes not from machines, but from individuals. This is the realm of ‘social engineering’ and ‘impersonation fraud’, which use tactics that exploit human behaviour rather than technical vulnerabilities. Social engineering works by appealing to our good nature and gaining our trust; by exploiting emotions like fear and curiosity, the criminal can gain access to systems or to sensitive personal data. The effectiveness of social engineering lies in its simplicity – humans are often the weakest link in the security chain, and even well-trained individuals can make mistakes.
A common method is ‘phishing’ which is often used across different platforms including email, SMS (smishing) and voice (vishing), social media and gaming. We have nearly all, at some point, been ‘phished,’ whether it was that call from someone claiming to be from our bank or that email with a too-good-to-miss crypto investment opportunity.
Impersonation fraud is a sub-set of social engineering and occurs when a fraudster pretends to be someone they are not. For example, a message could claim to be from a family member who is in trouble and needs access to funds. A voice call could come from someone claiming to be at your bank, using a spoofed number (changed by the fraudster to appear genuine) and seeking account details, or from someone claiming to be an employee’s IT department and asking for credentials to access the systems. Once armed with the relevant information, the fraudster will go on to commit further crimes such as removing funds from a bank account or installing malware.
A global issue
What is important to note is that fraud knows no borders. Social engineering (and impersonation fraud) is a highly organised, growing, international threat. INTERPOL’s Financial Fraud assessment study looks at the trends across different regions and points to several types of social engineering as being the most prevalent – including investment fraud, advance payment fraud, romance fraud and business email compromise. In the USA, the Federal Trade Commission reported that last year consumers lost $2.7 billion to imposter scams (impersonation fraud). In the first six months of 2023, social engineering fraud drained AUD 286 million from Australians, in addition to the AUD 500 million lost in 2022.
What is being done to combat the issue?
Mobile operators are investing significant resources into fraud detection systems, filtering and blocking mechanisms, and in SMS and voice firewalls. They are working across sectors such as banking and finance, as well as with regulators, to develop and implement solutions to protect customers. In many sub-Saharan African countries where mobile money services are highly popular, enhancing security is essential to protecting mobile consumers. Kenya’s M-Pesa and similar services in other countries have integrated biometric authentication, improved encryption and enhanced fraud detection systems to protect users from impersonation and other fraudulent activity.
The GSMA works very closely with its members, providing resources and forums that give operators the ability to share insights and intelligence, including mitigation measures. The GSMA Fraud And Security Group (FASG) allows members to share and identify emerging fraud schemes and to develop defences. The Telecommunication Information Sharing and Analysis Centre (T-ISAC) is the central hub of information sharing for the telecoms industry on security-related matters in near real time.
The GSMA Open Gateway initiative is creating an open set of Application Programming Interfaces (APIs) to help all industry sectors and public sector organisations combat fraud by enhancing user authentication and improving security. A number of these APIs streamline processes by making online transactions more secure and provide a sustainable fraud prevention solution for application developers. The Number Verification and SIM Swap APIs allow developer teams and partners to create new intelligent layers of customer authentication, verification and security within mobile phone networks, helping financial institutions and online retailers.
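As an added illustration (not code from the GSMA or from any Open Gateway implementation) of how a relying party such as a bank or retailer can turn these two network signals into a transaction decision, the following Python example uses constructed stand-in lookups in place of the real SIM Swap and Number Verification API calls. The response shapes, the session identifiers, the phone numbers, the 72-hour recency window and the high-value threshold are all assumptions; the point it demonstrates is the policy itself: a recent SIM change or a mismatch between the claimed number and the network-attested number should never be answered with an SMS one-time code to that same number, because a freshly swapped SIM would receive it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the operator's SIM Swap API: phone number -> timestamp
# of the most recent SIM change, or None when the operator has no record.
# (Assumed contract; a real integration calls the operator over HTTPS with user consent.)
CONSTRUCTED_LAST_SIM_CHANGE: dict[str, Optional[datetime]] = {
    "+441234000001": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),   # swapped months ago
    "+441234000002": datetime(2024, 6, 10, 8, 30, tzinfo=timezone.utc), # swapped hours before NOW
    "+441234000003": None,                                              # no swap on record
}

# Constructed stand-in for the operator's Number Verification API: the number the
# network actually sees behind a given mobile-data session. (Assumed contract.)
CONSTRUCTED_NETWORK_NUMBER: dict[str, str] = {
    "session-alice": "+441234000001",
    "session-bob": "+441234000002",
    "session-mallory": "+441234000009",  # will claim somebody else's number below
}

# Fixed "current time" so the example is deterministic when run offline.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

SWAP_RECENCY_WINDOW = timedelta(hours=72)  # assumed policy value
HIGH_VALUE_AMOUNT = 1000.0                 # assumed policy value


@dataclass(frozen=True)
class Signals:
    number_verified: bool       # claimed number == network-attested number
    sim_swapped_recently: bool  # SIM changed within SWAP_RECENCY_WINDOW


def sim_swapped_within(phone: str, max_age: timedelta, now: datetime = NOW,
                       lookup=CONSTRUCTED_LAST_SIM_CHANGE) -> bool:
    """True if the operator records a SIM change within max_age of now.

    An unknown number or no swap on record is treated as 'not recently swapped';
    the number-verification check still guards against a fabricated number.
    """
    last_change = lookup.get(phone)
    if last_change is None:
        return False
    return now - last_change <= max_age


def number_matches_session(session_id: str, claimed_phone: str,
                           lookup=CONSTRUCTED_NETWORK_NUMBER) -> bool:
    """True if the number the user typed is the one the network sees for this session."""
    return lookup.get(session_id) == claimed_phone


def collect_signals(session_id: str, claimed_phone: str) -> Signals:
    return Signals(
        number_verified=number_matches_session(session_id, claimed_phone),
        sim_swapped_recently=sim_swapped_within(claimed_phone, SWAP_RECENCY_WINDOW),
    )


def decide(signals: Signals, amount: float) -> str:
    """Rule-based policy (assumed, for illustration):

    - no risk signal                  -> "allow"
    - risk signal and high-value      -> "hold_for_review" (human check before funds move)
    - risk signal and lower value     -> "step_up_out_of_band" (e.g. in-app push or
                                         call-back to a previously registered contact;
                                         deliberately NOT an SMS code to the claimed number)
    """
    risky = (not signals.number_verified) or signals.sim_swapped_recently
    if not risky:
        return "allow"
    if amount >= HIGH_VALUE_AMOUNT:
        return "hold_for_review"
    return "step_up_out_of_band"


def process_transfer(session_id: str, claimed_phone: str, amount: float) -> str:
    """Gather both network signals for the session and return the policy outcome."""
    return decide(collect_signals(session_id, claimed_phone), amount)


if __name__ == "__main__":
    for sid, phone, amt in [
        ("session-alice", "+441234000001", 50.0),    # verified, old swap
        ("session-bob", "+441234000002", 50.0),      # verified, swapped today
        ("session-bob", "+441234000002", 5000.0),    # verified, swapped today, high value
        ("session-mallory", "+441234000001", 50.0),  # claims Alice's number
    ]:
        print(sid, phone, amt, "->", process_transfer(sid, phone, amt))
```

The design choice worth noting is that a SIM-swap hit does not simply deny the transaction: many swaps are legitimate (lost phone, new handset), so the example routes the customer to a verification channel that the attacker does not control and holds only high-value transfers for review. An unknown SIM-change record is treated as "no recent swap" rather than as a block, relying on number verification to catch a claimed number that the network does not see.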
Good practices
Beyond technical solutions, we also know that an important defence is through awareness and training. Individuals need to be informed about common tactics used by criminals, how to recognise them, and how to report suspicious activity. Examples of good practice by industry and/or individuals include:
- Making it common practice to raise awareness and educate customers on protecting personal information, including telling them what to do when their personal information might have been compromised.
- Routinely training, testing and monitoring employees to ensure that they don’t unwittingly release customers’ personal information.
- Updating policies and systems regularly to reflect greater safeguarding of personal data.
- Always verifying the identity of the person requesting sensitive information, especially if the request is unexpected or urgent.
- Being sceptical of unsolicited requests. If someone reaches out unexpectedly and asks for confidential information, bank details or access to systems, be cautious and double-check the legitimacy of the request.
Collaborative efforts between governments, law enforcement agencies, regulators, the private sector and consumers all have a part to play in effectively combatting social engineering and impersonation fraud.