Table of Contents

How to Detect Social Engineering Account Takeovers 

Account takeovers (ATOs) resulting from social engineering are commonplace. This is likely because they’re easy to execute even for novice fraudsters. Sprawling communities of scammers gather to share successful methods, sell credentials and provide money mule services to each other.

According to Javelin Research’s annual “Identity Fraud Study: The Virtual Battleground” report, account takeover increased by 90% to an estimated $11.4 billion in 2021 compared with 2020 — representing roughly one-quarter of all identity fraud losses in 2021.  

With such a pervasive and ubiquitous threat, many companies struggle to protect their customers from these attacks. They wonder, “How can we prevent a customer from giving their login credentials to a fraudster?” The inconvenient truth is that you can’t.

But, you can detect a fraudulent session from an ATO. How?  By observing signals that indicate a fraudster is at work: characteristics of the browser and device they’re using, their location, account changes and on-page actions they take during a session — even the way they type or tap their touchscreen. All these combine to create a holistic pattern indicating a user is legitimate.

Let’s take a deep dive into the social engineering tactics fraudsters use, and we’ll wrap up by exploring how modern detection methods can keep them at bay. First, we should define what social engineering is and how it works.

What is social engineering? 

Social engineering is a form of psychological manipulation that gets people to perform specific actions, typically divulging confidential information or providing access when they shouldn’t. All social engineering techniques are based on particular attributes of human decision-making known as cognitive biases. 

Fraudsters exploit these biases, or “bugs in human hardware,” in various combinations to support goal-specific attack techniques. The goal isn’t always to acquire credentials; social engineering can gather any information that a party wouldn’t want falling into the hands of a hacker.

For example, a fraudster might not be able to get high-level credentials by talking with a low-level employee. Instead, they can probe for other important information: the applications their company uses, their usual communication channels, email formats, and the names of IT admins. 

Gathering information like this makes it much easier to impersonate a trusted co-worker – or service desk representative that a customer may believe they are interacting with – during a phishing attack.

Why is social engineering successful so often?

While reading this article, you might sit back and think, “I would never allow myself to be manipulated. I’m too savvy.” The truth is that no one is immune to social engineering. All it takes is the right leverage or context; you’re just as vulnerable as anyone else. We’ve categorized key vulnerabilities into six “principles”: 

Authority

Attackers will pose as an authority figure to coerce the target into complying without asking questions. For example, they might pretend to be a security administrator, a fraud prevention officer or a higher-ranking employee. 

This works both internally and externally: employees might comply because they’re outranked; customers may believe an individual who claims to be a “fraud prevention officer” because it sounds important and authentic. In either case, the veneer of authority can be quite convincing.

Intimidation

The victim is made to believe there will be negative consequences if they don’t cooperate. Consequences could include threats such as, “Your bank account will be frozen,” while others might convince the target they’re in legal trouble.

Consensus

Scammers create a phishing page with numerous fake comments or reviews, which leads the victim to believe that other customers are happy with their “purchase.”  With this false social proof, the victim follows through with the fraudulent purchase, except they’re handing over confidential information rather than making a transaction.

Scarcity

Bad actors use the sense of scarcity to create an environment where the victim feels they have to make a quick, often irrational, decision. For example, a common tactic is offering a hard-to-find item, such as the highly sought-after Playstation 5, at a competitive (or unbelievably low) price. 

But the user “must act now” because supplies are diminishing fast. Of course, this is a ploy to trick the user into handing over private information — the fraudster has no intention of selling a gaming console.

Urgency

Attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a “limited time only” encourages sales through a sense of urgency.

Familiarity

The attacker manipulates the victim by impersonating a well-known person or trusted individual to endorse the product being sold. The bad actor uses their reputation to build a sense of familiarity with the victim.

A typical social engineering method combines two or more of these, typically leveraging whatever information is available to create a more convincing story.

Social engineering methods used by fraudsters

Now that you understand the vulnerabilities exploited by cybercriminals, let’s explore the most commonly executed social engineering methods.

