Rooted in manipulation, social engineering is simply a technological twist on an age-old scam. These attacks leverage human trust and error to give threat actors access to private information, currency, and in some cases, even the physical location of their target. But it’s not necessarily a malicious hacker in a dark room, backlit by green lighting as they hover over mechanical keyboards. These attacks exploit human behavior as much as – if not more than – they exploit technologies.
Social engineering tactics are popular for bad actors to use against the financial services industry because they have much to gain – login credentials, personal identifying information (PII), cryptocurrency, and traditional currency. To effectively fight social engineering tactics, it’s important to understand how these tactics have adapted to the evolving financial landscape.
Social Engineering Basics
Social engineering campaigns are common online scams. They don’t require sophisticated technical skills; instead, they rely primarily on human behavior to accomplish their goal. Threat actors also benefit from their target’s reputation. For example, a leading bank that has built a reputation of trust and reliability is ideal for criminals to leverage in a phishing campaign or social media attack – after all, if you’ve had an account with them for years and they send an email that your account needs attention, you are more likely to react to that than to a communication from an unknown organization.
Social engineering uses a variety of tactics which include:
- Phishing emails
- Smishing (phishing via SMS)
- Social media impersonators
- False banking alerts
- Fraudulent login pages prompting you to enter credentials
- Spear phishing
Although social engineering has posed a threat to nearly every industry, the financial services industry is at particularly high risk when it comes to these campaigns because of the vast amounts of personal information it holds and its direct access to funds.
According to the ZeroFox Intelligence team’s Financial Services Quarterly Threat Landscape Report: “Social engineering was one of the most frequently reported intrusion tactics leveraged against the financial sector in Q1 2022, indicating human error remains a significant barrier to effective security practice. Threat actor tactics remained evolutionary rather than revolutionary, typically targeting employees and customers with rudimentary phishing emails and voice calls. Social engineering will almost certainly remain a threat to the financial sector as campaigns are demonstrably effective and offer a high return on investment.”
3 Social Engineering Threats to the Financial Services Industry
As mentioned above, social engineering campaigns have evolved to target a variety of different facets of the financial services industry. However, these attacks have moved beyond sending emails to customers with false information. Although the traditional methods of social engineering – phishing emails and text messages – are popular, the following three threats pose a particular risk in the financial sector.
1. Campaigns Targeting Cryptocurrency and NFTs
Cryptocurrencies and Non-Fungible Tokens (NFTs) have given rise to new social engineering tactics and goals on which threat actors can set their sights.
According to ZeroFox’s Threat Intelligence team, social engineering attacks directed toward the crypto market persisted throughout Q1 2022 as threat actors continued to leverage malicious emails and links on social media platforms to target digital assets. While it could be argued that targeting and stealing cryptocurrency is similar in nature to the theft of more traditional currencies, the rise of NFTs, and the corresponding rise in activity by bad actors, has been the bigger challenge.
One noteworthy phishing campaign took advantage of a contract migration on OpenSea — one of the largest NFT marketplaces. By replicating official emails, threat actors tricked users into visiting fake websites and signing malicious transactions crafted to look like a legitimate OpenSea request, leading to the theft of hundreds of high-profile NFTs worth USD 2 million collectively.
Financial institutions that support either cryptocurrencies or traditional currencies are at risk for this type of attack. Adversaries continue to distribute infostealing malware — malware that specifically targets credentials linked to crypto wallets — to steal digital assets. Well-known strains, such as Cryptbot and Redline, remain the most prevalent. However, ZeroFox Intelligence also observed an increase in newly developed strains throughout Q1 2022, including BHUNT, Blackguard, Mars, META, and ZingoStealer.
2. Phishing and Smishing to Distribute Malware
Although we touched on the trends of phishing and smishing in relation to cryptocurrencies and NFTs, the financial services industry has been, and remains, a target for phishing attacks aimed at employees and customers alike in order to distribute malware or ransomware.
In the first quarter of 2022, social engineering campaigns remained one of the most prolific means of distributing malware, successfully leveraged to disseminate some of the most dangerous strains, including Medusa and Flubot, Bazarbackdoor, Emotet, JSSLoader, Agent Tesla, and Redline. Payloads were typically delivered by malicious email attachments such as PowerPoint, Excel, CSV, and Zip files. Financial organizations should note the Q1 2022 TeaBot Remote Access Trojan phishing campaign that enticed user engagement by impersonating financial institutions.
In part, the strong trend of social engineering campaigns against the financial services industry could be due to the popularity of “phishing kits” that make it easy and profitable to distribute malware and collect PII. A phishing kit is pre-packaged code that allows fraudsters to quickly deploy phishing sites. They’re sold and traded online across the Deep and Dark Web, social media sites, and forums. These kits operate much like a SaaS product, with various tiers and APIs. They are very popular because they offer a high return on investment for threat actors: they allow actors to quickly stand up a phishing site without understanding the back-end controls or possessing an advanced skill set.
3. Conversation Hijacking
Conversation hijacking is a specific social engineering threat to financial services, as well as retail and the public sector, that often gets underplayed. Conversation hijacking is less covert than other social engineering tactics. This term refers to a type of targeted email attack in which cybercriminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts or other sources.
Conversation hijacking seems simple, but it is a very real threat that relies on manipulation, human error, and trust. According to ZeroFox Intelligence, conversation hijacking is likely to continue to be one of the most concerning growing social engineering threats.
Imagine you are emailing a large group of people, both on your team and a few external contacts, about a big project. If a hacker has gained access to the email account of someone on that team, they may not immediately begin their attack. Instead, they might CC another threat actor, or even reply as the person whose credentials have been compromised, with seemingly innocuous questions that don’t raise any red flags. Then, as talk of budget comes up, they might say that they need a form filled out with credit card information, or ask for login credentials to another piece of software or a portal being used in the project. Especially in the age of remote work, this can be an easy way in for a bad actor.
Once the conversation has been hijacked, it can be difficult to backtrack and determine what the attacker gained access to, making it crucial never to share confidential information via email.
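The two visible signs of the hijacking scenario above, a new external address quietly CC’d into an established thread and a reply whose Reply-To points away from the sender’s own domain, can be checked mechanically. The following is an added example, not code from the original post or from ZeroFox; the thread, names and domains are constructed placeholders, and `INTERNAL_DOMAIN` is an assumed value.

```python
# Added example (not from the original post): heuristic review of an email
# thread for the conversation-hijacking patterns described above.
# The thread below is constructed sample data; all addresses are placeholders.
from email.utils import getaddresses

INTERNAL_DOMAIN = "examplebank.test"  # assumed internal domain (placeholder)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def addresses(header_value: str) -> set:
    # Parse a To/CC/From/Reply-To header into a set of lower-cased addresses
    return {a.lower() for _, a in getaddresses([header_value]) if a}

def review_thread(messages):
    """Return a list of (message index, reason) findings for the thread."""
    known = set()       # every address seen so far in the thread
    findings = []
    for i, msg in enumerate(messages):
        sender = addresses(msg["from"])
        recipients = addresses(msg.get("to", "")) | addresses(msg.get("cc", ""))
        if i > 0:
            # An external address appearing after the thread was established
            new_external = {a for a in recipients - known
                            if domain_of(a) != INTERNAL_DOMAIN}
            for a in sorted(new_external):
                findings.append((i, f"new external participant added: {a}"))
        # A Reply-To that redirects answers away from the visible sender's domain
        for r in addresses(msg.get("reply-to", "")):
            for s in sender:
                if domain_of(r) != domain_of(s):
                    findings.append((i, f"Reply-To {r} does not match sender domain {domain_of(s)}"))
        known |= sender | recipients
    return findings

THREAD = [  # constructed sample thread
    {"from": "alice@examplebank.test", "to": "bob@examplebank.test, carol@partner.test"},
    {"from": "carol@partner.test", "to": "alice@examplebank.test, bob@examplebank.test"},
    {"from": "bob@examplebank.test", "to": "alice@examplebank.test, carol@partner.test",
     "cc": "accounts@partner-billing.test", "reply-to": "bob@mail-examplebank.test"},
]

if __name__ == "__main__":
    for idx, reason in review_thread(THREAD):
        print(f"message {idx}: {reason}")
```

These checks only surface changes visible in the headers; a reply sent from the genuinely compromised account looks like any other message, which is why the advice above is not to share credentials or payment details over email at all.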
Outlook for Social Engineering Threats Against Financial Institutions
Although social engineering tactics will continue to be a steady threat to nearly every industry, there are a few actionable steps to take to safeguard against them.
- The first and most important step is to provide continual training opportunities for all team members and people who have access to email accounts or other company assets.
- Establish a clear protocol for accessing information, including two-factor authentication.
- Finally, create and widely disseminate information to raise awareness of possible threats and phishing scams for all customers and employees.
To learn more key insights and takeaways to safeguard against social engineering attacks against a variety of industries, download our Quarterly Threat Landscape Reports.