Cybercriminals are always looking for new ways to gain access to client information, and one such technique is called ‘social engineering’. This approach targets human emotions, which means that how individuals think and act can determine whether these attacks succeed.
Social engineering uses manipulation to trick people into making security mistakes or giving away sensitive information. The main skill required to overcome its deceptive tactics is vigilance. By staying aware and informed, employees can help protect your company and clients while individuals can help protect themselves and their families.
Scams to watch out for
Social engineering scams can come in many different forms using many different mediums. The most common types include:
- Phishing – scam email with fake offers, instructions, and links
- Lookalike websites – creating realistic-looking copies of legitimate websites
- Domain spoofing – faking website names or email domains
- Smishing – phishing using SMS/text messages or social messaging apps
- Vishing – phishing using voice (such as phone calls)
- QRishing – phishing using QR codes which link to scam websites or apps
Some of the most convincing methods involve impersonation of either trusted brands or individuals:
- Impersonation attempts – to make their requests seem more believable, scammers will often impersonate known individuals such as famous people or known contacts to endorse their requests. For example, scam messages delivered via WhatsApp may include legitimate names and pictures to make them look convincing, but are in fact fraudulent.
- Fake authentication requests – scammers also impersonate trusted brands, like Microsoft, to encourage the individual to accept authentication requests (like the one shown below) or share one-time passcodes. Of course, employees and clients should never share passwords or passcodes with anyone and never approve an authentication request they did not initiate.

Think the Four S’s
When receiving unsolicited communications, we recommend that employees and clients think about the Four S’s:
1. Sender anomalies
Scammers may use a domain or a sender’s name that is similar to a legitimate, known entity (such as Microsoft) but subtly different. Employees and clients should always check the sender’s contact details carefully. A fraudster may swap letters or numbers in an address to create a lookalike, for instance “amaz0n” instead of “amazon”.
2. Suspicious contact
Individuals should exercise caution when contacted by unfamiliar sources. In addition, they should validate urgent requests, including from internal contacts, before acting.
3. Suspect links
Employees and clients should be particularly wary of links and attachments in emails, as they can lead to malicious sites or install malware on devices. A link in an email may look perfectly valid but should always be checked: hovering the cursor over the link reveals its true destination. If in doubt, contact the sender.
4. Sense of urgency
Emotive language or an imminent deadline intended to pressure the recipient into acting quickly is also a tell-tale sign that the sender is unlikely to be genuine. Employees and clients should check and verify before they act, taking time to investigate, and try to avoid feeling rushed into doing something they know they shouldn’t.
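As an added example (not part of Fidelity’s article), the following Python script automates two of the Four S’s checks above: it flags a sender domain that becomes a trusted one once the digit-for-letter swaps described under Sender anomalies are undone, and it lists links whose visible text names a different host from the real href, which is what hovering over a link reveals. The trusted-domain list and the sample message are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed allow-list for this example; a firm would use its own known senders.
TRUSTED_DOMAINS = {"microsoft.com", "amazon.com", "fidelity.co.uk"}
# Digit-for-letter swaps seen in lookalike domains, e.g. "amaz0n" for "amazon".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalise(domain: str) -> str:
    """Lower-case, map digit look-alikes back to letters and fold 'rn' into 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Support <help@amaz0n.com>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted itself but normalises to a trusted one."""
    return domain.lower() not in TRUSTED_DOMAINS and normalise(domain) in TRUSTED_DOMAINS

def host_of(url: str) -> str:
    """Host of a URL or bare domain; '' when the text is not URL-like."""
    m = re.match(r"(?:https?://)?([\w.-]+)", url.strip())
    return m.group(1).lower() if m else ""

class LinkCollector(HTMLParser):  # gathers (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html: str) -> list:
    """Links whose visible text names a host different from the real href host."""
    p = LinkCollector(); p.feed(html)
    return [(t, h) for t, h in p.links if "." in host_of(t) and host_of(t) != host_of(h)]

def triage(from_header: str, html: str) -> dict:
    """Run both checks on one message and report the findings."""
    return {"lookalike_sender": is_lookalike(sender_domain(from_header)),
            "mismatched_links": mismatched_links(html)}
```

A message that trips either check is a candidate for the "report suspicious emails" step below, not for a click.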
Actions to help fight fraud
If someone doesn’t fall for the bait, the scam won’t succeed. As such, we recommend your employees follow these tips to help fight fraud:
- Report suspicious emails: it should not be assumed a message is genuine because the email sender appears familiar.
- Protect passwords and PINs: ensure accounts and apps are protected by adding Multi-Factor Authentication (MFA) wherever possible. Individuals should never give away, share or re-use passwords, PINs or one-time codes.
For more tips on how to protect your business from cyber threats, visit our dedicated cybersecurity hub.
How we protect you and your clients
We understand the importance of keeping your firm’s and your clients’ information safe and secure. We use proven, industry-recognised security tools and processes to protect against fraud and security breaches and we regularly upgrade this protection in response to advances in security threats.
Fidelity is a member of Cifas, the UK’s fraud prevention agency, which works closely with law enforcement partners. Cifas Protective Registration is a fraud protection scheme that helps us protect your clients should they be at risk of fraud.
If you have any concerns about security, please call us as soon as possible on 0800 358 7717.
Issued by Financial Administration Services Limited, authorised and regulated by the Financial Conduct Authority. Fidelity, Fidelity International, the Fidelity International logo and F symbol are trademarks of FIL Limited. UKM0925/415093/SSO/0926