Social Engineering

Technology has become reliable enough that the person, the cardholder, is now the weakest link in the security chain. Where fraudsters once attacked the technology itself by trying to break into systems and devices, today they have had to learn how to "hack" people to get results. This approach is called "social engineering".

According to experts, the most common use of social engineering is to trick customers into revealing their bank account or card details.

Fraudsters often obtain the data they need by posing as bank employees, or simply by exploiting customers' low financial literacy and trust. For example, they may send an SMS claiming that the card has been blocked and demanding a call to a specified number: "Your card has been blocked, call xxx-xx-xx for details".

Another form of social engineering is a call from "bank security officers" who claim to be cancelling suspicious debits supposedly being made from the customer's account by mistake. During the call the fraudsters try either to pressure the customer into disclosing passport data and payment details or to talk the customer into transferring money to the criminals themselves. In both cases the goal is the same: to obtain one-time passwords from SMS together with account or card details.

Fraudsters also target people who have posted sale advertisements on OLX and other public message boards. They pose as buyers and, under the pretext of transferring payment for the goods, extract bank account or card details and the one-time confirmation codes arriving by SMS.

Or, conversely, fraudsters pose as sellers of some goods or services and attract the victim with a low price. They may send links to fake courier-service websites, ostensibly to pay for delivery of the goods. In reality, any payment details entered through such a link go straight to the fraudsters, who can then use them to empty the account.

It is important to understand that any publicly available information on social networks (VKontakte, Instagram, Facebook, and so on) can help criminals learn where you are or pick up personal details. Even wish lists on major online stores such as Wildberries and Aliexpress can be a great help to a social engineer choosing the right pretext.

Even the most modern, high-tech banking security systems will not protect customers who hand over their personal data or transfer money to fraudsters themselves. Law enforcement agencies are also of little help in such situations. Sometimes it does not hurt to be a little more distrustful, a little more vigilant. There is nothing wrong with being skeptical.

So, if you get a call from a "bank employee", here is what should alert you and what you should pay attention to:

  1. A vague name, something like "State Banking Association Security Service" or "Transfers Inspection Security Department". As a rule, fraudsters do not know which bank you are a customer of, so they hide behind a jumble of words such as "security", "bank" and "transfers". A real bank employee will state the full name of the bank right after giving his or her own name.

  2. An attempt to "verify" confidential data: card number, expiration date, CVV2 code (the three digits on the back of the card), account number, passport data, IIN, and the like. A real bank employee will never ask a customer to provide such data over the phone. Bank employees may genuinely call to confirm suspicious transactions on your card, but in that case the employee will tell you the time of the transaction and the name of the merchant where it was made, and you only have to confirm or deny it. Even if you do not confirm the transaction, you will be asked to come to the bank and submit a written statement. You will not be asked for your identity document or bank card numbers.

  3. An attempt to pressure you into reading out a "code from a text message" or installing an unfamiliar application on your smartphone. Bank specialists will never ask a customer to install a remote-access tool on the device: they already have all the resources and tools they need to block unauthorized access on their side.

  4. An attempt to pressure you into following a link they send and entering the card's payment data (card number, expiration date, CVV2) into a form. Never enter this data into forms opened from links sent by strangers, even if they present themselves as security officers of some organization and even if the page looks like your bank's.

If you have the slightest doubt that you are talking to a bank employee, simply hang up and call the number printed on the back of your card. Dial it yourself rather than returning the caller's number, and do not trust the caller ID on the incoming call: it can be spoofed to display the bank's genuine number.