Social Engineering's Role in Cyber Fraud - And What We Are Doing About It
Cyber fraud doesn't stand still - and neither does The Intelligence Network, as we work to prevent it.
As outlined in our Vision for Tackling Cyber Fraud last year, social engineering - a prime example of industrialized criminal deception - is leaving modern society vulnerable in two separate ways. Principally, it allows criminals to execute fraud. But it also indirectly sustains fraud, by enabling cyber attackers to steal data.
So The Intelligence Network, an independent coalition of over 2,000 members from across the cyber and fraud professions and beyond, is currently working hard to find new ways to disrupt social engineering mechanisms.
From the work conducted by The Intelligence Network so far, we know that it's too easy for criminals to establish the false trust necessary to deceive individuals. But we also know this problem can be addressed if organizations and individuals are able to swiftly (and legitimately) prove who they are.
In the current state, businesses and wider society are preoccupied with training individuals to make what are ultimately near-impossible judgement calls. And that means it's often been harder to tackle social engineering than it needs to be.
The Intelligence Network wants to change that. And, with the team from BAE Systems driving progress, we're building a framework of activity around reducing the opportunities criminals have to gain false trust.
Perspectives from across the cyber fraud lifecycle
We have brought together professionals from banking and insurance, law enforcement, and private sector backgrounds to better understand how we can start making social engineering tactics harder for the perpetrators. In doing so, we have identified four key themes that the cyber and fraud communities must look to address:
1. Verified identity - the ability for an individual to verify the identity of an organization over digital channels is central to reducing our vulnerability to cyber fraud. This needs to be very simple to understand and low effort if it is to have an impact for the mass of consumers.
2. Norms and consistency - while some organizations can unilaterally change the expectations for their security (e.g. the HM Revenue and Customs commitments on the use of email), most cannot set norms and expectations in isolation. And while different practices prevail, fraudsters can use the differences to induce individuals to operate insecurely. We need to work towards consistent norms and good practice across financial services and other industry sectors.
3. Customer experience and friction - a major reason that the security of customer interactions is not improved further is the friction that security usually introduces into customer experience. Best practice currently constitutes trade-offs within the constraints of the possible. To improve security further we need to identify and develop practices and technologies that enable further improvements in security without increased friction.
4. Takedowns - while police prosecute where they can, most fraud control concentrates on blocking transactions and dealing with the impact. A more robust response from society to cyber fraud would also include the systematic collection of intelligence from financial institutions and victims and the use of this intelligence to disrupt fraud organizations, including freezing accounts and the takedown of digital infrastructure and other elements of their operations.
Key to improving this situation is collaboration within and between industry sectors with an interest in reducing the prevalence and impact of cyber fraud.
These themes will be taken forward by the Tackling Cyber Fraud project within The Intelligence Network. This project is currently working towards a full assessment of the risk of false trust, an exploration of the potential for two-way authentication, and a best practice guide considering the value of social engineering to those conducting cyber fraud. Please do reach out if you'd like to find out more.
- Learn more about our Vision for Tackling Cyber Fraud
- Become a member of The Intelligence Network
- Get in touch to influence the next steps of our social engineering work stream