In December 2021, the U.S. Federal Trade Commission (FTC) launched a rulemaking with the intention of fighting the threat of impersonation scams. Since the outbreak of the COVID-19 pandemic, impersonators have capitalized on the anxiety around economic changes to goad businesses and individuals into handing over money or valuable personal information. Regulators everywhere are facing new challenges amidst the rise of these campaigns, also known as social engineering attacks.

What is social engineering?

Social engineering attacks, one of the most common forms of cybercrime, pose a unique threat to regulators. They prey on human emotions, taking advantage of trust to gain entry to a private system or otherwise steal private information. Despite its pervasive threat, the technical simplicity of social engineering means that with just a few basic controls, regulators can protect themselves as well as the public they serve.

Social engineering attacks come in many different forms. Phishing scams, for example, involve sending out an email that appears to be from a trustworthy source, like an employer or a retailer, but contains a malicious link that can either install malware or encourage the target of the scam to divulge personal information, like a password or a credit card number.

As one of the most common types of social engineering attacks, phishing scams have steadily gained notoriety over the years and are covered in many cybersecurity training programs. Phishing itself can also take many different shapes. Vishing, or “voice phishing,” involves actual human contact via a phone call, where the target of the scam is manipulated into giving money or valuable information over to the attacker.

Spear phishing involves targeting a specific person or company and usually requires some background research on the part of the attacker. In a similar vein, whaling is a phishing campaign that targets high-level employees. “Smishing” involves the use of SMS text messaging to lure the target into releasing valuable information. With the many forms phishing scams can take, it’s important for regulators to be constantly vigilant of multiple vulnerabilities in their daily work.

A particularly effective and common form of phishing scams involves sending the target a fake notice to appear in court. By impersonating law firms and notifying individuals that they must appear in court, scammers can take advantage of the anxiety presented by fallacious legal trouble and draw  recipients into clicking links to “court notices” that actually install malware. A similar scam involves impersonating the IRS and preying on the anticipation of a tax refund to encourage users to download ransomware.

How can regulators avoid social engineering attacks?

One of the fundamental measures a regulator can take to avoid the consequences of social engineering scams is training employees thoroughly on the many forms these campaigns can take. Teaching staff how to look for the signs of these attacks, particularly with regards to emails received at work, can prevent an organization from falling prey to them. This can be accompanied by the occasional use of fake phishing emails to test awareness throughout an organization.

Though training and education are paramount in avoiding impersonation scams, there are also automated solutions that can help an organization stay safe. The use of anti-phishing software, for example, can flag suspicious emails and alert staff of the attempted attack. Combined with thorough firewalls on an organization’s networks, this technical solution helps but cannot replace basic training on social engineering.

What does the future hold?

If the recent rulemaking by the FTC is any indication, regulators will be taking arms against social engineering scams for years to come. One of the proposed rules in the FTC’s announcement calls for restitution for businesses and individuals who fall victim to impersonation scams. While financial relief can mitigate the costs of an attack after it has already occurred, it still does not attack cybercrime at its roots.

After experiencing a sharp spike in loan fee fraud-related complaints, the U.K. government’s Financial Conduct Authority (FCA) partnered with behavioral scientists and music producers to create an “anti-fraud jingle” in December 2021. The song attempts to inform the public of the risks of loan fee fraud, which targets people searching for loans online, in a catchy and shareable way. This light-hearted push to spread awareness serves as an example of small measures regulators can take to help citizens protect themselves.

As the pandemic continues to develop, and as information technology integrates even more thoroughly into daily business practices around the world, social engineering attacks will continue to plague organizations everywhere. But by taking a few basic measures like offering training and utilizing protective software, regulators can work to ensure their agencies and constituents alike are a little bit safer from one of cybercrime’s most common and sinister forms.