Social engineering attacks in online banking: how to identify and fight them

In the ever-expanding digital realm, where convenience and connectivity reign supreme, online banking has become an integral part of our lives. We can access our accounts, transfer funds, and manage our finances with just a few clicks. 

However, this convenience comes with a price: cybercriminals have devised malicious tactics to exploit human psychology, using trust, curiosity, and ignorance to breach security systems.

These are called social engineering attacks. 

This article gives an overview of the main types of social engineering attacks, their impact on online banking, and helpful advice about how to identify and prevent them.

Social engineering attacks are attempts to manipulate individuals into divulging sensitive information or performing actions that let the attackers complete the fraud. 

Social engineering is not per se a way to complete fraud, but it opens the doors to fraudsters to perform Account Takeover.

This is where fraud happens. 

The latest massive attack in the banking industry goes back to last year, when a broad social engineering campaign operated by Brazilian criminals affected bank users in Portugal, Spain, Brazil, Mexico, Chile, the UK, and France.

Over the years, cybercriminals have carefully transformed their techniques from simple and easily detectable tactics, like impersonation, to complex psychological manipulations, making the impact of fraud on mental health a growing social issue. 

Recently, the evolution of Artificial Intelligence (AI) has facilitated the use of advanced social engineering techniques. 

The ability of AI algorithms to gather and analyze a large amount of data from various digital channels makes it easier to craft personalized and convincing messages that facilitate the success of social engineering attacks. 

Additionally, AI-powered chatbots or voice assistants can simulate human-like interactions, further blurring the line between genuine and malicious communication. Let’s stop and think about the powerful instrument cybercriminals have today: what would you do if you received a call from “your uncle” asking you to send him money for an emergency? 

The answer is clear… you would be another victim of the audio-deep fake scam. 

Audio deep fake is extensively used to complete Authorised Push Payment fraud, a specific type of social engineering attack that lure customers into making payments to fraudsters’ banking accounts. 

As AI advances, security professionals and online users must stay vigilant and employ robust countermeasures to protect against these evolving attacks.

As social engineering scams in online banking flourish, we will focus only on the most common scenarios to help you identify and avoid them. 

Phishing, smishing, vishing 

The most dangerous and widespread social engineering attack is phishing, where cybercriminals masquerade as trustworthy entities to deceive unsuspecting victims via emails, text messages (smishing), or phone calls (vishing).

Phishing attacks can be highly convincing, imitating reputable banks or organizations’ official logos, email templates, and language to trick users into divulging sensitive information, such as login credentials or credit card details, by clicking on a malicious link or replying to the message. 

Once obtained, this information can be used for fraudulent transactions, unauthorized access, or identity theft. 

Spear phishing

Spear phishing targets specific individuals inside organizations, as their successful infiltration can lead to more significant financial gains for the attackers. For this reason, it is more dangerous and difficult to detect than general phishing scams. 

This type of social engineering attack is highly used in online banking. 

Baiting

Baiting attacks use people's curiosity to make them fall into their traps. 

Through baiting, victims are offered something of value, such as free software, exclusive discounts, or irresistible deals containing malware-infected links or downloads. Once clicked or installed, cybercriminals gain access to sensitive data. 

In online banking, baiting attacks can compromise login credentials, granting attackers unauthorized access to user accounts and facilitating fraudulent transactions.

Pretexting

In pretexting attacks, cybercriminals assume false identities, often posing as trusted individuals or authorities, to trick victims into revealing confidential information.

Scammers may pose as authoritative figures, such as bank representatives or IT support personnel, and manipulate victims into providing personal or financial data. 

Pretexting attacks can compromise online banking security by exploiting trust and authority, leading to unauthorized access and financial losses.

Pharming

Pharming attacks redirect victims to fake websites resembling legitimate online banking platforms. 

By exploiting vulnerabilities in DNS servers or injecting malicious code into users' systems, cybercriminals misdirect victims to fraudulent websites, where they unknowingly provide their login credentials and other sensitive information. 

Pharming can lead to unauthorized access, identity theft, and financial fraud.

‍

Social engineering attacks have profoundly impacted online banking fraud, resulting in significant financial losses and compromised customer trust. 

When attackers access victims' credentials through social engineering, they can transfer funds, make fraudulent payments, and carry out other unauthorized transactions, causing financial harm to individuals and institutions. 

Social engineering attacks often involve the collection of personal information. Attackers can use this information to create fake identities, open fraudulent accounts, and commit identity theft, leading to long-term consequences such as damaged credit scores and reputations. 

Additionally, successful social engineering attacks erode customer trust in online banking systems. Instances of fraud and unauthorized access can make customers question the security measures in place, potentially resulting in customers abandoning online banking services altogether.

Cleafy’s communication pillar is to make it clear that attacks cannot be stopped. As said in our previous articles, phishing, SIM Swaps, APPs, and all other cyberattacks happen every second, and trying to stop them would be like trying to collect rainwater in a bassinet—a useless and resource-consuming task. 

To protect your customers and employees from social engineering scams, it is paramount to work in two directions: education and security. 

Reduce successful attacks with education and awareness 

Making your stakeholders aware of the issue will help them stay vigilant about possible attacks. 

Consider sharing information about social engineering attacks and best practices to avoid them as a consistent part of your daily activities.

Increase the security of your anti-fraud systems

Cybercriminals use social engineering to commit fraud through Account Takeover or Automated Transfer Systems.

To avoid ATO, it is essential to identify the users and how they behave and act on the banking channels to detect any anomalies. Integrating behavioral analysis, biometrics, and transactional analysis is the key. 

To fight ATS, instead, it is paramount to deploy a system with unique malware detection capabilities that can identify and stop even the most advanced malware. 

To block them before they hit, banks must rely on the right anti-fraud solution to monitor what’s happening across all digital channels throughout the user’s journey, even before the authentication phase occurs.

The Cleafy platform is a real-time, end-to-end detection & response system that can shield against these threats. 

As the digital landscape continues to evolve, individuals and organizations must stay vigilant against the ever-present threat of social engineering attacks. 

By recognizing the common types of social engineering attacks and understanding their impact on online banking fraud, banks can adopt proactive measures, such as raising awareness on the topic and integrating a solid fraud management solution into their security systems to be ready to fight every cyber attempt.