
Social Engineering: Deception that Leads to Fraud

Written by Nathan Schofield | July 21, 2025

Nathan Schofield is a Senior Analyst I at AML RightSource. We encourage our team members to share their insights and expertise by contributing to our content library.

 

Fraud and Social Engineering

Fraud harms its victims through deception, often involving the improper disclosure of private information, and results in losses to them. Social Engineering is a type of fraud where the perpetrator uses deception through a scam scenario, often involving a false sense of urgency, to exploit the victim’s trust. Interpol defines Social Engineering as “a broad term that refers to the scams used by criminals to exploit a person’s trust to obtain money directly or obtain confidential information to enable a subsequent crime.”[i]

How Social Engineering Works

Both individuals and businesses can fall victim to Social Engineering scams, often after contact with scammers via social media, phone, text, or email. With the increased usage of internet-based business services, many interactions involve no in-person contact, making it easier for a scammer to deceive victims into believing the scammer is a representative of a business.

The perpetrator of the scam will often impersonate an individual or business with whom the victim has a trusted relationship. Through deception, the scammer will gain the victim's trust and coerce them to follow through on urgent action, such as purchasing property or resolving a security alert on a bank account. Once the victim takes the requested actions, the victim's funds and private information are then diverted to the scammer. Victims may be contacted through fraudulent emails, phone calls, or text messages. When a victim discloses personal information to a scammer through these means, they may also open themselves up to account takeover or identity theft.

Types of Social Engineering Scams

There are several types of Social Engineering scams that individuals may fall victim to. The most common include Business Email Compromise, Investment, and Imposter scams. In 2024 alone, the FBI received over 193,407 phishing and spoofing complaints, and Business Email Compromise (also known as BEC) scams caused $2.8 billion in losses[ii].

  • Business Email Compromise: This scam happens when a scammer spoofs an email address used by a business and impersonates a company to steal funds from a victim[iii]. Although BEC initially targets businesses to initiate the compromise, individuals are often the ultimate target of the scam. Scammers may spoof the business email address or website, send emails to make victims believe they are communicating with a trusted sender, and deceive the victim into giving information and funds to them.
  • Investment Scams: This scam happens when a scammer lures a victim through the promise of low- and no-risk investments that are found to be non-existent[iv]. The scammer will first attempt to build a victim's trust over a period of time, resulting in the victim opening an investment account and moving and investing funds. When the victim is ready to withdraw their earnings, they will almost always find that their investment account is frozen, and they will have to pay additional funds (often disguised as taxes or fees) to unlock the account.
  • Imposter Scams: These scams happen when a scammer impersonating an employee of a business contacts a victim through social media or by phone to persuade the victim to pay the scammer[v]. They often involve scammers impersonating banking and support employees: the scammer contacts the victim about a fabricated “issue” that has supposedly restricted the customer's account and tells them to transfer funds to the scammer to “fix” the issue and regain access to their account.

What to Look for in a Fraud Review

An analyst working on a fraud engagement should know what to look for to identify a Social Engineering Scam. At first glance, a customer's account may have generated an alert due to an out-of-character or failed wire, Automated Clearing House (ACH), or Peer-to-Peer transfer. The analyst should also look for contact from the customer, especially a request that a transaction be cancelled. Often, customers will contact the bank once they realize they are the victim of a scam and have already transferred funds to a scammer. Probing questions should be asked to determine the customer's relationship to the scammer, whether they were acting at the direction of a third party, and what scam scenario the customer was involved in. Analysts should also check the login activity for the customer's account to see if a third party has accessed the account and if there are failed logins or logins from outside the customer's geographic region.
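The review checklist above can be run as a first pass over an account's event history. This is an added example, not code from the article or from AML RightSource; the event fields, the region codes, the 5x-median rule for "out-of-character", and the failed-login limit are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample events for one customer (not real data; "XX-01" is a placeholder region).
EVENTS = [
    {"ts": "2025-03-01T09:12", "kind": "transfer", "rail": "ACH", "amount": 120.0, "status": "settled"},
    {"ts": "2025-03-08T10:02", "kind": "transfer", "rail": "P2P", "amount": 45.0, "status": "settled"},
    {"ts": "2025-03-15T09:40", "kind": "transfer", "rail": "ACH", "amount": 150.0, "status": "settled"},
    {"ts": "2025-03-20T02:11", "kind": "login", "region": "US-OH", "ok": False},
    {"ts": "2025-03-20T02:12", "kind": "login", "region": "US-OH", "ok": False},
    {"ts": "2025-03-20T02:15", "kind": "login", "region": "XX-01", "ok": True},
    {"ts": "2025-03-20T02:31", "kind": "transfer", "rail": "wire", "amount": 9800.0, "status": "settled"},
    {"ts": "2025-03-20T02:40", "kind": "transfer", "rail": "wire", "amount": 4000.0, "status": "failed"},
    {"ts": "2025-03-21T08:05", "kind": "contact", "note": "Customer asks to cancel wire; says bank 'support' told her to send it"},
]

def review_account(events, home_region, ratio=5.0, failed_login_limit=2):
    """Return (timestamp, flag) pairs for the red flags named in the paragraph above."""
    flags, history, failed = [], [], 0
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "login":
            # Any login attempt from outside the customer's usual region is worth a look.
            if e["region"] != home_region:
                flags.append((e["ts"], "login_outside_home_region"))
            # Count consecutive failures; a success resets the streak.
            failed = 0 if e["ok"] else failed + 1
            if failed == failed_login_limit:
                flags.append((e["ts"], "repeated_failed_logins"))
        elif e["kind"] == "transfer":
            if e["status"] == "failed":
                flags.append((e["ts"], "failed_transfer"))
            # Assumed rule: "out of character" = far above the median of earlier settled transfers.
            elif len(history) >= 3 and e["amount"] > ratio * median(history):
                flags.append((e["ts"], "out_of_character_transfer"))
            if e["status"] == "settled":
                history.append(e["amount"])
        elif e["kind"] == "contact" and "cancel" in e["note"].lower():
            flags.append((e["ts"], "customer_cancellation_request"))
    return flags

if __name__ == "__main__":
    for ts, flag in review_account(EVENTS, home_region="US-OH"):
        print(ts, flag)
```

The flags only prioritize the case; the probing questions about third-party direction and the scam scenario still have to be asked of the customer.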

Conclusion

Although Social Engineering is a threat affecting both businesses and individuals, these scams can be mitigated or stopped with proper awareness. Individuals and companies should be aware of what constitutes Social Engineering and make sure they are cautious when communicating with outside parties about sensitive personal and financial information. Analysts reviewing fraud cases should be aware of red flags and types of social engineering scams to accurately identify, mitigate, and report these occurrences. If an individual or business has fallen victim to a social engineering scam, they should contact their local law enforcement, and they can also file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

 

[i] Social Engineering Scams (https://www.interpol.int/en/Crimes/Financial-crime/Social-engineering-scams)

[ii] FBI’s IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years (https://www.nacha.org/news/fbis-ic3-finds-almost-85-billion-lost-business-email-compromise-last-three-years)

[iii] Business Email Compromise (https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise)

[iv] Investment Fraud (https://www.ic3.gov/CrimeInfo/Investment)

[v] How To Avoid Imposter Scams (https://consumer.ftc.gov/features/how-avoid-imposter-scams#types)