Under false identities, fraudsters attempt to manipulate individuals with extraordinary promises of new funding, urgent requests to visit their site to unlock a bank account, or aggressive demands for payment of bills from unknown agencies.
Fraudsters may target any employee of your organization. In the course of their duties, some of your employees are frequently asked to communicate, by telephone or e-mail, information about your organization with customers, suppliers and, for some employees, with government and financial institutions and colleagues.
Fraudsters can pretend to be one of these parties. By using pressure tactics such as urgency or threats of sanctions, or simply by exploiting naivety, fear or charm, fraudsters can induce employees to hand over information, often confidential, or to take actions that facilitate access to this information.
SOCIAL ENGINEERING FRAUD TECHNIQUES COMMONLY USED IN ORGANIZATIONS
Pretext
The fraudster develops a scenario designed to generate a sense of pressure or urgency to invite the potential victim to share confidential information. For example, you are informed that the organization’s bank account information has been compromised. To continue accessing the online account, you need to update the information quickly.
Employees may fear losing this online access when they have urgent payments to make.
Phishing and smishing (by text message)
Random e-mails are sent to various employees to encourage them to provide confidential information about your organization. For example, an employee might receive an e-mail apparently from one of the organization’s stakeholders, asking him or her to click on the link contained in the e-mail to update information.
The employee may not realize that this link has redirected him or her to a web page that imitates that of the organization’s supplier, and may, unsuspectingly, enter the requested information there.
President’s fraud
Using a legitimate-looking e-mail, the fraudster pretends to be the organization’s president or a member of senior management. He asks an employee to make a bank transfer to complete a highly confidential and urgent transaction. To facilitate the collaboration of this employee, the e-mail may mention that he or she has been chosen for his or her discretion and the trust the organization places in him or her.
With this urgent request apparently coming directly from the President, the employee may skip the control procedures and make the payment.
TOOLS TO PROTECT YOUR ORGANIZATION’S EMPLOYEES
Here are some essential tools to protect you against social engineering:
- Check the sender’s e-mail address to make sure the message comes from a legitimate source. If in doubt, call the sender directly. In the case of President’s fraud, the e-mail address will contain an extra or different letter or number.
- Examine the link contained in an e-mail by placing the mouse cursor over it before clicking. The domain of this link must be consistent with the service provider or other stakeholders in the organization.
- Watch for signs of manipulation, such as urgency, threats of sanctions, misspellings and the language of communication. This can help you distinguish the real from the fake.
- Check the accuracy of the information before clicking on the access link in an e-mail from a financial institution indicating that a bank statement is available. This link could lead you to a fraudulent site. We recommend that you go directly to the institution’s website.
- If the person you’re speaking to asks for confidential information about the organization, tell them you’ll call them back later. Dial the number you’ll find directly on the institution’s or company’s legitimate website. Fraudsters can change the telephone number displayed on the caller ID.
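The first two checks in the list above (a sender address that differs from a legitimate one by a single extra or different character, and a link whose visible text does not match where it actually points) can also be run automatically at the mail gateway or in a helpdesk triage script. The following is an added example, not part of the original article and not a tool from its author; the trusted-domain list, the hypothetical `ourcompany.com` / `example-bank.com` names and the sample message are all constructed for illustration.

```python
"""Flag lookalike sender domains and mismatched links in an e-mail.

Added example (constructed data): the trusted domains and the sample
message below are hypothetical and exist only to exercise the checks.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"ourcompany.com", "example-bank.com", "acme-supplier.com"}


def edit_distance(a, b):
    """Levenshtein distance: count of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """'trusted' (allow-listed or a subdomain of one), 'lookalike' (exactly one
    character away from a trusted domain, i.e. an extra or different letter or
    digit), or 'unknown'."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    if any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return the sender-domain verdict and every link worth a second look."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # Domain-looking string in the visible link text, if any (e.g. "www.example-bank.com/...").
        m = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
        shown = m.group(0) if m else None
        text_mismatch = bool(shown) and shown != host and not host.endswith("." + shown)
        status = classify_domain(host)
        if text_mismatch or status != "trusted":
            findings.append({"text": text, "host": host, "status": status, "text_mismatch": text_mismatch})
    return {"sender_domain": sender_domain, "sender_status": classify_domain(sender_domain),
            "link_findings": findings}


# Constructed sample: a digit zero replaces the letter o in the sender domain, and the
# link text shows the bank's address while the href points somewhere else entirely.
SAMPLE_MESSAGE = """From: "Finance Director" <director@ourc0mpany.com>
To: accounts@ourcompany.com
Subject: Urgent confidential transfer
Content-Type: text/html

<p>Please confirm the transfer via <a href="http://example-bank.com.statements-login.example/">www.example-bank.com/statements</a></p>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```

Run on the sample, the sender domain is reported as `lookalike` and the single link is reported with `text_mismatch` set, because the host it really points to is `example-bank.com.statements-login.example`, not the bank's domain. The one-character threshold deliberately mirrors the article's "extra or different letter or number"; a production filter would also compare against confusable characters (rn/m, l/1) and the organisation's full partner list.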
Social engineering can cost an organization dearly, and can even damage its reputation. Training your employees will always be the essential tool for guarding against this kind of manipulation.
For other prevention tools or if you have any questions, we’re here to help! Write to us!