
Many fintech companies focus on protecting their data and customers from technical vulnerabilities in systems and networks. Unfortunately, they often overlook that their greatest vulnerabilities can also come from within.
These insider threats can be malicious and intentional by an employee. More often, however, they are unintentional mistakes, with social engineering being a common factor. According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involved a human element, like a person falling victim to a social engineering attack or making an error. Of the social engineering attacks, 95% were financially motivated.
Everyone in your organization is at risk of falling for social engineering tricks. Even the most technologically savvy individuals, such as engineers and security personnel, can slip up, often because they are busy, stressed, tired, or simply forget to pause and ask questions. Fortunately, you can supplement human screening with automated approaches, such as identifying previously unseen devices and treating them with increased scrutiny, to reduce the likelihood of these attacks successfully reaching sensitive data and systems.
In this article, we’ll dive deeper into social engineering, including how it happens, common tactics used by threat actors, and ways to prevent it.
What is social engineering?
Unlike traditional online hacks that target system vulnerabilities, social engineering exploits human psychology. With social engineering, the hacker manipulates targeted individuals into revealing sensitive financial information or authentication credentials, such as credit card numbers, passwords, or other personal information, so they can gain unauthorized access to financial or other internal systems.
The attacker might pose as a trusted entity like a bank, coworker, or friend. They often use phishing emails, phone calls, or in-person interactions to gain their victims' trust. The stakes are particularly high for financial services (including fintech), where a single compromised account can lead to substantial financial losses and regulatory complications.
How does social engineering work?
Social engineering in fintech follows four sophisticated phases. Because this approach takes time and effort, fraudsters often target specific high-value accounts and financial system administrators.
Let's explore the four social engineering phases:
1. Reconnaissance
An attacker conducts a lot of research into the target. In fintech environments, attackers specifically dig up information about employees with access to payment systems, transaction approval workflows, and financial data.
Various social media sites, including LinkedIn, are helpful for attackers to piece together the organization hierarchy and understand which employees might have admin or high-privilege access. Attackers often spend 3-4 weeks studying potential targets before making contact.
2. Engagement
The next step is to contact the targeted victim. Often, the attacker may impersonate a financial regulator, auditor, or internal compliance team member. This is called pretexting, where an attacker poses as a trusted person and invents a compelling story to make their request seem urgent and legitimate.
The attacker either gains information by phishing for credentials and using those stolen login details to access accounts and devices, or they engage the victim in a conversation over email, phone call, or text message. If the target identifies the contact as malicious, the attack can fall apart; the attacker might wait and try again later or choose a new target. According to the Verizon report, phishing and business email compromise (BEC) accounted for 73% of social engineering incidents.
3. Exploitation
Once the attacker successfully engages with the victim, they can gain unauthorized access to accounts, company information, or even a specific computer. An attacker can:
- Exploit the system (e.g., by moving laterally through the network to access other systems, gaining admin rights, or disabling security controls)
- Exfiltrate data by identifying valuable data, compressing or encrypting it, transferring it through covert channels, and covering tracks by deleting evidence
- Install malware to allow for persistent access, stealing data over time, or encrypting files for ransomware
- Monitor the network (e.g., mapping the network architecture, learning security patterns, or finding new vulnerabilities)
4. Closure
In this crucial phase, the attacker must maintain access long enough to execute their financial fraud while avoiding detection by transaction monitoring systems. Once the attacker has completed the attack, they typically end the conversation casually and naturally, using excuses like needing to attend to something else or having another call. This helps prevent the target from becoming suspicious that they were just defrauded.
6 common social engineering methods
Phishing
Phishing involves sending fraudulent emails or text messages that appear to come from legitimate sources. These messages often urge recipients to click on a link under the guise of urgent security concerns or account verification. The victims are then taken to a page that contains phony login or security forms to trick them into divulging sensitive information, such as passwords or personal details. While broader attacks impact many users, attacks that target specific employees, for instance, those with transaction approval authority or access to payment systems, fall under a subset of phishing called spear phishing.
Vishing (voice phishing)
With vishing, attackers manipulate victims into revealing sensitive information or making unauthorized transactions over the phone by posing as financial regulators, auditors, or even high-priority customers requiring urgent help with a transaction. This technique requires persuasive speech and social cues such as creating fake urgency or acting like the CEO to manipulate the target. Generative AI can make this approach even more convincing because fraudsters can easily use the technology to mimic human voices and emotions.
Pretexting
Pretexting involves posing as someone in authority to engage an individual, sometimes over multiple interactions. Fraudsters may research or steal information about a target to make their scenarios seem factual. For fintech companies, attackers might pose as regulators conducting an emergency audit or as corporate customers facing urgent payment issues.
Baiting
Baiting exploits an individual's curiosity or greed by offering something enticing in exchange for performing an action that compromises their security. For example, a fraudster might get a target to download malware or reveal login credentials in exchange for rewards or free services. Unlike phishing, baiting leads the target to believe they are receiving something desirable with minimal effort.
Quid pro quo
Quid pro quo offers a benefit in exchange for information or access. Instead of a product, it typically provides a service, such as tech support or a consultation. Attackers might pose as fintech vendors offering free trials of premium services or as market analysts sharing exclusive reports. The target thinks they are getting their problem solved and that it’s legitimate — only to have information stolen.
Tailgating/piggybacking
Unlike digital-focused tactics like phishing, tailgating exploits security lapses in physical environments. Attackers follow an authorized individual into a restricted area or exploit their lack of vigilance to gain physical access to secure systems. This is particularly relevant for fintech companies operating physical trading floors or maintaining cryptocurrency mining operations.
A real-life example of social engineering: The 2023 MGM Resorts breach
In 2023, MGM Resorts International suffered a devastating cyberattack that began with a simple social engineering tactic. A group of attackers used publicly available information about an MGM employee from LinkedIn to impersonate the employee over the phone and convince the IT help desk to reset the account’s password. The breach led to operational disruptions for multiple days, reputational damage, and $13B in financial losses. Slot machines, hotel room digital keys, and everything in between didn’t work, and the company was forced to switch to manual operations.
The attack highlighted several critical issues:
- The risks of information sharing on professional online networks
- The limitations of traditional security training
- The inadequacy of password-based authentication systems
What made this attack particularly notable was the simplicity of gaining access via vishing. The attackers simply needed enough information to sound convincing on a phone call.
Similarly, Caesars Entertainment was successfully targeted by the same attackers, and the company paid millions of dollars in ransom so they could continue operations as normal.
These incidents served as a wake-up call for organizations and demonstrated how social engineering can bypass even established security protocols.
Steps to prevent social engineering attacks
The weakest link in your organization is the human element — and often, that’s employees who think they are invulnerable to social engineering and phishing attacks or employees with high-privilege access.
Attackers typically target people who can access code repositories, administrative controls, trade secrets, databases, and possibly customer data, such as security researchers, network administrators, executives, and other employees. It only takes one employee to fall for an attack for a company to lose large amounts of data, trade secrets, and intellectual property. Companies not only lose money directly, but when their customers’ data is exposed, they can also face lawsuits, lost customers, and a damaged reputation.
The best way to prevent social engineering attacks is to approach them from both a technical and human perspective.
Here are some effective social engineering prevention measures:
Educate your team
Conduct regular training to reinforce that your team should be wary when they receive requests for information or are directed to click on links from unknown sources. Training is often forgotten or ignored, and, typically, it’s only after an attempted attack that training is taken seriously. Consider simulated phishing scenarios to give employees hands-on experience identifying and responding to such attacks.
Understand social media privacy features
Any information publicly posted on social media can be used to gather intelligence on your employees, their jobs, and their authorizations, making them a target for social engineering. LinkedIn is one of the best ways to perform reconnaissance on job titles and functions, management, and any executives overseeing infrastructure. Encourage your employees to review their social media profiles' privacy and security features and to customize visibility based on their preferences.
Require multi-factor authentication
Multi-factor authentication (MFA) requires users to provide two or more different forms of verification to access an account or system, such as biometric identification, SMS codes, or security questions. Fintech companies should encourage users to enable MFA and enforce its use for high-risk transactions.
Include warnings in user communications
Communicate with customers that you will notify them of any changes to their account, such as when a login is attempted from a new device. When you send messages with one-time passcodes (OTPs) for multi-factor authentication, instruct users not to share the codes. Remind users to only share sensitive information after verifying the authenticity of personal or protected data requests.
Detect unrecognized devices
If a fraudster obtains a user's login details through social engineering, they will likely access the account from a different device. Device history analysis can flag login attempts from devices users haven't used before, indicating a potential security breach. Actions performed from an unrecognized device should trigger additional authentication steps, such as sending an OTP.
Preventing successful social engineering attacks with device intelligence
Accurately identifying devices is an important step in preventing social engineering. Fingerprint's device intelligence platform combines over 100 network, device, and behavioral signals to create a unique visitor identifier for every device that visits a site or app.
Additionally, Fingerprint Smart Signals provide actionable insights into your visitors by detecting tampered devices, rooted or jailbroken devices, bots, and more. Together, these signals and visitor IDs provide the data fintech risk and fraud teams need to make better-informed decisions about fraud, faster.
How to prevent a social engineering attack with Fingerprint
Protecting against social engineering is easy with Fingerprint device intelligence. Our highly accurate and stable visitor identifiers, combined with Smart Signals, give you an advantage over these fraudsters and help to protect your users.
Fingerprint visitor identifiers stay consistent even if users clear cookies, browse in incognito mode, or use a VPN, making it simple to recognize returning visitors or spot new devices that have never accessed your site or a specific account before. This stability allows you to defend against attackers without disrupting the user experience of legitimate users who you recognize.
On top of that, you can use our 20+ signals to detect risky behavior and visitor characteristics. For instance, if Fingerprint detects bot activity during a login attempt, you can block the login outright — even if the credentials are correct — like in a credential stuffing attack. Other signals can help you spot warning signs like tampered browsers, emulators, remote control tools, or developer tools being open, allowing you to investigate or apply extra security checks when needed.
To get started, all you’ll need are your Fingerprint API keys (sign up for a free trial!) and some simple logic to stop social engineering threats. Then, you can install the Fingerprint client agent to make an identification request and get the full details for the visitor, like their unique visitor ID and identified Smart Signals. You can use this data to strengthen your platform in various ways — for example, store visitor IDs with account information and check if a device has accessed the account before. If it’s a new device, you can add an extra layer of security by requesting additional authentication:
const db = require("./database");

// Check if the device is recognized for this account.
// recordDeviceAttempt, requestAdditionalAuthentication and allowLogin are
// application-specific helpers assumed to be defined elsewhere in your app.
async function checkAccountDevices(accountId, visitorId) {
  const query = `SELECT * FROM account_devices WHERE account_id = $1 AND visitor_id = $2`;
  const result = await db.query(query, [accountId, visitorId]);
  if (result.rows.length === 0) {
    // This device has never been used with this account before.
    await recordDeviceAttempt(accountId, visitorId);
    return requestAdditionalAuthentication();
  }
  return allowLogin();
}
Assess risk with device attributes
You can identify fraudulent activity patterns by analyzing each visitor's unique device attributes with Smart Signals. For instance, a visitor's use of a virtual machine or Android emulator can raise red flags about potential malicious intent. Businesses can detect attempts to bypass standard security protocols by identifying tampered devices. Device takeover attacks, such as tech support scams, may rely on remote control tools or leave developer tools open, both of which Fingerprint can also detect. You can mitigate social engineering risks by integrating these signals into your risk assessment models.
For example, if the device shows signs of tampering, reject the request:
// Check for suspicious forms of device tampering. fingerprintEvent is the
// Fingerprint Server API event for the request; each Smart Signal lives under
// products.<signal>.data.result and is absent when not enabled, hence the `?.`.
// flagSuspiciousActivity, failLoginAttempt and allowLogin are application helpers.
function checkDeviceTampering(fingerprintEvent) {
  const visitorId = fingerprintEvent.products.identification.data.visitorId;
  const tamperSignals = ["emulator", "clonedApp", "frida"];
  for (const signal of tamperSignals) {
    if (fingerprintEvent.products[signal]?.data?.result === true) {
      flagSuspiciousActivity(visitorId);
      return failLoginAttempt();
    }
  }
  return allowLogin();
}
Spot unusual behaviors
Understanding a user's typical patterns can help fintech companies identify unusual behavior resulting from social engineering. Deviations from consistent usage patterns, such as account activity or access points, ought to raise suspicion of potential fraud. In particular, sudden log-ins at odd hours or from different cities might indicate compromised credentials.
For example, check if a new transaction falls outside the user's average range. If so, ask for additional information to authorize the transaction:
const db = require("./database");

// Check if a transaction is within the user's average range.
// flagSuspiciousActivity, requestAdditionalAuthentication and processTransaction
// are application helpers assumed to be defined elsewhere in your app.
async function assessTransactionRisk(userId, currentTransactionAmount) {
  const query = `SELECT AVG(transaction_amount) AS avg_transaction_amount
                 FROM user_transactions
                 WHERE user_id = $1`;
  const result = await db.query(query, [userId]);
  // PostgreSQL returns AVG as a numeric string (or NULL with no rows), so convert it.
  const avgTransactionAmount = Number(result.rows[0]?.avg_transaction_amount);
  // If no transaction data is found, assume low risk and process the transaction.
  if (!avgTransactionAmount) {
    return processTransaction(currentTransactionAmount);
  }
  if (
    currentTransactionAmount > avgTransactionAmount * 1.5 ||
    currentTransactionAmount < avgTransactionAmount * 0.5
  ) {
    // The transaction amount deviates from the average.
    flagSuspiciousActivity(userId);
    return requestAdditionalAuthentication();
  }
  return processTransaction(currentTransactionAmount);
}
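As an added example (not the article's or Fingerprint's code), a sturdier version of the amount check above: a mean is dragged upward by one large payment, so this uses the median and the median absolute deviation (MAD) of the account's past amounts, and it declines to judge accounts with too little history rather than treating them as low risk. MIN_HISTORY and MAD_THRESHOLD are assumed tuning values, and the sample amounts in the comments are constructed.

```javascript
// Added example; not the article's code. Judges a transaction amount against the
// account's past amounts using median and MAD instead of a mean, and reports
// when there is not enough history to learn a pattern at all.

const MIN_HISTORY = 5;   // assumed: with fewer past amounts we do not judge
const MAD_THRESHOLD = 4; // assumed: more than 4 MADs from the median triggers a step-up

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 === 0 ? (sorted[mid - 1] + sorted[mid]) / 2 : sorted[mid];
}

// Returns { decision, score } where decision is "process", "step_up" or
// "insufficient_history" and score is how many MADs the amount sits from the median.
// Example: history [100, 120, 95, 110, 105, 2000] has median 107.5 and MAD 10, so
// 130 scores 2.25 (process) while a mean-based +/-50% band would have flagged it.
function assessTransactionAmount(history, amount) {
  if (history.length < MIN_HISTORY) {
    // Let the caller apply a fixed absolute limit instead of guessing a pattern.
    return { decision: "insufficient_history", score: null };
  }
  const med = median(history);
  const mad = median(history.map((v) => Math.abs(v - med)));
  // If every past amount is identical, MAD is 0; fall back to 10% of the median
  // (at least 1) so we never divide by zero but a real jump still stands out.
  const scale = mad > 0 ? mad : Math.max(med * 0.1, 1);
  const score = Math.abs(amount - med) / scale;
  return { decision: score > MAD_THRESHOLD ? "step_up" : "process", score };
}
```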
Block past fraudsters
Businesses can use known blocklists of previous fraudsters to prevent them from creating new accounts or gaining access to existing ones. In addition to external lists, fintech companies should track their known fraudsters based on past fraudulent activity on their site. These lists help identify and stop social engineering attempts by individuals who have previously targeted the company or its users.
Use Fingerprint’s unique visitor identifiers and store past suspicious activity to check against in the future:
const db = require("./database");

// Check if the device has a history of suspicious activity.
// flagSuspiciousActivity, failLoginAttempt and allowLogin are application
// helpers assumed to be defined elsewhere in your app.
async function checkDeviceHistory(visitorId) {
  const query = `SELECT * FROM flagged_devices WHERE visitor_id = $1`;
  const result = await db.query(query, [visitorId]);
  if (result.rows.length > 0) {
    // The device has previously been used for fraudulent behavior.
    flagSuspiciousActivity(visitorId);
    return failLoginAttempt();
  }
  return allowLogin();
}
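The unrecognized-device, tampering and flagged-device checks above, plus the odd-hours login pattern from "Spot unusual behaviors", combined into one login decision as an added example (not the article's or Fingerprint's code). It assumes an in-memory `store` standing in for the account_devices and flagged_devices tables, and an `event` object mimicking the products.<signal>.data.result shape of a Fingerprint Server API event that the snippets above read; the 3-hour window and the signal list are assumptions.

```javascript
// Added example, not Fingerprint's or the article's code. Folds the article's
// separate checks into one decision that can be tested without a database.

// Signal names taken from the article's checkDeviceTampering snippet.
const TAMPER_SIGNALS = ["emulator", "clonedApp", "frida"];

function createStore() {
  return {
    accountDevices: new Map(), // accountId -> Set of visitorIds seen on that account
    flaggedDevices: new Map(), // visitorId -> reasons it was flagged
    loginHours: new Map(),     // accountId -> UTC hours of past successful logins
  };
}

// Returns the tampering signals whose result is true; signals absent from the
// event (not enabled) are ignored instead of throwing.
function tamperSignals(event) {
  return TAMPER_SIGNALS.filter((s) => event.products?.[s]?.data?.result === true);
}

// An hour is unusual if the account has a login history and this hour is more
// than 3 hours (around the clock, so 23 and 1 are 2 apart) from every past login.
function isUnusualHour(history, hour) {
  if (history.length === 0) return false;
  const gap = (h) => Math.min(Math.abs(h - hour), 24 - Math.abs(h - hour));
  return history.every((h) => gap(h) > 3);
}

// Decide "deny", "step_up" or "allow" for a login attempt and say why.
function evaluateLogin(store, accountId, event, loginTime) {
  const visitorId = event.products.identification.data.visitorId;
  const reasons = [];
  const tampered = tamperSignals(event);
  if (tampered.length > 0) reasons.push(`tampering:${tampered.join(",")}`);
  if (store.flaggedDevices.has(visitorId)) reasons.push("previously_flagged");
  if (reasons.length > 0) {
    // Hard fail, and remember the device so later attempts from it fail too.
    if (!store.flaggedDevices.has(visitorId)) store.flaggedDevices.set(visitorId, reasons);
    return { decision: "deny", visitorId, reasons };
  }
  const known = store.accountDevices.get(accountId)?.has(visitorId) ?? false;
  if (!known) reasons.push("unrecognized_device");
  const hours = store.loginHours.get(accountId) ?? [];
  if (isUnusualHour(hours, loginTime.getUTCHours())) reasons.push("unusual_hour");
  // Soft signals only get a step-up (e.g. an OTP), not a block.
  return { decision: reasons.length > 0 ? "step_up" : "allow", visitorId, reasons };
}

// Call after any successful login (including one that passed a step-up) so the
// device and the hour count as normal for this account next time.
function recordSuccessfulLogin(store, accountId, visitorId, loginTime) {
  if (!store.accountDevices.has(accountId)) store.accountDevices.set(accountId, new Set());
  store.accountDevices.get(accountId).add(visitorId);
  const hours = store.loginHours.get(accountId) ?? [];
  hours.push(loginTime.getUTCHours());
  store.loginHours.set(accountId, hours);
}
```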
Organizations say their employees are their greatest asset. They can also be the weakest link when it comes to social engineering, but they don’t have to be. Implementing additional layers of defense such as Fingerprint device intelligence can go a long way in reducing the chances that a weak moment creates a huge headache.
Check out our self-guided demo to see how Fingerprint works or reach out to us to learn more.
FAQ
Social engineering is the broader category that encompasses all techniques used to manipulate people into revealing confidential information or performing actions that compromise security. Phishing is one specific type of social engineering attack that typically uses fraudulent emails or messages to trick users.
While the reconnaissance phase of a social engineering attack can take weeks, the actual compromise can happen in minutes. This is particularly concerning for fintech companies because rapid transactions mean that significant damage can occur in a very short time window.
The most crucial moment to prevent compromise is during any request for urgent financial action, especially when it involves changes to established procedures or payment details. Organizations should implement mandatory waiting periods and multiple-person verification for high-value transactions or changes to payment information, even when the request appears to come from senior leadership.
Fintech companies are prime targets due to three main factors: direct access to financial assets, complex transaction systems with multiple human touch points, and the high-pressure environment where staff often need to make quick decisions. Integrations between financial services and partners can potentially expose numerous attack vectors that social engineers can exploit.
Attackers can use generative AI to create convincing phishing emails that match corporate communication styles, create deepfake voices for vishing attacks (often mimicking executives), and automate the reconnaissance phase to gather intelligence more effectively.