Social Engineering: Fraud Starts with the Human Mind
Las Vegas financial crimes detective Marc Evans, CFE, began his presentation on social engineering at the 36th Annual ACFE Global Fraud Conference with a typical greeting to the audience. He thanked everyone for coming to his presentation even though it was an early 7:30 a.m. session. As a law enforcement official, he asked the crowd who else was in law enforcement and gave a brief rundown of his career. Evans also talked briefly about Fraud Hero, the company he started, and compared Nashville with Las Vegas, his home.
Then, Evans held up a card. He said, in honor of Las Vegas, he was going to play a little game and give away a $50 gift card to someone in the audience. All someone had to do was scan a QR code he displayed in his presentation. You could hear the crowd of fraud fighters chuckle with skepticism.
Evans pulled up a slide that read “GOTCHA!!!” He had just applied social engineering on the crowd. He created trust, a sense of urgency and provided a fake incentive. The “gift card” he showed was actually his hotel key.
What is Cyber Fraud and Social Engineering?
“Fraud isn’t just digital,” said Evans. “It starts with the human mind.”
Evans defined cyber fraud as criminal activity using technology to steal money and data, and he said social engineering is manipulating individuals to perform actions or provide confidential information.
Evans’s presentation, “Unmasking The Connection: Social Engineering and Cyberfraud,” came at a tumultuous time as people try to avoid falling victim to scams. According to the Federal Bureau of Investigation (FBI), $16 billion was lost to internet crimes in the U.S. in 2024; $9.3 billion of that involved the use of cryptocurrency, and citizens 60 and older lost $4.8 billion (the most for any age group).
The top scams of the year were investment scams ($6.5 billion in losses), business email compromise ($2.7 billion) and tech support scams ($1.4 billion).
The Dangers of Social Engineering
90% of cyberattacks start with social engineering. No tech skills are needed to commit these frauds, and they target people rather than computers, which makes traditional cybersecurity tools ineffective against them.
“Humans are the weakest link in security,” said Evans. “But we are also the first line of defense.”
Scams that begin with social engineering include:
Business email compromise (BEC).
Ransomware.
Account takeover.
Investment scams.
Romance scams.
Tech support scams.
Common social engineering scams include:
Deepfake and artificial intelligence (AI) scams.
Tech support imposter.
Bank imposter scam.
Investment scam.
Grandparent scam.
Romance scam.
“Here’s [a] thing I tell guys when it comes to romance scams: know your number,” joked Evans. “If she looks like Scarlett Johansson, and you’re a 4 — I’m just being honest, okay.”
A Scam Example
Evans shared a scam that he investigated a few years ago. “Jane” was working the graveyard shift at a casino and received a call from someone she believed to be the fire department. Jane was directed to check all fire extinguishers and smoke alarms to make sure they were up to date, so she went and took photos of all of them. Jane did not know how to read the codes on the devices, so she was told to text the photos to a number. She was then told all the fire sensors were out of date, and that if this was not corrected immediately, the casino would need to be shut down.
The caller took down Jane’s cell phone number, just in case she was disconnected on the business line. After that, she began receiving messages from someone she believed was her manager (Jane did not have her manager’s number saved, so she was not able to verify). Her “manager” told her “We have to get this done now,” and she was then told the CEO of the company would call her at work. Jane talked again to the “fire department” and then received a call from someone she thought was the CEO, who told her to collect all the money she could and go pay a lawyer. Jane took $320,000 from the casino’s vault and was instructed to head to a Bitcoin ATM. She deposited $6,000 because there was a limit on the ATM and was instructed to hand the rest of the money to a “lawyer” who met her at a gas station. Jane was then told that more money was needed, so she retrieved more money and met with a second lawyer. She was instructed to procure more money, and the process repeated.
In total, Jane took more than $1.1 million and handed it to people she believed were lawyers that her CEO was telling her to pay. Jane was not arrested for the scheme, because she was a victim, but she ended up losing her job of 20 years.
Around the same time, Evans heard of similar scams happening around the country. He showed headlines of incidents involving Sam’s Town Casino, the Circa Hotel and Casino and a grocery store. He also heard the scam had hit marijuana dispensaries, gas stations, cookie shops, retail stores, fast food restaurants and more.
“A business fell victim to it,” said Evans. “Sometimes in large amounts and sometimes in small amounts, but they fell victim to it, so this can happen to anyone or any business.”
The Phases of Social Engineering Scams
Data gathering: Where do fraudsters get their information?
Data breaches.
Internal breaches: Employees steal information.
Mail theft and burglary.
Data broker websites: TruthFinder, FamilyTreeNow, Spokeo.
The approach: How are fraudsters going to execute the scams? Evans said impersonation and imposter scams are the most common right now.
The cyber execution: How will the fraudsters conduct the scam?
Phishing, vishing and smishing.
BEC: fake invoice with updated wire information.
Remote access tools (RATs) to monitor and steal.
Reasons People Fall for Scams
Authority and trust: A scammer pretends to be an authority figure.
Urgency and fear: “Act now or you’ll lose money.”
Greed and opportunity: “You won a prize! Click here to claim it!”
Curiosity: Unexpected messages spark interest.
Helpfulness: Evans said that, as humans, we naturally want to be helpful.
What You Can Do
To protect yourself and your business, Evans said to take a three-step approach:
Pause: Before taking any action, especially when it involves sensitive information or financial transactions, take a moment to pause and assess the situation.
Think: Consider the context of the request and reflect on any red flags that might indicate fraudulent activity.
Verify: Before proceeding, verify the legitimacy of the request. You can do this by contacting the organization directly or checking with a trusted source.
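The Pause, Think, Verify steps above, applied to the BEC pattern listed earlier (a fake invoice carrying updated wire information), can be turned into a simple payment gate. The following is an added example, not code from Evans’s talk or from Fraud Hero; the vendor master record, the invoice text, the bank account numbers and the phone numbers are all constructed sample values. The key design choice is that any verification callback goes to the contact number already on file, never to a number supplied in the suspicious message.

```python
"""Added example (not from Evans's presentation): a vendor-payment change gate
that encodes Pause / Think / Verify for the 'fake invoice with updated wire
information' BEC pattern. Every record and value below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master file: the bank details and the callback number that
# accounts payable already had on file before any invoice arrived.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "acme-supplies": {
        "account": "DE89370400440532013000",   # constructed sample IBAN
        "callback_phone": "+1-555-0100",       # number on file, NOT from the email
    },
}

# "Think": wording that signals the urgency-and-fear lever Evans described.
URGENCY_PHRASES = ("immediately", "urgent", "today",
                   "before close of business", "do not call")


@dataclass
class Invoice:
    vendor_id: str
    account: str                      # bank account the invoice asks us to pay
    amount: float
    body: str                         # free text of the covering email
    reply_phone: Optional[str] = None  # a number the sender asks us to call


@dataclass
class Decision:
    release: bool
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None   # the on-file number to call back


def assess_invoice(inv: Invoice, verified_out_of_band: bool = False) -> Decision:
    """Return a release decision for one invoice.

    Any red flag blocks payment ("Pause") until someone has called the vendor
    on the number in the master file and confirmed the change ("Verify").
    """
    master = VENDOR_MASTER.get(inv.vendor_id)
    reasons: List[str] = []

    if master is None:
        reasons.append("unknown vendor")
    else:
        if inv.account != master["account"]:
            reasons.append("bank account differs from vendor master")
        if inv.reply_phone and inv.reply_phone != master["callback_phone"]:
            reasons.append("sender supplied a contact number that is not the one on file")

    lowered = inv.body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    if not reasons:
        return Decision(release=True)

    callback = master["callback_phone"] if master else None
    # Release only after an out-of-band callback to the number on file; an
    # unknown vendor has no such number, so it can never be auto-released.
    if verified_out_of_band and master is not None:
        return Decision(release=True, reasons=reasons, verify_via=callback)
    return Decision(release=False, reasons=reasons, verify_via=callback)


if __name__ == "__main__":
    suspicious = Invoice(
        vendor_id="acme-supplies",
        account="GB29NWBK60161331926819",   # constructed: differs from master
        amount=48000.0,
        body="Our bank details changed. Please pay immediately and reply to this address.",
        reply_phone="+1-555-0199",
    )
    decision = assess_invoice(suspicious)
    print("release:", decision.release)
    for reason in decision.reasons:
        print(" -", reason)
    print("verify by calling:", decision.verify_via)
```

Run as a script, the constructed invoice is held because the account differs from the master record, the sender pushed a different contact number, and the body uses urgency language; the printed callback number is the one from the master file. Passing `verified_out_of_band=True` after a real callback is what releases the payment, which keeps the “contact the organization directly” step in the loop rather than in the attacker’s email.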
If you fall for a scam, here are the first steps you should take:
Notify your bank so it can stop the money from leaving the account.
Contact law enforcement.
Check and freeze your credit report if your personal information was used.
Report to federal agencies like the FBI and the FTC so they can compile statistics on these scams.
The main points Evans wanted to make sure the audience took from his presentation were:
Fraud isn’t just about technology – it’s about people.
Scammers evolve, so we must stay informed.
Education and awareness are our best weapons.