AML CHALLENGES
Social money laundering?

Social engineering. The term has several meanings, but in the context of the financial service industry its meaning is clear: Social engineering is the manipulation of one individual by another — to obtain something to their advantage. Simply put, they’re either trying to play on your sympathy or just plain fool you.
With the advent of the new Identity Theft Red Flags and Address Discrepancies regulation — effective November 1, 2008, social engineering has come to the forefront as one of the perceived threats associated with stealing personal financial information.
Inherent obstacles
Social engineering has been around since the dawn of time and has been practiced by everybody at one time or another. Most people, however, don’t employ it for criminal activity, but rather for some sort of emotional satisfaction or legal economic gain. In other words, they want to get their own way.
Training your employees to resist and recognize social engineering can be a nearly impossible task, since in many instances they won’t even see it as social engineering, but rather as “customer service.” Policies and procedures designed to prevent an employee from rendering a potentially damaging decision are the exact thing the social engineer is trying to convince the employee to circumvent.
Social engineering can be successful for a variety of reasons. Some companies empower employees to make decisions and exceptions on their own. Some employees lack a complete understanding of the company policy — or don’t even know there is one. A disgruntled or recalcitrant employee can be a social engineer’s best friend. Personnel who believe the company policy to be foolish aren’t helpful, either. Throw in young, inexperienced workers, indoctrinated in today’s customer-friendly culture, and you have a recipe for disaster.
The biggest problem with social engineering is that the employee is usually one-on-one with the person attempting to dupe them. The perpetrator’s goal is to obtain information or an immediate benefit — or find a potential weakness to exploit at a later date. They want to accomplish this as fast and as indiscriminately as possible. Time is neither an ally of the social engineer nor of the financial institution. Back office reports may only reflect the policy violation after it’s too late, if they pick it up at all.
Recently, I found myself in a situation with two large banks, both of which will obviously remain nameless, wherein incidents occurred that clearly crystallized what social engineering is all about, and the blurred lines an employee can face.

acams today | November / December 2008
The gambit
In need of some foreign currency for a trip overseas, I went to bank A to order it. The amount needed was only several hundred dollars, basically what certainly can be classified as a non-threatening amount. I drew the branch manager for the transaction simply because he was available, not because bank A restricted those particular transactions to him.
After looking up the exchange rate and determining the amount with the bank’s processing fee, I began to hand him cash. He seemed caught off guard. He quickly asked me if I was a customer, which I was, but I did not have the kind of account — a checking or savings account to be precise — that bank A requires to complete the transaction. The bank I have my checking account with does not provide foreign cash services, which brought me to bank A to begin with.
I could see that this was now evolving into a real hassle. Despite a mild protest, the branch manager wouldn’t budge, and I could sense he was not about to succumb to any social engineering I was pondering. A skilled social engineer is always interpreting tone of voice and body language, knowing when to back off and when to persist. In fact, the branch manager began to politely explain the reason for the policy, which, of course, was to create a paper trail of the transaction for, among other things, anti-money laundering (AML) purposes.
I was tempted to let him know what I do and offer him some alternatives, such as following the bank’s AML procedures for savings bond redemptions to noncustomers (the social engineering gambit that jumped into my head), but I could see his mind was made up. I got the feeling he would have just said, “Well, then you should understand, sir.” So I played the role of John Q. Public, thanked him and left.
The following day, I went to bank B to try again. When I asked a teller about
www.ACAMS.org