Phishing

Phishing is the most common social engineering attack. While variants can take place over virtually any communication channel, email is the most frequent. Other forms of phishing via SMS or voice communication, or “smishing” and “vishing,” are described below.

In a typical email phishing attempt, the fraudster sends an email that appears to come from a legitimate party — like a bank or retailer — requesting credential “verification” and warning of dire consequences if they ignore it.

The email contains a link to a fake web page that appears authentic, with company logos, a genuine-sounding URL, and a familiar layout. This fraudulent page contains a form requesting the user “verify” information like credentials, a home address, an ATM card PIN or a credit card number. 

Making a fake website or email look authentic by mimicking a legitimate organization’s HTML is relatively simple. By indiscriminately spamming huge groups of people, the fraudster expects at least one of their targets to “bite.” While only a tiny percentage will engage with their scheme, a large number of recipients means they can net a sizeable catch of victims. 

Phishing may also be as simple as convincing a target to email back with the requested information simply. Not every phishing scheme requires coding or fake websites, and some victims are willing to provide confidential information by directly replying.

Vishing

“Voice phishing” or vishing is the criminal practice of using voice communication to gain access to private information. Attackers also employ it to gather more detailed intelligence on a target or an organization.

Smishing

Using SMS text messaging for phishing is known as “smishing“. Like phishing, it can be tapping on a malicious link or divulging information. For example, a smishing text message might claim to be from a mail carrier and state a package is in transit with a link provided. 

Impersonation

Pretending to be a legitimate person to gain access to a system, account or building. Impersonation is used in SIM swap scams in which a fraudster pretends to be a legitimate user activating a new SIM card on their cell phone plan. 

Convincing a mobile carrier employee to activate the new SIM effectively diverts text messages to the bad actor — and allows them to circumvent SMS-based two-factor authentication (2FA)

How Transmit Security detects social engineering fraud 

Transmit Security identifies suspicious device configurations, application activity and biometric behavior during the customer’s interaction with your application or web service. By analyzing behavioral biometrics, such as keyboard and mouse interactions, we can draw a sharper contrast between trusted users and would-be imposters. Deviations in keystroke velocity, mouse movement, and session activity are compared to the user’s historical profile.

We can detect attacks in real time by combining behavioral biometrics with complex network and device telemetry. This is true even when the threat actor checks all the typical boxes: correct credentials, proper IP location, and passing the 2FA challenge. While most detection signals aren’t enough to stop a session, they weave together to show a more accurate picture of who is logged in.

Here are four detection signals that can identify potential ATOs, even if attackers have successfully phished a user’s credentials or personal information.

Network reputation

Network reputation tells us when suspicious IPs are trying to access users’ accounts. Fraudsters hide their tracks using Tor (anonymous) browsers, data centers, proxies and anonymizers. 

The service detects malicious IPs that have a bad reputation or have been involved in previous attacks by using a network with a reputation of over 1B entities.

Geoanalysis

Geoanalysis uses network data to determine users’ geolocation and flags new locations that are not part of the user’s profile or ones that don’t match learned user behavior,  impossible travel, or locations with bad reputations.

Device intelligence

Device intelligence is built by analyzing the user’s trusted devices over time. Devices that are used over some time are trusted due to built-up reputation. New devices lack any reputation and are potential suspects for social engineering. 

However, you don’t want to punish a legitimate user for logging in from a new device. Other device and network indicators can be gathered through a device’s browser and raise the appropriate flags. Tools such as emulators, virtual machines, malware, RATs, spoofed devices, or device farms strongly indicate fraudulent activity.

Behavior analysis

We can detect abnormal behavior by analyzing the user’s interaction with the device during the session journey. Interdiction based on behavioral analysis can occur when a user’s interactions differ significantly from their typical behavior. 

We can use the historical profile of the user’s actions combined with many behavior-based data points, such as the average time to carry out a specific action. 

Learn how to detect fraud without disrupting customers 

You’ve learned how social engineering works, why it’s often so successful, and a few of the different signals that can catch fraudsters in the act. Ready to find out more about stopping fraud? 
You can explore even more educational resources with our Research Lab hub. Try starting with a related article on why hacking today is so easy.

Authors