Using deceptive practices to strike the weakest point of your operations—you and your team—attackers gain unauthorized access to sensitive financial data.
Social engineering is a manipulation technique attackers use to exploit human psychology and trust. It differs from traditional hacking methods by bypassing technical barriers.
It poses substantial risks for private lenders, including unauthorized access to customer data, fraudulent transactions (e.g., scammers posing as borrowers or investors), reputational damage due to security breaches, and regulatory and legal consequences for mishandling sensitive financial information.
Common Social Engineering Tactics
Fraudsters use various methods to manipulate employees into disclosing sensitive information or executing unauthorized transactions.
In phishing schemes, attackers send fraudulent emails disguised as legitimate entities (e.g., a borrower, lender, or internal employee) to obtain login credentials or financial data.
For instance, an employee may receive a text message purportedly from a “trusted financial institution,” stating, “Urgent! Your loan application has been processed. Please click this link to confirm your bank details and finalize your approval” followed by a malicious link. The employee, trusting the source, clicks the link, which leads to a phishing website designed to steal their login credentials for internal systems.
Vishing (voice phishing) is similar to phishing, except scammers make phone calls, pretending to be clients, executives, or bank representatives, tricking employees into providing sensitive details.
Smishing (SMS phishing) involves attackers sending fraudulent messages via SMS, disguised as legitimate entities, to deceive employees into disclosing information.
A borrower might receive a smishing message congratulating them on loan approval. The message instructs them to reply with their Social Security number and date of birth to confirm their details and set up payment. The borrower succumbs to the ploy and provides sensitive information, which is subsequently used for fraudulent activities.
Pretexting is a tactic attackers use to establish trust. They fabricate scenarios, perhaps posing as IT support personnel, to request login credentials. A fraudster may contact a private lending company employee, impersonating a third-party verification service for an investor. They request verification of a borrower’s details prior to approving a loan, even though such verification is unnecessary. The employee, believing the request is legitimate, provides sensitive borrower information.
Fraudsters employ baiting tactics to entice employees into downloading malware disguised as legitimate software, USB drives, or fraudulent loan documents. An employee may receive an email with a subject line such as “Urgent: Loan Documents for Review” and containing an attachment with a malicious link disguised as a document. When the employee opens the attachment, malware is installed on the employee’s system, granting the attacker unauthorized access to sensitive data, including borrower applications.
Impersonation involves criminals physically or digitally impersonating customers, executives, or regulatory officials to deceive employees into compromising security. For instance, a fraudster may impersonate a borrower requesting a change of bank account details for loan disbursement. Using stolen personal information, they persuade the employee to update the payment details without proper verification, resulting in the funds being transferred to the attacker’s account rather than the borrower’s.
Another instance of impersonation involves a fraudster impersonating a company executive via email, urgently requesting the transfer of a substantial sum of money for a business transaction. The email is meticulously crafted to appear to originate from the CEO. The employee, without verifying the request, authorizes the wire transfer. Similarly, attackers may claim to be from the company’s IT department and request login credentials to “fix an issue” or implement a “security update.”
In private lending, fraudsters may impersonate third-party service providers (e.g., law firms, title companies, appraisal services) to request wire transfers or sensitive documents.
Impersonation has many variants, all involving fraudsters who exploit trust, urgency, fear, or authority to manipulate employees into disclosing sensitive information. In a private lending environment, they employ various tactics:
Tailgating and piggybacking are unauthorized access methods individuals employ to enter restricted office areas. For instance, an attacker may arrive at the company’s office and wait outside the secured entrance. They follow an employee into the building, claiming to have forgotten their access card and needing to meet with the loan processing team. The employee allows them into a restricted area containing sensitive financial documents and data.
Another example involves an attacker dressing as an office technician and following a colleague into a secure section of the building. Once inside, they attempt to access loan files or financial records that are left unattended.
Detecting Suspicious Activity
Remember, we’re all prone to falling for scam tactics, especially if they target our emotions. Your first line of defense is to learn how to spot red flags.
Suspicious Sender Address. Verify the email address’s authenticity. Alterations or discrepancies from the sender’s usual domain should raise suspicion.
Urgent or Unusual Requests. Be cautious of emails that pressure you to act promptly (e.g., “Send this wire transfer immediately, or we’ll lose the deal!”).
Generic or Unusual Greetings. Phishing emails frequently employ generic greetings like “Dear Customer” or “Dear Valued Employee” instead of your name. They may also incorporate unusual phrases or language. If a colleague’s greeting deviates from their customary style, it could be a potential indicator of a phishing attempt.
Unexpected Attachments or Links. Attachments may be labeled vaguely (e.g., invoice.pdf or urgent.docx) and lack relevance to your work. Links may also not correspond to the actual URL. Hover over links to see if they redirect to a different domain.
Poor Grammar or Formatting Errors. Legitimate lenders, investors, and executives typically maintain a professional tone. Phishing emails often contain poor grammar and formatting errors.
Mismatched Contact Information. The sender’s phone number or signature may not correspond to company records, or the reply-to address may differ from the sender’s displayed email address.
Requests to Bypass Security Protocols. Emails may instruct you to disable multifactor authentication (MFA), override internal controls, or modify bank details without proper verification.
Refusal to Provide Verification. They avoid answering identity verification questions or claim they “don’t have time” for security steps.
Unmonitored Devices. Be aware of individuals who insist on using unmonitored devices without proper authorization.
Protecting Against Attacks
Verification can protect you from most attacks. To ensure the identity of a borrower, investor, or third party before sharing information, follow these best practices:
Use Multistep Authentication. Add an extra layer of security by requiring multiple forms of verification (e.g., a code sent to a registered phone number or a password entered through a secure portal).
Verify Details Known Only to the Genuine Borrower or Investor. Ask for details such as their loan number or application ID, the last four digits of their Social Security number (SSN) or tax identification number (TIN), their registered email address or phone number, and recent transaction details.
Verify Phone Calls. Don’t rely solely on caller ID. Scammers can spoof numbers. Hang up and call back using an official number from company records.
Verify Emails. Check for misspelled domains or unusual formatting (e.g., @privatelend1ng.com instead of @privatelending.com). Avoid clicking links or opening attachments without verifying the sender’s email address.
Use Secure Communication Channels. Never share sensitive data over unsecured emails, texts, or phone calls without proper verification. Instead, direct clients to log into their secure online portal to access documents or make changes.
Confirm Requests via a Separate Channel. If an investor, borrower, or partner requests sensitive information or a transaction change, verify their request using an independent contact method (e.g., calling a known number instead of the one provided in the request). Cross-check the request with internal records or a second employee.
Follow Security Protocols
If someone pressures you to share confidential data, follow a structured response to prevent a potential security breach. In addition to resisting the urge to act quickly and verifying the person’s identity using a separate channel, check company records to confirm the validity of the request.
Refer to your company’s security guidelines on handling requests for sensitive data. If you’re unsure, escalate the request to a manager, IT, or security team for verification. Do not make exceptions to standard security procedures, even if the request appears legitimate.
Do not share credentials or bypass security steps. Fraudsters may attempt to obtain passwords or other authentication information. Always maintain multifactor authentication (MFA) and adhere to company-provided security measures. Never share your password, PIN, or other sensitive access information with anyone, even if they claim to be from IT or a higher-up.
Report any suspicious requests to your supervisor, security, or IT team immediately. Document the incident and provide details such as the phone number, email address, and content of the request. If the request was made via email or phone, flag it for investigation and possible follow-up with law enforcement.
Trust your instincts if something doesn’t feel right. It’s better to be cautious than to risk compromising sensitive information.
Information Security Guidelines
In a private lending company, employees must be extremely cautious when sharing information. Fraudsters often pose as borrowers, investors, or colleagues to extract sensitive data.
Information you can share, with proper verification:
Non-sensitive, publicly available information, when necessary
General company details (e.g., office hours, publicly available services)
Basic loan application process information (but never personal borrower details)
Investor relations contact information (if publicly listed)
Company policies (if they are not internal or proprietary)
Information you should never share without verification:
Personal borrower information (e.g., SSN, credit reports, loan balances, payment history)
Bank account details (yours or a client’s)
Wire transfer or payment instructions (always verify requests independently)
Login credentials or authentication codes (even IT should never ask for this)
Internal financial documents (e.g., loan agreements, underwriting reports, investor agreements)
Employee details (e.g., direct phone numbers, home addresses, personal emails)
Access Control and Data Protection Guidelines
The following are some of the best practices to ensure data protection:
Use strong, unique passwords. Create strong, complex passwords that are at least 12-16 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using common phrases or personal information that can be easily guessed. Never reuse passwords across different accounts or services, especially between personal and work-related accounts.
Enable multifactor authentication (MFA) on all work-related accounts, including email, loan management systems, and other internal platforms. MFA adds an additional layer of protection by requiring a second form of verification, such as a one-time passcode sent via text or an authentication app, in addition to your password. Consider using an authentication app like Google Authenticator or Authy instead of SMS for enhanced security.
Avoid sharing your credentials with anyone, including colleagues, IT support, or supervisors.
Safely handling loan applications and borrower details is paramount to maintaining client trust and adhering to privacy laws.
Here are some measures to protect sensitive information:
Use secure systems for storing and transmitting data. Ensure that loan applications and borrower information are stored in encrypted systems that conform to industry standards (e.g., PCI DSS, GDPR).
Do not store sensitive information on unprotected devices like personal computers, USB drives, or emails. Instead, use secure file-sharing platforms like encrypted cloud storage or company-approved apps when transmitting documents or data.
Implement role-based access controls (RBAC) to restrict access to specific borrower details or loan applications to authorized employees only. Regularly review and update access permissions to ensure that only those who need access to sensitive data have it.
Enable multifactor authentication (MFA) on any system or application that houses loan or borrower information to add an extra layer of security. MFA should be mandatory for accessing sensitive documents or performing actions like approving loans or transferring funds.
Avoid sharing sensitive borrower details via unencrypted email or using unsecured communication channels like text messages or social media. Never discuss borrower details over the phone unless it’s done in a secure, verified manner.
When dealing with paper documents containing personal borrower data, shred them or securely delete them when no longer needed. If you must store paper documents, ensure they are locked in a secure area with restricted access.
Be cautious of third-party access to borrower data, especially if third-party vendors or service providers are involved (e.g., appraisers, title companies). Verify they have the necessary security measures in place and sign data protection agreements. Periodically audit third-party access to ensure compliance with your company’s security protocols.
Stay updated with the latest data protection regulations, such as the Gramm-Leach-Bliley Act for financial institutions, and ensure your company complies with them. Regularly review and update your security policies to maintain the highest level of protection.
Additionally, here are some key best practices for managing financial transactions to prevent fraud:
Verify transaction details thoroughly before processing. Always double-check recipient information, amounts, and payment instructions. Ensure that wire transfer requests and loan disbursements are properly verified through a second communication method (e.g., phone call to the borrower or investor) to confirm the transaction’s legitimacy.
Utilize secure payment systems and financial platforms that comply with industry standards for secure transactions (e.g., ACH, SWIFT). Implement two-factor authentication for online transactions to enhance security.
Establish transaction limits and flags for loan disbursements or payments that require extra verification for larger amounts. Implement automatic fraud detection systems that flag unusual transactions (e.g., out-of-pattern payments or changes to bank details).
For larger payments or wire transfers, require dual approval from two different employees to ensure no single person can authorize high-risk transactions independently. This step serves as a safeguard against internal fraud and mistakes.
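The four transaction controls just described (independent confirmation over a second channel, flagging changed bank details, flagging out-of-pattern amounts, and dual approval above a limit) can be expressed as one rule set that a disbursement has to clear before release. This is an added example, not the article's or any vendor's code; the threshold, the out-of-pattern factor and the sample loan records are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import median

# Policy values are assumptions for this example; the article sets no figures.
DUAL_APPROVAL_THRESHOLD = 50_000   # wires at or above this need two approvers
OUT_OF_PATTERN_FACTOR = 3          # flag amounts above 3x the loan's median prior payout

# Constructed records: bank details on file and prior disbursements per loan.
ACCOUNTS_ON_FILE = {"LN-1001": "ACCT-111", "LN-1002": "ACCT-222"}
PRIOR_DISBURSEMENTS = {"LN-1001": [12_000, 11_500, 12_250], "LN-1002": [55_000, 58_000]}

@dataclass
class Disbursement:
    loan_id: str
    amount: float
    dest_account: str          # where the funds are to be sent
    requested_by: str          # employee who keyed the request
    callback_verified: bool    # borrower/investor confirmed via a number from company records
    approvals: list = field(default_factory=list)  # employee ids who signed off

def control_checks(req):
    """Return the reasons a disbursement must be held; an empty list means it may be released."""
    holds = []
    on_file = ACCOUNTS_ON_FILE.get(req.loan_id)
    if on_file is None:
        holds.append("no loan on file with this id")
    elif req.dest_account != on_file:
        # A changed destination is the payoff of the impersonation scenario; never auto-release.
        holds.append("destination account differs from bank details on file")
    if not req.callback_verified:
        holds.append("not confirmed with borrower/investor over a separate channel")
    history = PRIOR_DISBURSEMENTS.get(req.loan_id, [])
    if history and req.amount > OUT_OF_PATTERN_FACTOR * median(history):
        holds.append("amount out of pattern for this loan")
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        # Two distinct approvers, neither of whom keyed the request.
        approvers = {a for a in req.approvals if a != req.requested_by}
        if len(approvers) < 2:
            holds.append("dual approval by two employees other than the requester required")
    return holds

if __name__ == "__main__":
    # A request with changed bank details, no callback, an unusual amount and one approver.
    req = Disbursement("LN-1001", 75_000, "ACCT-999", "emp-a", False, ["emp-a", "emp-b"])
    for reason in control_checks(req):
        print("HOLD:", reason)
```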
Implement robust anti-money laundering (AML) practices to effectively combat money laundering activities.
Conduct regular Know Your Customer (KYC) checks to verify the legitimacy of borrowers and investors. Implement AML monitoring systems to track transactions and flag any suspicious activities that may indicate money laundering or fraud.
Regularly audit all financial transactions to ensure compliance with internal policies and regulatory requirements. Monitor transaction logs closely for any discrepancies or signs of manipulation. Periodically reconcile accounts to detect unauthorized withdrawals, deposits, or transactions.
Provide employees with comprehensive training on fraud prevention, including recognizing fraudulent transactions, suspicious payment requests, and common tactics like social engineering. Emphasize the importance of adhering to standard procedures when processing financial transactions.
Establish clear, written procedures for handling loan applications, disbursements, and other financial transactions to maintain consistency and accountability. Ensure that all employees are well-informed and adhere to these protocols, particularly when verifying payment details and confirming changes.
Monitor for breaches or unauthorized access by implementing real-time monitoring systems that alert security teams if someone attempts unauthorized access or downloads borrower data. Regularly audit and log access to loan application data for any suspicious activities.
If you suspect you have been targeted, besides verification and using multifactor authentication, here are several additional steps to take.
Stop all communication with the suspected scammer, regardless of the medium. Refrain from responding to emails or phone calls from suspicious sources to prevent further manipulation or fraud.
Report the incident to the appropriate authorities or internal security team.
Change your compromised login credentials (e.g., email, internal systems, or banking accounts).
Be prepared to share any evidence you have of the scam. Document the incident by writing down a detailed account, including any emails, phone numbers, or documents involved. If you received fraudulent emails or attachments, save the originals so your security team can investigate.
Monitor your accounts for unusual transactions or changes to account information.
Contact your bank or payment processor to freeze accounts or take additional security measures.
Cooperate with your IT and security teams to understand how the breach occurred and how to prevent future incidents.
If the incident involves significant fraud, especially with financial transactions or sensitive customer data, report the breach to the appropriate legal authorities or regulatory bodies.
After the incident is resolved, review the company’s security policies to ensure you and your colleagues are updated on best practices for recognizing and responding to social engineering threats. Conduct additional training if necessary.
Incident Reporting Chain Guidelines
Reporting suspicious activity promptly is essential to safeguard the company from security breaches, financial fraud, and reputational damage.
The first point of contact for reporting suspicious activity is your immediate supervisor or manager. They can assess the situation, determine if further action is required, and escalate the issue to the appropriate departments.
If suspicious activity involves compromised systems, phishing attempts, or unauthorized access to company data, report it to your IT or cybersecurity team. They possess the expertise and tools to investigate potential breaches, secure systems, and mitigate risks. Additionally, they should be notified if there are signs of malware, unusual network traffic, or compromised devices.
For incidents related to regulatory violations, fraud, or potential money laundering, notify the compliance or risk management team. They ensure compliance with legal and regulatory protocols and collaborate with external regulators.
If there’s a possibility of legal consequences or if you believe sensitive data has been breached, escalate the issue to the legal department. They handle the legal implications of the breach, including potential lawsuits, data breach notifications, and regulatory penalties.
If you suspect an employee is involved in suspicious activity, involve HR to assist in conducting internal investigations, interviewing employees, and ensuring compliance with company policies.
Many companies provide dedicated reporting channels or systems (e.g., a secure hotline or incident-reporting portal) for individuals who wish to report suspicious activity anonymously.
Remember, it’s essential to report any suspicious activity promptly. Even if you’re uncertain about the appropriate reporting mechanism, it’s better to err on the side of caution.
In private lending, trust is currency—and social engineering attacks aim to exploit it. By fostering a culture of skepticism, implementing layered security measures, and prioritizing continuous training, organizations can protect their assets, clients, and reputation. Remember, verification is your strongest defense.