In a world in which bad news dominates, social engineering scams that carry a promise of good news can be incredibly lucrative for cyber criminals.

In one recent example, fraudsters set up a phony job posting using a real recruiter as the contact person for the hiring process. Applicants hoping for a chance at the too-good-to-be-true position were instead talking with a fake email address. About 100 people applied, with many submitting very personal and private information.

The LinkedIn scam is just one of many in a long line of never-ending social engineering examples that exploit our human desire for good news. And because these campaigns are successful, we will continue to see them spread for years to come.

These scams seem to work well on the general public, but surely they can’t be as lucrative in the enterprise setting. Or can they? Why do we keep falling for them? What can businesses and agencies do to level up their social engineering prevention game?

Frank Abagnale, the subject of the film “Catch Me If You Can” and author of “Scam Me If You Can,” has been working with the FBI for more than 40 years assisting with forgery and fraud investigations. Abagnale, one of the pioneers of social engineering scams, has seen it all and understands the psychology behind the scams.

Who is susceptible to social engineering?

According to Abagnale, the success rate of scams on the general public and on the enterprise is just about equal.

“Remember, I used social engineering almost fifty years ago when I called Pan Am’s corporate headquarters and asked to speak to someone in purchasing,” he says. “I gave them a phony name and said I was a pilot based out of San Francisco. ‘I was on an overnight and due to fly back today. I sent my uniform out through the dry cleaner and now the hotel and the cleaner tell me they can’t find my uniform,’ I said.

“The purchasing agent said that I was responsible for the cost of the uniform. I told him I understood that. He then told me the name of the uniform company in Manhattan, gave me their address and told me that he would call ahead to let them know I was coming. To top it off, the uniform company said they would bill it back to Pan Am under uniform allowance and asked me for my employee ID number. When he handed me the form, there were boxes with the exact amount of numbers needed to make up the employee ID number. So I made it up.”

At the time, Abagnale had no idea what social engineering was; it didn’t occur to him that he was socially engineering anyone.

From phone scams to email scams

Fifty years ago, the only way to scam a company by talking your way in was the landline telephone. Today, we have the internet, text messages, emails, social media and more.

What if you’ve already fallen victim to social engineering or another type of scam at the office or at home? Don’t feel bad. Regardless of pretty much any demographic you can think of, we are all susceptible to scams.

“When I finished writing ‘Scam Me If You Can’, I realized that millennials are scammed more often than seniors, but seniors lose more money because they have more money,” Abagnale says. “I truly believe that anyone can be scammed, including me. Some of the most intelligent people in the world get scammed every day. If you are scammed, this is nothing to be embarrassed about, but it is important that you tell someone, whether it be law enforcement, a loved one or a friend.”

Which scams work best?

Let’s return to the LinkedIn job scam. The promise of something exciting awaiting on the other side can be incredibly enticing to anyone who needs a jolt of positivity. (So, probably all of us.) But according to Abagnale, it isn’t only social engineering that plays on good news that works on our psyches. Prevailing negative emotions can prove equally effective at provoking action, even when our instincts are skeptical.

A notable tactic for scam artists is that they follow the headlines, Abagnale explains. Whether it’s the pandemic, vaccines or unemployment, fraudsters will create scams based upon the news.

Inside ‘the ether’

The psychology behind the scam is fascinating, and critical to unraveling how we fall for them.

“Scam artists put individuals under what I call ‘the ether’,” Abagnale says. “Ether is a condition of trust and even infatuation with what is being presented to the victim. Getting a victim under the ether is crucial to all cons, no matter where or how they are perpetrated. The heightened emotional state makes it hard for the victim to think clearly or make rational decisions. To get their victims under the ether, fraudsters hit their fear, panic and urgency buttons.”

According to Abagnale, the best con artists know how to use a comforting and confident tone of voice. That ushers people under the ether, preying on vulnerabilities. The scam artists seduce their victims into revealing personal information.

“The effect can almost be hypnotic,” he says. “A good conman keeps the victim up in the altitude of the ether, because once they drop into the valley of logic, the conman loses them. To introduce the ether, the con artist asks questions that trigger emotional responses. Once a con identifies your triggers (good news or bad news), he uses them as part of the pitch to drive you to a heightened emotional state. The questions he asks help him create a target profile that contains information he can use in follow-up calls, to keep you under the ether until you seal the deal.”

Be more skeptical

With scam after scam, victims keep making the same mistakes. The signs are there, but somehow we ignore them. Worse, technology allows fraudsters to make their social engineering scams appear even more legitimate.

Abagnale says that in every scam, no matter how sophisticated or how amateur, two red flags stand out.

The first occurs when the social engineering trickster asks you for money, but you must act immediately. They’ll ask for your credit card number or your bank account number. They might even request you stay on the call with them while you purchase a prepaid credit card and read the number on the back.

The second red flag is when the fraudster asks for information. This might be your banking info, social security number or date of birth.
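The two red flags above are simple enough to turn into a triage check that a help desk or security team could run over reported messages. The following is an added example, not code from the article or from Abagnale: it looks for Abagnale's first flag (a request for money or card details combined with pressure to act immediately) and his second flag (a request for personal information such as banking details, social security number or date of birth). The term lists and the sample messages are constructed for illustration and are assumptions, not anything the article provides.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not taken from the article) used to exercise the checks.
SAMPLE_MESSAGES = {
    "urgent_payment": (
        "Your account will be suspended TODAY unless you act now. "
        "Please confirm your credit card number and stay on the line while "
        "you purchase a prepaid gift card and read us the code on the back."
    ),
    "info_request": (
        "To finish processing your application, reply with your date of birth, "
        "social security number and bank account details."
    ),
    "benign": (
        "Hi team, the quarterly all-hands is moved to Thursday at 10am. "
        "Agenda attached; no action needed."
    ),
}

# Illustrative phrase lists (assumptions): pressure to act now, requests for
# money or payment instruments, and requests for personal information.
URGENCY_TERMS = [
    r"\bimmediately\b", r"\bact now\b", r"\btoday\b", r"\burgent\b",
    r"\bsuspended\b", r"\bfinal notice\b", r"\bwithin \d+ (hours|minutes)\b",
]
MONEY_TERMS = [
    r"credit card", r"bank account", r"prepaid (gift )?card", r"gift card",
    r"wire transfer", r"\bpayment\b",
]
PII_TERMS = [
    r"social security", r"\bssn\b", r"date of birth", r"\bpassword\b",
    r"account number", r"mother'?s maiden name", r"bank account",
]


def _hits(text: str, patterns: list[str]) -> list[str]:
    """Return the patterns that match anywhere in the text, case-insensitively."""
    return [p for p in patterns if re.search(p, text, flags=re.IGNORECASE)]


@dataclass
class ScamAssessment:
    urgency_hits: list[str]
    money_hits: list[str]
    pii_hits: list[str]

    @property
    def money_urgency(self) -> bool:
        # Red flag 1: asks for money or card details AND demands immediate action.
        return bool(self.urgency_hits) and bool(self.money_hits)

    @property
    def info_request(self) -> bool:
        # Red flag 2: asks for personal information.
        return bool(self.pii_hits)


def assess(text: str) -> ScamAssessment:
    """Score a single message against the two red flags."""
    return ScamAssessment(
        urgency_hits=_hits(text, URGENCY_TERMS),
        money_hits=_hits(text, MONEY_TERMS),
        pii_hits=_hits(text, PII_TERMS),
    )


def triage(text: str) -> list[str]:
    """Return the names of the red flags raised by a message (empty if none)."""
    a = assess(text)
    flags = []
    if a.money_urgency:
        flags.append("money_urgency")
    if a.info_request:
        flags.append("info_request")
    return flags


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: {triage(body) or 'no red flags'}")
```

A keyword check like this is a starting point for triage, not a verdict: the point of the two red flags is that either one should prompt the recipient to stop and verify through a channel they chose themselves before parting with money or information, which no filter can do for them.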

“It is important to remember that you didn’t solicit the call or email,” says Abagnale. “You have no idea who is on the other end of that device, so before you part with any money or information, you need to verify if what you are being told is true. Remember, we live in a world today where anything can be manipulated, replicated, counterfeited or deepfaked. People are basically honest, and because they are honest, they don’t have a deceptive mind.”

Strategies for the enterprise

So, deceptive and well-armed people stand on one side of the equation. Honest and essentially disarmed people stand on the other. It’s indisputable where the power lies. So, the enterprise must do everything possible to arm itself with what cybersecurity experts have been championing for decades: awareness.

“Education is the most powerful tool to fighting crime,” Abagnale says. “If you don’t train your employees in the call center to recognize they are being socially engineered, tricksters will turn the conversation around and get the individual in the call center to provide information they normally wouldn’t provide. No matter what technology you have, if you aren’t training people well, you are only creating future problems.”

Testing the bounds of human curiosity

Abagnale sometimes visited Fortune 500 companies to talk to employees about protecting the information entrusted to them. His plan: drop a number of USB devices marked as confidential around the employee parking lot.

During the lunch break, he’d check his laptop to see who had plugged in a USB stick and opened the file on it. Employees who opened the file were met with a message that stated, “This is a test, and you failed.”

Many failed the test.

The lesson? Education is the key strategy to being vigilant. And part of that education, according to Abagnale, is to question everything.

“Never engage a stranger in dialogue about your personal life,” he advised. “Don’t reveal any personal information — not just account information, but also names of family, friends and pets. Every time a stranger asks you a personal question, ask this question in return: ‘Why do you need to know?’ Remember that you don’t owe anything to a stranger — not information, consent to buy whatever they are selling or anything else.”

The future of social engineering scams

During the pandemic, many employees are not at the office, and calls may go to voicemail. So, many phishing emails masquerade as a voicemail file from the phone system.

Whether it’s in our personal or work lives, Abagnale suggests we keep our eyes open about the multitude of social engineering scams related to government aid programs, which are very lucrative for fraudsters. In California, for example, fraudsters charged up to $700 USD for anyone who didn’t qualify for COVID-19 relief money but wanted to file unemployment claims anyway. During the pandemic, the federal government gave $630 billion to the fifty states for unemployment insurance. To date, people have filed $68 billion in fraudulent claims, but the inspector general estimates closer to $100 billion.

“Since the government relieved the states from any liability of fraud, very few precautions were taken by the states when handing out the money,” Abagnale says. “Anytime the government gives money away (hurricanes, national disasters, pandemic, PPP Loans), 10% of that money will go out to fraud. So, if the government is about to give away $6 trillion, one could expect $600 billion will be fraudulently obtained.”

Finally, we can’t simply assume that the scams we see today will be the same in the future. As technologies like deepfakes and other AI progress, cyber thieves will use them to their advantage and change social engineering scam tactics.

“Cyber crooks are evolving,” Abagnale says.
