How Social Engineering Can Affect Fintech Companies And What You Need To Do About It
Introduction
In the ever-evolving and rapidly changing world of financial services, promises of speed and ease have to be balanced against a tidal wave of fraud risk. Social engineering is only one of many fraud methods, but it sets itself apart as a particularly underhanded and effective scheme. This post takes a closer look at social engineering in fintech: how it works, and what individuals as well as organizations can do to protect themselves.
The fintech industry has transformed the financial sector, offering customers innovative services in a simpler and faster way. However, this digital revolution also means that cybercriminals can abuse the same technology for criminal ends. Social engineering, which relies on manipulating human psychology rather than breaking technology, is now just as prevalent a threat as any technical attack. The fintech sector understands this threat, yet it still undermines the foundations of any financial system when safeguards are not in place.
What Is Social Engineering?
Social engineering is a form of psychological manipulation in which fraudsters deceive people into divulging confidential or personal information, or into performing security-relevant actions. Rather than exploiting technical vulnerabilities such as software bugs or other technical weaknesses, social engineering targets human vulnerability.
Most Commonly Used Social Engineering Techniques
Phishing
Phishing is the most common type of social engineering: an attacker crafts and sends a convincing email or message that appears to come from someone you know or trust. The goal is usually to get the recipient to click a harmful link or hand over confidential data. In 2023 alone, more than 2 million phishing sites were detected by the Anti-Phishing Working Group, underscoring the sheer scale of the problem (APWG, 2023).
Pretexting
An attacker invents a story (a pretext) with the purpose of obtaining information or getting an action performed (such as forwarding emails). An example would be a scam artist who pretends to represent the victim's bank in order to obtain their account details. Pretexting relies on research: before making contact, the attacker gathers as much information as possible about the target from their online presence, whether on social media or on various review websites.
Baiting
Baiting uses the promise of something desirable (the bait) to distract victims from the risk and lead them into harm. A typical example is a "free" software download that actually installs malware. Baiting can also happen offline, for example by leaving or handing out infected USB drives.
Quid Pro Quo
Here the attacker offers a service or benefit to persuade someone to give up information. For example, an attacker may pose as IT support and offer to fix a problem in exchange for the user's password. This exploits the victim's need for help and their general reliance on people who appear to be in authority.
Tailgating
Also called "piggybacking," tailgating takes place when an unauthorized individual follows an authorized person into a restricted area, benefiting from that person's access privileges. This type of physical security breach may give the intruder access to sensitive information or systems. Imagine entering your office building by swiping your ID card at the gate: as the gate opens, a bystander slips in behind you before it closes.
How Social Engineering Affects Fintech
Because fintech is an industry that runs primarily on digital transactions and holds a great deal of sensitive data, social engineering attacks are common in this sector. The financial and reputational consequences of such attacks can be catastrophic.
Financial Losses
Each year, organizations are estimated to lose approximately 5% of their revenue to fraud, and social engineering accounts for a large share of it, according to the Association of Certified Fraud Examiners (ACFE). The global projected cost of social engineering attacks in the fintech industry is expected to surpass $2 billion by 2023 (ACFE, 2023). The organizations hit by ransomware are not the only ones to bear these losses; their customers and stakeholders do as well.
Reputational Damage
Trust is a crucial element for any fintech firm. A single successful social engineering attack can compromise customer trust and cause a significant loss of revenue. In the era of social media, news of such breaches can travel around the globe within hours, compounding the harm at an unprecedented pace. A PwC study found that 87% of consumers would leave a company if they believe their data is not protected.
Regulatory Consequences
A series of sweeping data privacy laws has come into force, and regulatory bodies worldwide are clamping down harder than ever on fintech companies through stringent data protection requirements and compliance obligations. Social engineering breaches are well known to lead to legal and financial consequences. Data breaches alone can rack up significant fines: for data privacy violations under the GDPR, the penalties possible under Article 83 reach €20 million or 4% of global annual turnover, whichever is higher (European Commission, 2023).
Real-World Examples
The Twitter Bitcoin Scam
In July 2020, bad actors used social engineering to hijack some of the most recognizable Twitter accounts in existence, including that of Elon Musk. The accounts were then used to promote a Bitcoin scam, which led to over $100k in losses. The breach was ultimately achieved through a spear-phishing attack on Twitter employees, illustrating that companies like Twitter remain vulnerable and that this mode of social engineering is still on the rise (BBC, 2020). The incident highlighted how critical it is to lock down internal systems and to train employees in recognizing what phishing looks like.
