Social engineering, in simplest terms, is the art of manipulating people and taking advantage of unearned trust in other people. Social engineering is not a new thing either. It’s been around as long as there have been people. You may have heard of one of the most famous social engineers of recent times; they made a movie about him. His name is Frank Abagnale and the movie is Catch Me If You Can. If you’re not familiar, Mr. Abagnale impersonated an airline pilot, a doctor, and a lawyer, and wrote more than two million dollars in fraudulent checks, all before being arrested at age 21! Once released from prison, he was offered a job with the FBI, which he accepted.
So, what does this have to do with cybersecurity then? A lot, actually. One thing social engineering does is adapt quickly to new technology. As soon as something new comes out, there are people out there trying to figure out how to take advantage of it and make it work for their benefit. The boom in information technology of the last several decades has proven to be a breeding ground for social engineering scams. Traditionally, social engineering was done face-to-face by skilled con artists. With the introduction of telephones and computers, scams can now be done remotely. You’ve probably experienced one of the most common ones yourself: phishing emails. Phishing is common and prolific for a number of reasons: it’s easy to do, it’s easy to get away with, a phisher can instantly send thousands of phishing emails, and the biggest reason is that it works. There are actually many types of phishing, but phishing isn’t the only type of social engineering either.
Some other common social engineering techniques are pretexting, malware, and tailgating. Pretexting involves impersonating someone and building a credible story which is used to establish trust. This is a tactic that Frank Abagnale used. Malware can use social engineering to trick computer users into performing some act, for example a fake virus alert that prompts you to pay for removal. Ironically, this will likely install a real virus whether you pay or not. Also, don’t ever pay in a situation like this. Tailgating is attempting to gain physical entry into a secured building by following someone who is authorized. A tailgater might follow a legitimate employee up to their building while carrying a large box and ask to be let in because they can’t reach their access badge. Don’t do this either. Sometimes you have to be the bad guy and say no. There are lots of other social engineering techniques; you can check them out here.
Still not convinced of the dangers of social engineering? Watch this video!
YouTube.com – Hacking challenge at DEFCON
Allow me to share a real-life, personal example. Yes, this happened in 2020… Earlier this year, I had to pick up my daughter from college for Spring Break—the school announced its closure due to the coronavirus four days later. Right around the same time my daughter mentioned that she received an email from a friend about a summer job opportunity. I didn’t really think anything of it other than I was glad she would have something to do over the summer other than be in full-on vacation mode. Details of the job started to come in gradually. She was to be a remote assistant for an advertising executive based out of London. Coincidentally, or maybe not, this person had the same last name as us. Keep in mind that, as I describe this, it’s easy to spot the red flags because you already know this is a scam, but as it unfolded over a two-month period it was never immediately apparent, until it was too late. Her “job” involved receiving a list of activities and events for which she was to send reminders in the form of text messages or emails. I remember thinking that was weird but wasn’t cause for alarm. I mean, I just use my calendar to set reminders for myself, but I know not everyone is completely comfortable with or trusting of technology. This went on for a while and, in the meantime, they were trying to work out the details of paying my daughter from the company in England. At first, I thought to myself, “yeah, it’s going to take a bit to work that out.” Then my daughter mentioned it a few weeks later: still an issue. Wait a minute. My wife helped her craft an email to help get things sorted out. In response, the “company” asked my daughter to install an app on her phone to receive the payment. I don’t recall the app name, but it wasn’t one I had heard of before. She was unsure and didn’t think she should install it, so she asked me. I said no way! She got back with the “company” and insisted on a paper check, which they did in fact send. So, everything seemed OK then.
This next part hurts to write. A few weeks later, she had me take her to the grocery store. She bought two gift cards, at $500 each, which she was to send to two “clients” located here in the States. Hmm, this seemed odd to me. When I asked my daughter about it, she had the whole story that her boss had fed her, which seemed sort of legitimate at the time. A few more weeks go by and I find out that my daughter still wasn’t being paid. Wait, I thought that was all worked out. It turned out that the check she was sent was bad. Oh boy. And then I found out she had used her own personal funds to pay for the $1K in gift cards. Obviously, that money hadn’t been reimbursed. At this point I sat her down and we went over everything, starting back at the beginning. Looking at it collectively, I saw the red flags everywhere. Not surprisingly, the “company” and her “boss” were no longer responsive to emails or texts. She had asked too many questions about being paid, I guess. We called the bank to report it and went to the Sheriff’s office to report it with them too. The investigator we spoke to said that it was one of the most elaborate schemes they had ever seen. To date, the money hasn’t been recovered, nor is it likely that it will be.
What were the red flags that I found?
– The initial email was obviously spoofed and was set up with a different reply-to address. A check with her friend confirmed that he didn’t send it.
– The advertising executive never wrote from a corporate email; he always used a Gmail address.
– Not a red flag, but I didn’t mention earlier that her “boss” had provided a LinkedIn profile. This is where the scammer built his assumed persona. This was a real person working at a real advertising firm in London.
– The fraudulent paycheck. It came from a chiropractic office in South Carolina and had obvious misspellings.
– She was never paid for any of her work.
– The unknown payment app the “company” wanted her to install on her phone.
– The gift card ordeal. She never actually mailed them to anyone; she took pictures of the backs of the cards and texted them to the “company”, which more than likely cashed them out.
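Several of the red flags above are visible in the email itself before anyone replies: a Reply-To address that does not match the From address, a supposed company contact writing from a consumer webmail account, and requests involving gift cards or installing an unfamiliar payment app. The following is an added example, not code from the original post, showing how those three checks can be run over a raw message with Python's standard `email` module. The sample messages, the freemail domain list and the phrase list are constructed for illustration.

```python
"""Email red-flag checks modelled on the list above (added example, not the post's own code)."""
from email import message_from_string
from email.utils import parseaddr

# Consumer webmail domains; a "corporate" contact writing from one of these is a red flag.
# Constructed, illustrative list, not exhaustive.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Phrases typical of job/payment scams, matched case-insensitively in the message body.
# Constructed for this example; tune to your own incident history.
SUSPICIOUS_PHRASES = ("gift card", "install the app", "install this app", "send me the codes")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def plain_text_body(msg):
    """Concatenate all text/plain parts of a message (handles single-part and multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def red_flags(raw_message, claims_corporate=False):
    """Return a list of red-flag descriptions found in a raw RFC 5322 message.

    claims_corporate: set True when the sender presents themselves as writing
    on behalf of a company, so a freemail From domain becomes suspicious.
    """
    msg = message_from_string(raw_message)
    flags = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    # Red flag 1: replies are steered to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to domain '{reply_domain}' differs from from domain '{from_domain}'")

    # Red flag 2: a claimed company representative writes from consumer webmail.
    if claims_corporate and from_domain in FREEMAIL_DOMAINS:
        flags.append(f"claimed company contact writes from free webmail ({from_domain})")

    # Red flag 3: the body asks for gift cards, an unknown app install, or card codes.
    body = plain_text_body(msg).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in body:
            flags.append(f"body mentions '{phrase}'")

    return flags


# Constructed sample: the "friend" email with a mismatched Reply-To.
SAMPLE_INTRO = """From: "A. Friend" <friend@example.edu>
Reply-To: summer-jobs@example-jobs.net
To: student@example.edu
Subject: Summer job opportunity
Content-Type: text/plain; charset=utf-8

Hi! A London ad exec is hiring a remote assistant. Reply to this message to apply.
"""

# Constructed sample: the "boss" writing from webmail and asking for gift cards.
SAMPLE_BOSS = """From: "Ad Executive" <adexec.london@gmail.com>
To: student@example.edu
Subject: Client gifts
Content-Type: text/plain; charset=utf-8

Please purchase two $500 gift cards for our clients and text me a photo of the back of each.
"""

if __name__ == "__main__":
    for label, raw, corporate in (("intro", SAMPLE_INTRO, False), ("boss", SAMPLE_BOSS, True)):
        print(label, red_flags(raw, claims_corporate=corporate))
```

None of these checks is conclusive on its own (a legitimate mailing list sets a different Reply-To, and plenty of small businesses use Gmail), which is why the post's advice to keep asking questions matters: the checks surface items to question, and two or more together are a strong signal.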
Education and awareness are key to countering social engineering. Knowing the signs to look for is important (I know a lot of them), but asking lots of questions can be equally important. Have a chat with your family so they know what to look for too. You never know when they might need it. A determined and experienced social engineer may be able to fool most people, but if we remain diligent we can start to spot those red flags.