Unmasking the new face of financial crime

The greatest threat to our online security, be it digital fraud, human trafficking or otherwise, is the failure of human defence systems. Does technology make our lives easier? Absolutely, yes. But will it alter the mindset of an employee who may be misled into trusting a deepfake of their boss or clicking a spam link that imitates a legitimate hyperlink?

One misstep opens the floodgates and allows nefarious actors to access sensitive, business-critical information for their own personal gain. Social engineering attacks are surging as a result, while also growing in sophistication and scale. These attacks are becoming harder to detect because they exploit human psychology rather than technical vulnerabilities; over a third (36%) of incidents between May 2024 and May 2025 occurred due to social engineering.

To mitigate these threats, a multi-layered approach that combines robust technology, continuous employee education, upskilling workforces, and strong identity verification is crucial.

So, what is social engineering?

At its core, social engineering is the art of manipulation. It manipulates people into divulging confidential information or performing actions that benefit the attacker. Psychological levers like trust, fear, urgency, and curiosity are fundamental to making an attack of this kind work. Moreover, it is quite different from traditional fraud tactics that target machines: social engineering tries to manipulate people into ‘opening the door from the inside’.

In 2020, X (then Twitter) was hacked using social engineering methods to compromise high-profile accounts, including those of companies such as Apple and of individuals such as Elon Musk and Barack Obama. The attackers posed as IT support and targeted X employees who could bypass internal firewalls. They created a fake website mimicking X’s internal VPN login page and directed employees to input their credentials on that phishing site.

The breach affected at least 130 accounts, gave the attackers access to the direct messages of up to 36 accounts, and allowed them to download data from eight others. The attackers used these accounts to post messages promoting a Bitcoin scam, collecting over $100,000 in cryptocurrency. This incident highlights that even the most seemingly secure organisations, including banks and former US Presidents, are vulnerable to social engineering attacks.

Fool me once, shame on you…

Whilst social engineering attack methods are varied, they all have one goal: to bet on human trust to gain access. The risks of these attacks are significant, ranging from business email compromise (BEC), where threat actors impersonate executives or trusted partners to trick employees into making fraudulent payments or divulging sensitive data, to vishing (voice phishing), where threat actors use voice calls to trick victims in a sophisticated, natural-sounding way.

These attacks can also be highly personal via day-to-day platforms like WhatsApp - a threat actor recently created a fake WhatsApp account to impersonate me in an attempt to trick a Fourthline employee. This attack, fortunately, was unsuccessful, but it shows that these threats can happen to anyone, at any time.

And threats continue to escalate with SIM cloning. This is where threat actors transfer a victim’s phone number to a SIM card they control, which allows them to intercept one-time passcodes sent via SMS, giving them the final key needed to bypass multi-factor authentication and access sensitive financial or personal information.

Even entertainment behemoth MGM Resorts was subject to a coordinated attack, leading to long-term operational disruption and financial damage. But all of these attacks go well beyond financial loss. They inflict significant and lasting reputational damage on organisations of all shapes and sizes. And when these attacks target third-party providers, they exploit weaknesses in partners across the supply chain.

From human error to a human shield

As social engineering attacks rely on human failure, it is essential that financial services organisations have a holistic and multi-layered approach in place that integrates people, processes, and technology.

Firstly, employee education is of utmost importance. A bank’s workforce is the first line of defence, and this requires a culture of ongoing training and education. This learning should include regular phishing simulations, upskilling that factors in how technology like AI is ripping up the rule book, and clear protocols for reporting suspicious activity.

Alongside this, robust identity verification (such as know your customer (KYC) and anti-money laundering (AML) measures) must be in place. This means implementing strong, multi-factor identity verification processes at onboarding and during critical banking transactions. In addition, technological defences should include advanced security solutions such as email filters, anti-phishing tools, and behavioural analytics.

By investing in a multi-layered approach, one that prioritises strong identity verification, continuous education and advanced security measures, banks can significantly reduce their vulnerability to social engineering attacks.

The building blocks to success

In the face of these sophisticated attack methods, financial services organisations’ defence mechanisms must be adaptive and resilient, like the people they are protecting.

Social engineering is a persistent and evolving threat which demands new and proactive protection strategies. Finding the right marriage between technological defences and human resilience isn’t just an option; it’s fundamental in a world that is increasingly being lived online.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