The Robinhood Data Breach
Robinhood, a popular trading platform, was breached in November 2021, affecting up to about 7 million of its customers. The breach was accomplished through a social engineering attack targeting a customer support employee, showing that even the largest fintech firms are susceptible to this kind of deception. The attackers gained access to customer names, email addresses, and in some cases more sensitive data (Bloomberg, 2021).
The Google and Facebook Scam
From 2013 to 2015, a Lithuanian scammer ran a social engineering con that swindled Facebook and Google out of more than $100m. The scam artist posed as an Asian manufacturer and sent the businesses counterfeit invoices, which were paid out without proper authorization. This case shows how much money can be lost through social engineering, and also why KYC controls are needed (The Guardian, 2019).
Protection Against Social Engineering
The threat is serious, but there are several steps that individuals and organizations can take to reduce its impact.
For Individuals
- Be Suspicious: Never respond to, or click on, unsolicited communications asking for personal information. Contact the organization directly using its official channels. Do not open links or downloads from strangers.
- Stay Informed: Learn about the latest social engineering ploys and how to recognize them. Awareness is the first line of defense. Plenty of good cybersecurity training and information is available online: attend webinars, take online courses, or join cyber-awareness programs.
- Turn on Multi-Factor Authentication (MFA): MFA adds another layer of security to each of your financial accounts. Even if attackers manage to obtain your credentials, they still cannot log in without the second factor, which makes account takeover far harder. MFA options include SMS codes, authenticator apps, and biometric verification.
- Check Accounts Regularly: Watch your financial accounts for any signs of fraud. Without early intervention, the damage only gets worse. Set up alerts for suspicious transactions and review account statements regularly.
For Organizations
- Employee Training: Provide employees with regular education on social engineering techniques and how to respond to them properly. Simulated phishing exercises work particularly well. Cultivate a security-conscious culture in which people are not afraid to report suspicious activity.
- Strong Policies: Define and enforce strong security policies, especially the principle of least privilege, so that employees can access only what they need for their jobs. Review these policies often and update them as needed to meet current threats.
- Invest in Technology: Deploy security solutions such as email filters, intrusion detection systems, and behavioral analysis tools to detect and prevent social engineering attacks. Deploy endpoint protection and data loss prevention (DLP) to protect sensitive data.
- Incident Response Plan: Create an incident response plan and update it regularly so that breaches can be handled quickly and accurately. Run drills on a regular basis to test the plan and keep all employees prepared.
- Control Vendor Risk: Make sure your vendors and third-party service providers follow the security standards you require. Perform regular audits, whether continuous or point-in-time, to assess their adherence and to correct or mitigate any weaknesses.
Conclusion
Fintech companies face a range of digital threats built on social engineering tactics, which trick people rather than technology. By understanding these attacks, individuals and organizations can safeguard themselves against one of the most dangerous cyber threats.
Call to Action
For individuals: stay aware, keep yourself informed, challenge unsolicited requests for information, and use multi-factor authentication on every account. For organizations: keep your security policies strong and invest in employee training and in technologies that can detect and prevent these attacks. With your help, we can make the fintech ecosystem safer.
By doing this, each of us can do our part in preventing the headaches social engineering can cause for our financial systems. So be careful out there and keep yourself safe!
About the Author
Harsh Daiya is a seasoned Engineer at a leading Fintech company with over a decade of experience in payments, fraud prevention, risk management, and compliance. He holds a Master's degree in Management of Information Systems from the University of Nebraska. Dedicated to ensuring safe and seamless financial transactions online, Harsh leverages cutting-edge tools to develop secure platforms for commerce. He is adept at modern data processing and scaling, and is skilled in building high-growth teams. Harsh is also an advisor and investor in the Fintech space, with extensive experience working on products that scale to millions of users and risk solutions that monitor millions of dollars in payment volume. His extensive experience in risk management and fraud prevention, combined with his expertise in artificial intelligence, positions him as a pioneering voice in the future of financial technology. He shares his expertise through tech blogs on harshdaiya.com and also writes on Medium. In his latest book, "The Future of Fintech: AI in Risk Management and Fraud Prevention," Harsh delves into the transformative impact of AI on the financial sector, offering invaluable insights and practical strategies for navigating the evolving landscape. When he's not writing or consulting, Harsh enjoys hiking and spending time with family.
About PayPal
PayPal has been revolutionizing commerce globally for more than 25 years. Creating innovative experiences that make moving money, selling, and shopping simple, personalized, and secure, PayPal empowers consumers and businesses in approximately 200 markets to join and thrive in the global economy. For more information, visit https://about.pypl.com
