IT IQ: A Social Engineering Story


[Image: graffiti comic of a man jumping the Berlin Wall]

When pondering the term Social Engineering, my focus is solidly placed on “Social.” These are human, not technical, attacks. Social Engineers are first and foremost masters of manipulating the social interaction. They identify potential targets, size them up in the first few seconds of conversation, and then launch the attack. A crisis situation is presented, and the assault usually proceeds with dizzying, intentional speed, so that the victim has no time to think, much less to verify what they are being told. Victims are quite simply caught off guard. If the first thrust succeeds, follow-on attacks are launched.

These attackers often do a little homework to prepare. They identify a target audience, usually a vulnerable group such as the elderly. A crisis scenario is developed that preys on the psychology of the target. Any background information the attacker can gather increases the odds of success, because it makes the crisis scenario seem more authentic.

And by the way, I am not necessarily talking about the sophisticated professional villain. Many successful attacks are authored by rubes who strive for quantity, relying on the law of averages to give them at least one hit. A few successes may be all it takes to make a Social Engineer successful in the “profession.”

Today I present a case in point that illustrates a typical attack. A neighbor of mine in his mid-eighties got a call from someone who had easily found his landline number (yes, you read that right). The caller claimed to be a police officer in Las Vegas and said that the neighbor’s grandson had been arrested for some indiscretion and needed bail money to get sprung from jail quickly. The neighbor, reasonably upset by the news, asked simply “Which grandson?”, and the response was “The older one.” The caller gave wiring instructions and then ended the call with the caveat: “Your grandson asked that you not mention this to anyone, including his parents, because he is really humiliated. He said you were the only one he could go to for help.”

The real story behind the story, of course, is that my neighbor, who had been feeling old and irrelevant, was instantly cast in the role of the hero, handed a rare opportunity to swoop in and save his grandson from ruin. That was the psychology behind the crisis scenario. The Social Engineer called it with 100% accuracy, and my neighbor fell for it. He transferred the money to an account in Las Vegas without even asking the caller to confirm the grandson’s actual name.

It worked so well that a few hours later the attack continued. Another call came through, this time from a purported “lawyer” who claimed to represent the grandson and his friend, and who explained that the situation was “even worse than had been previously described”: the charges were being escalated to something felonious. So of course the lawyer’s retainer would have to be sent immediately, so that work could begin without delay to keep the situation from getting more difficult.

Attackers know how to be flexible with their story in order to keep the attack going. So when my neighbor said he didn’t have the requested retainer sum, the lawyer explained that this was not a problem: the grandson’s partner in crime was from a wealthy family, and they would pay the retainer. But because the family did not want to be directly identified, they would first deposit the retainer funds into my neighbor’s account and, once he had verified the deposit, my neighbor was to pay the lawyer directly. All the family required of him was his social security number and bank account number, which, the lawyer explained, was completely logical since they were “trusting” him with their payment of the retainer. Yes, he fell for it and gave the information.

Now the attackers had far more than the first payment of easy cash sent to Las Vegas. They had the victim’s confidential financial information, handed over by the victim himself! In the hands of a Social Engineering attacker, such information can readily be leveraged into more information and more cash.

When my neighbor called the bank to verify the transfer, lo and behold, the new money had been deposited into his checking account! How could this all be a fake when money was flowing to him? What he didn’t think to check were his linked accounts, such as savings and retirement. Using the account information my neighbor had provided, the thieves had simply phoned the bank and requested a transfer between his own accounts, spoofing my neighbor’s telephone number so that it appeared on the bank agent’s caller ID display. Caller ID is trivially spoofed and should never be treated as proof of who is calling, yet the bank accepted it, together with the account and social security numbers, as sufficient identification. Moving funds between a customer’s own accounts is usually subject to far less scrutiny than moving them out of the bank. My neighbor then promptly transferred the “retainer” amount, in reality his own cash, to another Las Vegas account.

Again, the attack continued. The “attorney” called once more to say that the case had become more complicated and a higher retainer was required. Only then did my neighbor start to feel a little suspicious, and he finally called a family member to share the situation. End of story: my neighbor was bilked of thousands of dollars and felt too humiliated to talk much about it.

It is critical that we share news of these incidents to raise awareness of the power of a good story and a compelling storyteller. These attacks succeed in part because victims are too embarrassed to talk about their experience. And it can happen to anyone, individuals and businesses alike, given the right story, particularly when it is backed by the background information we all too readily give away in our social media posts. The simplest defense is also the one the attackers work hardest to prevent: hang up and call the person supposedly in trouble, or another family member, at a number you already know. When thinking about your online security, it is critical to understand the people factor and to spread awareness of how powerful and successful Social Engineering attacks can be.