So you think you can't be fooled?

An essay on social engineering

I am writing this because the spotlight on information security incidents seems to be pointed almost exclusively at the big players, the multinational corporations and the like. We have all heard about the big incidents, seen their consequences reported and seen the effect they had on the public; that kind of content easily reaches the front pages of newspapers.

What I have seen over the years, however, is that the smaller incidents, the ones that do not make the headlines (but are not necessarily any less frequent for being less talked about), happen to individuals. It is the receptionist who is taken advantage of. It is the accountant who falls for the trick. It is your wife or a family member who gets the unexpected call from the bank with the dire news that the credit card has been maxed out, when you know you have not used it in months. These things, and many others, happen one person at a time.

Therefore I believe that any real solution to this problem has to start at the level of the individual.

Social engineering is, at its core, the psychological manipulation of people into performing actions (like transferring money to a bank account) or sharing confidential information (like a company's marketing strategy). It is the con man's old ruse, updated to take advantage of you and of your privileged access to, or knowledge of, information. I believe it deserves far more attention than it gets: it is easier and easier to impersonate someone and lead well-meaning people into fraudulent situations, sometimes costing them their jobs. To make matters worse, people think they cannot be fooled and that it only happens to someone else. It really does not.

Hacking the Human

As Kevin Mitnick famously said, "Social engineers veil themselves in a cloak of believability". It is all about making it look real.

Let me tell you the story of "Carlos". This Argentinian made his way into a high-security bank vault in Antwerp and walked away with about €21m in diamonds, and he did it by posing as a successful businessman. Carlos visited the bank frequently, befriended the staff and gradually won their confidence. He even brought them chocolates! The authorities later found that Carlos had been identifying himself with a passport stolen in Israel years before. The interesting part is that no weapons were used, no aggression was employed and no violence was needed. It all worked thanks to one thing, his charm, against a security system valued at €1m. It seemed real.

This one made the newspapers. Many other stories do not.

Let me now tell you the story of Julian. Julian was a colleague of mine in a previous job, a very nice and uplifting bartender, well educated and one of the strongest professionals I have ever worked with. Julian wanted to go to Amsterdam, so he went online to the room-rental websites that he saw offered the cheapest prices. After many emails with landlords, he chose his favorite room, owned by Sarah, and received from her the bank account details for paying the initial rent. Since he would only travel later that month, he did not pay right away. However, Sarah pressured him, saying she could not reserve the room unless he paid the full amount as soon as possible, which he promptly did. He traveled to Amsterdam and arrived at the address given on the website and in the emails exchanged with Sarah. To his surprise, he was standing in front of a lawyer's office in the city center. It was not even a residential area. He wanted to call Sarah and realized that no phone number had ever been shared. Only then did the small warning signs, the red flags in his mind, start to surface:

  • there was no way to establish direct contact with Sarah;

  • she was being quite pressing and creating urgency in making sure the money was sent as soon as possible;

  • the bank account given was from the UK, though the room was in Amsterdam;

  • the somewhat legitimate-looking, yet typo-ridden, contract she asked him to sign for the few days he would use the room…

The list went on and on. As he shared this with me, his disappointment in himself was immense; he could not believe he had missed all the signs. He added that he had immediately called his bank to try to stop the transaction, but his bank could not help, as the money had already been sent. So he called the UK bank, but they could not help either, as he was not their client. Finally he informed the police, who told him there was nothing they could do, that these situations were quite common and that they often led nowhere.

Sarah was gone, Julian had lost his money and had no room. All because it seemed real.

Looks can be deceiving, but something can be done about it.

Security through education

If the problem resides at the level of the individual then so does the solution. And the solution is education.

Education leads to awareness, and awareness leads to recognition. Awareness is what separates recognizing a potential threat, such as social engineering, from being ignorant of it. It is that ignorance that allows exploitation to take place, social engineering incidents to happen, and loss or damage to occur. In other words, the ability to see social engineering for what it is comes from, and after, the awareness that education provides.

From big corporations to small home offices, it is the individual who falls for the latest scheme. It is the tired yet committed employee who clicks the link he should not have. You can and will be fooled unless you educate yourself to the point where you can recognize that you are being fooled.

So I urge you to get informed and stay informed. Information on this subject is abundant on the internet; use it. Ask yourself whether you can answer questions like these: how do social engineers go about their work? What exactly do they do? Which tricks are being employed? Would you recognize them? What are the current trends? If you cannot answer these questions quickly and in detail, that is alright. Recognizing that is already a good step forward, and the next one is to keep educating yourself.

Security is everybody's business, yours too, professionally and personally. Know that you can be fooled and prepare yourself for it, so that the chances are you won't be.

Thank you for reading. If you enjoyed this post, spread the message by sharing it and join the discussion by commenting. And let me know how you keep yourself educated in these fast-paced, ever-changing times.

Nelson Marques

Digital security professional & educator. A concerned citizen that believes in creating secure cultures by enabling people. Self-proclaimed coffee expert.

https://nelsonmarques.com