Fraud Alert – Social Engineering
A number of banking customers in Ireland have fallen prey to frauds that involve various forms of social engineering – where the information required is garnered from a person rather than breaking into a system.
Key Details – how does the scam work?
- Phone Fraud Scam
  - Some businesses and individuals have fallen victim to a sophisticated phone scam. The fraudster uses an invented scenario to engage a targeted victim in a manner that increases the chance that the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
  - An elaborate lie, it most often involves some prior research to establish legitimacy in the mind of the target.
  - During the course of a phone call or series of calls, the fraudsters obtain enough information to take control of the victim’s bank account, including full details of the online banking passwords.
- Email Account Hacked
  - Personal email accounts of some customers (particularly company directors and individuals of high net worth) are being compromised, in many cases as a result of the individual responding to a phishing email.
  - Having gained unlawful access to the company director’s email account, the hacker will familiarise themselves with their email correspondence.
  - The hacker will then issue emails from this account, posing as the company director, providing an excuse as to why all contact with him must be by email (e.g. “I’m boarding a plane and will be out of reach”).
  - The hacker may then either:
    - Contact the bank pretending to be the company director, and instruct that a payment be made to a fraudulent beneficiary account.
    - Contact a colleague in the company’s finance department (e.g. financial controller) instructing the issuance of a high value payment to a fraudulent beneficiary.
Action
- Attempts to ‘socially engineer’ staff into divulging sensitive data, whether this is banking data or some kind of client data, must be recognised by the recipient for what it is – criminal activity.
- In order to recognise such situations, all inbound calls/emails that seek any kind of sensitive information (banking data, transaction data, customer records etc.) or payment instructions should be treated as potentially suspect.
- Where a staff member receives payment instructions via email, enhanced checking procedures should be implemented at all times, e.g. call-backs must be made to ensure that customer emails have not been hacked. No customer information should be disclosed via email and payment instructions should only be processed in accordance with existing procedures.
- Businesses should adopt robust identification processes and ensure that all calls/emails from strangers who are seeking potentially sensitive information of any kind are handled with appropriate caution, and that all instances of suspect calls are reported to management and to the Gardaí/Police.
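The call-back control described above can be made mechanical rather than left to individual judgement. The following Python script is an added illustration, not BPFI material or any member bank's system: it gates an emailed payment instruction on a call-back made to the contact number already held on the customer record, never to a number supplied in the email itself, and separately flags the warning signs named in this alert (an excuse for avoiding voice contact, a beneficiary account never paid before) so they can be reported to management. The customer records, phone numbers, IBANs and email text are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (not real customers): contact details held on file
# before any instruction arrived. These are the ONLY numbers a call-back may use.
CONTACT_ON_RECORD = {
    "acme-ltd": "+353-1-555-0100",
}

# Constructed sample: beneficiary accounts this customer has paid before.
KNOWN_BENEFICIARIES = {
    "acme-ltd": {"IE00EXAMPLE0000000001"},
}

# Wording that steers the recipient away from a voice check, as in the alert's
# example ("I'm boarding a plane and will be out of reach").
AVOID_CALL_PHRASES = (
    "boarding a plane",
    "out of reach",
    "cannot take calls",
    "email only",
    "do not call",
)


@dataclass
class EmailedInstruction:
    customer_id: str
    amount_eur: float
    beneficiary_iban: str
    body: str
    # A number the email itself asks staff to ring back on; if the mailbox is
    # hacked this number is attacker-controlled, so it must never be used.
    callback_number_in_email: Optional[str] = None


@dataclass
class Decision:
    process: bool
    flags: List[str] = field(default_factory=list)


def callback_number_for(customer_id: str) -> Optional[str]:
    """Number to dial for a call-back: from the customer record, never from the email."""
    return CONTACT_ON_RECORD.get(customer_id)


def assess_instruction(instr: EmailedInstruction, confirmed_on_number: Optional[str]) -> Decision:
    """Gate an emailed payment instruction.

    confirmed_on_number is the number staff actually dialled and on which the
    customer confirmed the payment, or None if no call-back was made.
    The instruction may proceed only when that number is the one on record.
    Every other observation is a flag to report, whether or not processing proceeds.
    """
    flags: List[str] = []
    on_record = callback_number_for(instr.customer_id)

    if on_record is None:
        flags.append("no contact number on record; instruction cannot be verified")
    if confirmed_on_number is None:
        flags.append("no call-back performed")
    elif confirmed_on_number != on_record:
        flags.append("call-back made to a number not on record")

    if instr.callback_number_in_email and instr.callback_number_in_email != on_record:
        flags.append("email supplies a contact number that differs from the record")

    body = instr.body.lower()
    hits = [p for p in AVOID_CALL_PHRASES if p in body]
    if hits:
        flags.append("email discourages voice contact: " + ", ".join(hits))

    if instr.beneficiary_iban not in KNOWN_BENEFICIARIES.get(instr.customer_id, set()):
        flags.append("beneficiary account never paid before by this customer")

    # The only condition that releases the payment: confirmed on the on-record number.
    process = on_record is not None and confirmed_on_number == on_record
    return Decision(process=process, flags=flags)


if __name__ == "__main__":
    sample = EmailedInstruction(
        customer_id="acme-ltd",
        amount_eur=48500.00,
        beneficiary_iban="IE00EXAMPLE0000000099",
        body="I'm boarding a plane and will be out of reach. Please pay this today; email only.",
        callback_number_in_email="+353-1-555-0999",
    )
    for dialled in (None, "+353-1-555-0999", "+353-1-555-0100"):
        d = assess_instruction(sample, dialled)
        print(f"dialled={dialled!r} process={d.process} flags={d.flags}")
```

The design point is that a call-back to the number printed in the suspect email proves nothing, since a hacked mailbox can carry any number; only the record held before the email arrived is trusted. The flags are deliberately kept separate from the processing decision so that a payment confirmed on the right number is still reported when it goes to a new beneficiary or arrives with an excuse for avoiding the phone.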
Always remember: Your bank will never send you an e-mail requesting your bank security details.
This is a general notice issued by the Financial Crime and Security Department of the BPFI on Behalf of BPFI members.
*Social Engineering in this context means techniques of manipulating people to obtain information (via email or phone calls) or retrieving information from social networks for the purpose of fraud.
Disclaimer Note: The information contained in this alert notice is for general guidance and information purposes only and is intended to enhance awareness and vigilance regarding this type of fraud.