Fintech helps protect against social engineering, a highly dangerous cyber crime tool

09.06.2020

The key trend of last year and the start of this year in attacks on the financial sector has been social engineering: a combination of psychological manipulation techniques that exploit emotions (fear, trust, greed, the willingness to help others) with technology, used to gain access to a system from the inside, through its legitimate users, rather than by breaking its security controls.

Engineers of the human soul, but malicious ones

According to Kaspersky Fraud Prevention, 2 percent of online sessions in 2019 were fraudulent, and another 16 percent showed signs of malicious activity.
Sixty-three percent of those incidents involved malicious software or remote access tools installed on the victims' devices. Notably, the victims installed these programmes themselves, persuaded by telephone calls from criminals who introduced themselves as bank employees (even as staff of the Bank of Russia) or offered 'profitable investment options'.

Social engineering also covers methods where a worm or a trojan is uploaded to, say, a P2P network under a file name likely to attract a user's attention, so that the user downloads and launches the file themselves.

Apart from customers, social engineering also targets bank employees as a way into the bank's infrastructure. Large companies outside finance face the same attacks, as access to their commercial data can be turned into substantial revenue.

Back in 1984, early in the personal computer era, Professor of Psychology Robert Cialdini described six principles of persuasion in his book Influence: The Psychology of Persuasion. Social engineers exploit every one of them:

  1. Reciprocity (people return a favour; a small gift or concession makes them feel obliged).
  2. Commitment and consistency (people tend to act in line with their earlier commitments and stated beliefs).
  3. Consensus, or social proof (people do what they see the majority doing).
  4. Authority (people defer to those they perceive as experts or figures of authority).
  5. Liking (people find it easy to say yes to people they like).
  6. Scarcity (people want things more when they are scarce or available only for a limited time).

Cybercriminals use a range of techniques. One of them is the infamous phishing, which is far from the most sophisticated. Financial technologies help block many penetration attempts, alongside initiatives that raise cyber security awareness among customers and employees (particularly key employees with privileged access).

Fintech in the service of the light side of the Force

Effective anti-fraud measures include behavioural biometrics, which profiles how a legitimate user types, moves the mouse and navigates the app, so that a session driven by someone else or by a remote access tool stands out and its transactions can be held for review; differentiation of employees' access rights and control over their actions, which prevents leakage of confidential information; and comprehensive protection of the company's internal systems. Another important area is the protection of the mobile apps offered by banks, including checking the device for malware and remote access tools before giving access to the bank account.
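Behavioural biometrics in its simplest form, as an added example (not the page's or vepay.online's code): the user's typing rhythm is profiled at enrolment (how long each key is held, and the gap between releasing one key and pressing the next), and a new session is scored by how far its timings sit from that profile. The timings are synthetic, and the feature set, threshold, minimum session length and the allow/step-up/block labels are all assumptions; a real product uses far richer signals (mouse, touch, navigation) and models. The example also handles the case a simple threshold gets wrong, a session too short to judge, by asking for a second factor instead of guessing.

```python
"""Behavioural biometrics on keystroke timing: a simplified illustration of
profiling a user's typing rhythm and scoring a new session against it.

Added example; not vepay.online code. Timings are synthetic (milliseconds),
and the feature set, threshold and decision labels are assumptions.
"""
import random
import statistics

MIN_KEYSTROKES = 20   # assumed: fewer than this and the session cannot be judged
MAX_MEAN_ABS_Z = 2.5  # assumed: mean |z| above this is treated as not the user


def features(session):
    """session: list of (key_down_ms, key_up_ms) per keystroke, in order.
    Dwell = how long a key is held; flight = gap between releasing one key
    and pressing the next. Both are characteristic of a person's typing."""
    dwell = [up - down for down, up in session]
    flight = [session[i + 1][0] - session[i][1] for i in range(len(session) - 1)]
    return {"dwell": dwell, "flight": flight}


def enrol(sessions):
    """Build the user's profile: mean and standard deviation per feature over
    all enrolment sessions. A zero deviation is floored at 1 ms so that a
    perfectly regular enrolment set cannot divide by zero."""
    profile = {}
    for name in ("dwell", "flight"):
        values = [v for s in sessions for v in features(s)[name]]
        profile[name] = (statistics.mean(values), statistics.pstdev(values) or 1.0)
    return profile


def score_session(profile, session):
    """Return (decision, mean_abs_z). Decisions: 'allow', 'block', or
    'step_up' when the session is too short to judge, in which case the
    bank would ask for a second factor rather than guess."""
    if len(session) < MIN_KEYSTROKES:
        return "step_up", None
    zs = []
    for name, (mu, sigma) in profile.items():
        zs.extend(abs(v - mu) / sigma for v in features(session)[name])
    mean_abs_z = sum(zs) / len(zs)
    return ("block" if mean_abs_z > MAX_MEAN_ABS_Z else "allow"), mean_abs_z


def synthetic_session(rng, n, dwell=(95, 20), flight=(150, 40)):
    """Constructed human-like session: Gaussian dwell and flight times."""
    t, session = 0.0, []
    for _ in range(n):
        d = max(1.0, rng.gauss(*dwell))
        session.append((t, t + d))
        t += d + max(0.0, rng.gauss(*flight))
    return session


def scripted_session(n, dwell_ms=5.0):
    """Constructed session as a remote access tool or paste injects it:
    uniform, very short dwell and no flight time between keys."""
    return [(i * dwell_ms, (i + 1) * dwell_ms) for i in range(n)]


def run_demo():
    """Enrol on five constructed sessions, then score three new ones."""
    rng = random.Random(2020)
    profile = enrol([synthetic_session(rng, 80) for _ in range(5)])
    return {
        "legit": score_session(profile, synthetic_session(rng, 60))[0],
        "scripted": score_session(profile, scripted_session(40))[0],
        "short": score_session(profile, synthetic_session(rng, 8))[0],
    }


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:9} -> {decision}")
```

The scripted session scores a mean |z| of roughly 4 against a human profile (dwell about 4.5 standard deviations too short, flight about 3.75 too short) and is blocked, while a session drawn from the same distribution as the enrolment data scores well under 1 and is allowed. The decision is deliberately per session rather than per keystroke: a single odd keystroke is noise, a whole session of them is a different operator.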

Protection can also be strengthened by defining permitted procedures for data handling and online activity and alerting on any deviation from them, so that IT or security staff can step in to prevent a leak or detect malware.

Another effective solution is to restrict the rights to access, copy, download or update information. Such rights should be granted only to employees whose duties cannot be fulfilled without the data in question, and revoked when those duties change.

Differentiated access levels

A blanket ban on the use of removable storage devices is a good option, too. It can hardly be called a fintech solution, but here we are talking about security in general.
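The three controls above (permitted procedures that raise an alarm when violated, access rights limited to what a role needs, and a removable-media ban) reduce to a small rule set run over the audit log. Below is an added example, not vepay.online's code, that evaluates such rules over a constructed log. The log format, field names, role and resource names, mount-point prefixes and the bulk-download threshold are all assumptions.

```python
"""Alerts on violations of defined handling procedures, least-privilege rules
and a removable-media ban, evaluated over a constructed audit log.

Added example; not vepay.online code. The log format, field names, role
names, resource names and thresholds below are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Least privilege: each role is allowed only the (action, resource) pairs its
# duties require. Anything not listed is denied and raises an alert.
ROLE_PERMISSIONS = {
    "teller": {("read", "customer_profile"), ("update", "customer_profile")},
    "analyst": {("read", "transactions"), ("download", "transactions")},
    "support": {("read", "customer_profile")},
}

BULK_DOWNLOAD_LIMIT = 500  # records per user before a bulk-download alert (assumed)
REMOVABLE_MEDIA_PREFIXES = ("/media/", "/Volumes/", "E:/")  # assumed mount points


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict (constructed format)."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["timestamp"] = timestamp
    event["records"] = int(event.get("records", 0))
    return event


def check_event(event, download_totals):
    """Return the alerts raised by one event. download_totals is mutated to
    keep a running per-user count of downloaded records."""
    alerts = []
    user, role = event["user"], event["role"]
    action, resource = event["action"], event["resource"]

    # Rule 1: the action must be within the role's permitted set.
    if (action, resource) not in ROLE_PERMISSIONS.get(role, set()):
        alerts.append(Alert(user, "least_privilege",
                            f"{role} is not permitted to {action} {resource}"))

    # Rule 2: bulk downloads. Counted even when the action was not permitted,
    # because the log records attempts and a denied attempt is still a signal.
    if action == "download":
        download_totals[user] += event["records"]
        if download_totals[user] > BULK_DOWNLOAD_LIMIT:
            alerts.append(Alert(user, "bulk_download",
                                f"{download_totals[user]} records so far"))

    # Rule 3: blanket removable-media ban on any copy or download target.
    path = event.get("path", "")
    if action in ("copy", "download") and path.startswith(REMOVABLE_MEDIA_PREFIXES):
        alerts.append(Alert(user, "removable_media", path))

    return alerts


def scan_log(lines):
    """Run every rule over an audit log and return the alerts in log order."""
    download_totals = defaultdict(int)
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse_line(line), download_totals))
    return alerts


def alerts_by_rule(alerts):
    """Summarise alerts as {rule: count}."""
    summary = defaultdict(int)
    for alert in alerts:
        summary[alert.rule] += 1
    return dict(summary)


# Constructed sample log: not real data.
SAMPLE_LOG = """
2020-06-09T09:00:00 user=alice role=teller action=read resource=customer_profile
2020-06-09T09:05:00 user=bob role=support action=update resource=customer_profile
2020-06-09T09:10:00 user=carol role=analyst action=download resource=transactions records=300 path=/home/carol/q1.csv
2020-06-09T09:12:00 user=carol role=analyst action=download resource=transactions records=300 path=/home/carol/q2.csv
2020-06-09T09:15:00 user=carol role=analyst action=copy resource=transactions path=/media/usb/all.csv
2020-06-09T09:20:00 user=dave role=teller action=download resource=transactions records=10 path=/Volumes/USB/export.csv
""".strip().splitlines()


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.rule:16} {alert.user:6} {alert.detail}")
```

On the sample log the first line is clean; the support user updating a profile, the analyst's second download pushing the running total over the limit, the copy to a USB mount and the teller's download to a USB volume each raise alerts, six in total. The bulk-download rule keeps its counter per user across the whole log rather than per event, since the leak that matters is the one split into many small exports.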

It is also useful to restrict employees' access to email, Skype, Zoom, various messengers and Internet Relay Chat (IRC), or at least to limit them to approved and monitored channels, as criminals often use these channels to make first contact and deliver social engineering lures.

Penetration tests (pen tests) are also increasingly carried out with fintech tools. Their purpose is to use a wide range of data collection and analysis tools to identify the company's behavioural vulnerabilities, and the results feed recommendations on plugging the holes in the information security system. A pen test imitates a real attack, but it is carried out without malicious intent and for the opposite purpose: to eliminate vulnerabilities, not to identify the most credulous employees and punish them. It is not about punishment or sanctions.
