Social Engineering Fraud
1. What is Social Engineering Fraud?
Social engineering fraud manipulates people into divulging confidential information, or into taking an action such as sharing an OTP or approving a payment, that the fraudster then exploits. Unlike attacks on software or infrastructure, it exploits human psychology (trust, fear, greed, urgency, curiosity, deference to authority) to trick the victim.
2. Common Techniques in Social Engineering
Phishing: Sending fraudulent emails or messages that impersonate a legitimate source (a bank, a supplier, the company's own IT desk) to harvest credentials, OTPs or payment details, or to get the recipient to open a malicious link or attachment.
Pretexting: Inventing a plausible scenario, such as posing as IT support doing "maintenance", to get the target to hand over private data or perform an action.
Baiting: Offering something enticing (free software, a prize, a "found" USB drive) to lure victims into giving up information or running malware.
Vishing: Voice phishing: phone calls in which the caller impersonates a bank, tax or police official.
Tailgating: Physically following an authorised person through a controlled door into a secure area without presenting credentials.
3. Why is Social Engineering Effective?
Because it targets people rather than systems. Technical safeguards (firewalls, encryption, multi-factor authentication) stop attackers who lack valid access; they do nothing once an authorised user has been persuaded to hand over a credential or OTP, approve a transfer or open a malicious link, because the attacker then operates with that user's legitimate access. This is why the human element is often called the weakest link in a security system.
4. Legal Framework
In India:
Information Technology Act, 2000: in particular Section 43 (unauthorised access to, and copying of, data), Section 66 (computer-related offences), Section 66C (identity theft: dishonest use of another person's password or other unique identification feature) and Section 66D (cheating by personation using a computer resource).
Indian Penal Code provisions on cheating (Section 420), criminal breach of trust (Sections 405 and 406) and forgery (Sections 463 and 465). The IPC was replaced by the Bharatiya Nyaya Sanhita, 2023 with effect from 1 July 2024; the cases below all predate that change and are charged under the IPC section numbers.
Detailed Case Laws & Examples of Social Engineering Fraud
Case 1: The Mumbai Bank Employee Phishing Scam (2018)
Facts:
An employee of a Mumbai bank was targeted by fraudsters posing as the bank's IT support staff. Using this pretext, they persuaded the employee to share his login credentials and the OTPs sent to him. With that access the attackers siphoned off ₹20 lakh from several customer accounts.
Legal Outcome:
The investigation led to the arrest of the group running the operation. The employee was exonerated after establishing that he had been deceived. The court observed that the accused had exploited human vulnerability through social engineering and sentenced them under the IT Act and the cheating provisions of the IPC.
Significance:
Internal employees are targets too, and a single shared password plus OTP gives an outsider an insider's access. Legitimate IT staff never need a user's password or OTP, so the request itself is the warning sign; awareness training should say so explicitly.
Case 2: Delhi Corporate CEO Vishing Scam (2020)
Facts:
The CEO of a Delhi-based company received a call from someone impersonating a tax official, who threatened legal action unless a "penalty fee" was paid immediately. Fearing the consequences, the CEO transferred ₹50 lakh to the account the caller specified.
Legal Outcome:
On complaint, the cybercrime police traced the call to a gang that specialised in vishing. The gang was apprehended and charged with cheating and criminal intimidation. The court noted the use of fear and urgency as classic social engineering tactics.
Significance:
Demonstrates voice-based social engineering that exploits authority and fear. The defence is procedural: end the call and verify the claim through a number obtained independently (from the official website or existing correspondence), never through a number or payment account supplied by the caller.
Case 3: Hyderabad Social Media Romance Scam (2019)
Facts:
A woman in Hyderabad was drawn into an online relationship by a fraudster who gradually gained her trust over social media. He then fabricated an emergency and requested money transfers that eventually totalled ₹30 lakh.
Legal Outcome:
The accused was booked for cheating under the IPC and the IT Act. The victim's testimony described the emotional manipulation and gradual grooming involved, a classic romance scam.
Significance:
Shows how social engineering exploits emotional vulnerabilities over weeks or months, with no technical exploit involved at all.
Case 4: Bangalore IT Professional Business Email Compromise (BEC) (2021)
Facts:
A Bangalore-based IT company was defrauded of ₹1.2 crore after fraudsters gained access to the CFO's mailbox through phishing. From that mailbox they impersonated the CFO and instructed finance staff to transfer large sums to "vendor" accounts that the fraudsters controlled.
Legal Outcome:
Cybercrime units arrested the suspects after tracing the IP addresses used. The company pursued both civil and criminal remedies. The attack is a business email compromise (BEC), a targeted form of social engineering in which the instructions come from a genuine, compromised account and therefore pass every sender-authentication check.
Significance:
Illustrates how social engineering targets corporate communication systems for high-value fraud. Because the mail itself is authentic, the control has to sit in the payment process: any new payee or change of vendor bank details is confirmed by a call to a number already on file, and transfers above a threshold need a second approver.
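The indicators that recur in the techniques listed in Section 2 and in this BEC case (an executive's name on mail from an outside or look-alike domain, a Reply-To that diverts replies elsewhere, urgency paired with a payment instruction, and a From domain the receiving server could not authenticate) can be checked mechanically before a message reaches the finance team. The following Python script is an added example, not code from the original article or from any organisation it mentions; the company domain, the executive's name, the three sample messages, the homoglyph folding and the two-edit threshold are all constructed for illustration.

```python
"""Heuristic scan of raw e-mail for phishing and BEC indicators.
Added example for this page, not code from the original article. Standard
library only; the organisation data and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-corp.example"}   # hypothetical company domain
EXECUTIVES = {"priya sharma"}             # hypothetical CFO name that gets impersonated

# Lure vocabulary: BEC mails pair time pressure with a payment instruction.
URGENCY_WORDS = ("urgent", "immediately", "right away", "confidential", "asap")
PAYMENT_WORDS = ("wire", "transfer", "bank details", "new account", "invoice", "penalty")

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _fold_homoglyphs(domain: str) -> str:
    """Map common look-alike substitutions onto the letters they imitate."""
    return domain.replace("rn", "m").replace("0", "o").replace("1", "l")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when domain is untrusted but within two edits of a trusted one after folding."""
    if domain in trusted:
        return False
    folded = _fold_homoglyphs(domain)
    return any(edit_distance(folded, _fold_homoglyphs(t)) <= 2 for t in trusted)

def _body_text(msg) -> str:
    """Concatenate the text/plain parts (works for single-part and multipart mail)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def scan_message(raw: str, trusted=TRUSTED_DOMAINS, executives=EXECUTIVES) -> list:
    """Return the indicator names found in one raw RFC 5322 message, in check order."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    auth = msg.get("Authentication-Results", "").lower()
    found = []
    # 1. An executive's display name on mail that did not come from a trusted domain.
    if from_name.strip().lower() in executives and from_dom not in trusted:
        found.append("display_name_impersonation")
    # 2. Replies would be diverted away from the visible sender's domain.
    if reply_dom and reply_dom != from_dom:
        found.append("reply_to_mismatch")
    # 3. Sender domain is a typo-squat or homoglyph of a trusted domain.
    if is_lookalike(from_dom, trusted):
        found.append("lookalike_domain")
    # 4. Time pressure combined with a payment instruction.
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        found.append("urgent_payment_request")
    # 5. Claims a trusted domain but the receiving MTA recorded no DMARC pass,
    #    so the From header is spoofed or the domain's policy is not enforced.
    if from_dom in trusted and "dmarc=pass" not in auth:
        found.append("dmarc_not_passed")
    return found

# Constructed sample messages (not real mail). Header lines start at column 0.
SAMPLES = {
    "bec_lookalike": """\
From: "Priya Sharma" <priya.sharma@acme-c0rp.example>
Reply-To: cfo.desk@relay-mail.example
Subject: Urgent: wire transfer to new vendor account
Authentication-Results: mx.acme-corp.example; spf=pass smtp.mailfrom=acme-c0rp.example; dmarc=none

Please process the wire transfer immediately and keep this confidential.
""",
    "spoofed_header": """\
From: "Priya Sharma" <priya.sharma@acme-corp.example>
Subject: Invoice payment needed immediately
Authentication-Results: mx.acme-corp.example; spf=fail smtp.mailfrom=acme-corp.example; dmarc=fail

Please clear the attached invoice today.
""",
    "legitimate": """\
From: "Priya Sharma" <priya.sharma@acme-corp.example>
Subject: Q3 budget review notes
Authentication-Results: mx.acme-corp.example; spf=pass; dkim=pass; dmarc=pass header.from=acme-corp.example

Notes from today's review are attached. No action needed.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {scan_message(raw) or 'no indicators'}")
```

The three samples show why the checks are layered: the spoofed message fails only on authentication, the look-alike-domain message passes SPF for its own domain and is caught by the name, Reply-To and typo-squat checks, and a mail sent from a genuinely compromised account, as in this case, would trip none of the header checks at all. The scan is therefore a triage aid for the mailbox, not a substitute for the out-of-band call-back on every change of payee details.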
Case 5: Kolkata ATM Card Skimming and Social Engineering (2017)
Facts:
A gang fitted skimming devices to ATMs in Kolkata to copy card data. Because a cloned card is of little use without the PIN, and online use needs the OTP, they then telephoned the cardholders pretending to be bank representatives and, using that pretext, obtained their PINs and OTPs.
Legal Outcome:
Multiple arrests followed once victims reported unauthorised transactions. The court convicted the gang under several IPC sections and IT Act provisions, noting the combination of a physical device and social manipulation.
Significance:
Attackers combine technology and social manipulation: the skimmer supplies the card data, and the phone call supplies the secrets the skimmer cannot capture. A bank never asks a customer for a PIN or OTP, so the call is the point at which the fraud could have been stopped.
Case 6: Chennai Ransomware and Social Engineering Attack (2022)
Facts:
A Chennai hospital's systems were encrypted by ransomware after an employee was tricked into clicking a malicious link in a phishing email. The attackers demanded a ransom of ₹5 crore in cryptocurrency.
Legal Outcome:
The hospital paid part of the ransom, but police investigations helped trace the attackers across borders. Indian courts used the case to stress the importance of training employees against social engineering.
Significance:
Highlights how social engineering is often the initial access step of a ransomware attack: the phishing click is the entry point, and everything after it is technical. Defences therefore need both layers: user awareness, and controls that limit what one click can do (link and attachment filtering, least-privilege accounts, network segmentation and offline backups).
Summary of Key Points
Social engineering attacks exploit trust, fear, urgency and other emotions to bypass security controls.
Techniques range from phishing and vishing to pretexting and baiting.
Social engineering fraud can target individuals, employees, CEOs, and entire corporations.
Courts treat such cases seriously because they cause large financial losses and breach trust.
Training, awareness, and out-of-band verification protocols (for credentials, OTPs and payment instructions) are the critical defences.
Provisions of the IPC (now the Bharatiya Nyaya Sanhita) and the IT Act cover most social engineering frauds.