Social Engineering Lessons from an Oneonta Grandmother
Cybercriminals use nasty tricks to gain the confidence of their victims. They often use trust to fool users into providing their passwords or downloading malicious software. We’ve recently seen this happen with local Otsego county residents. First, let’s take a look at what social engineering is.
New Phone Scam Targeting Grandparents in Oneonta
Recently, Otsego County elderly residents have been the target of phone scams. The scammers call elderly people claiming to be relatives in need of assistance. As with social engineering attacks, in this instance the caller first gained the trust of the victim by pretending to be her grandson who needed help.
Once the scammer created a sense of urgency and gained her confidence, they switched to a person of authority (a lawyer) who could help her grandson. Next came the solution to solve the problem, a request for money to help her ‘grandson’ get out of jail. Fortunately the resident forwarded the information to her daughter who asked the scammer a few more questions (which he couldn’t answer) and the caller hung up once they realized they were caught.
Unfortunately another local resident wasn’t so lucky, falling for the scam and sending $20,000 to who she believed was a relative in trouble.
What are Social Engineering Attacks?
Social engineering attacks are designed to use psychological manipulation to trick people into breaking protocol and expose their information. This results in the transmission of information such as passwords, financial information and other personal information. Sometimes the goal of the attack is to convince the victim to download malicious files like ransomware. Social engineering is effective because it uses people’s natural curiosity, naivete, or FOMO (fear of missing out) against them.
Why is Social Engineering so Difficult to Prevent?
Social engineering attacks are difficult to prevent because they don’t rely on exploiting outdated software or obsolete hardware; vulnerable technology can be patched, updated, replaced or isolated. For example, if you invest in Managed IT Services, we would keep your technology up-to-date with the latest security patches and protections. Social engineering is dangerous because it takes advantage of the one thing your IT department can’t predict or directly control: human error.
Some Tactics Social Engineering Attackers Use
Scareware: With scareware the victims are targeted with an email, popups on web pages, and other attention-getting notices, designed to scare the victim into taking action. An example of this would be an email saying your computer is ‘infected’ and you must download software to ‘clean’ your computer or smartphone of viruses that were detected. In reality, the download is in fact the virus.
Phishing: Phishing is a popular form of social engineering attack. A phishing campaign’s goal is to instill a sense of fear, urgency or curiosity in their intended target. An example of a phishing attack would be an email from a ‘credit card’ company saying that your account is compromised and to please click on this link to verify your information (passwords, billing address, account number, etc.). The link will take you to a fake website which will record your credentials and steal your account.
Spear Phishing: A more ‘professional’ form of phishing, spear phishing cultivates the victim’s trust by personalizing their attacks to each specific victim. Unlike the generic materials from phishing, spear phishing materials are virtually indistinguishable from legitimate communications. This is the technique used to acquire sensitive information such as passwords from high level professionals, who may be more savvy and have more protections in place.
Baiting: Attackers leave ‘bait’ and rely on a person’s curiosity to deliver the infected materials to their network. Examples of bait could be an abandoned USB drive in your office’s parking lot or common area. It may have markings which make it look ‘important’. An employee finds the USB drive and perhaps leaves it with human resources, who then plugs it in their work computer to examine it. Once the USB is plugged in, the malware is delivered.
Pretext: The attackers gain the trust of the victims using the pretext of being a person of authority (lawyer, police, tax officials) who need information. They will send an email requesting information such as social security numbers, a stolen password, date of birth, mother’s maiden name, and other pieces of personal information. This information can be used for identity theft or as part of an overall spear phishing attempt to reach other C-level executives by adding accurate personal information into the phishing email.
Social Engineering Attacks Aren’t New
When people think about being hacked they always seem to envision someone in a hoodie, surrounded by computers, using their hacking skills to break into your computer. The reality is most cyberattacks occur due to users being fooled, often by their own curiosity or naivete, into revealing their personal information or exposing their network.
One thing to consider is that while social engineering attacks seem like a new paradigm, the techniques they use to fool victims is nothing new. What we now call social engineering was known as confidence scams before the digital age came into view. Confidence men (con men) used a variety of tactics to gain trust with the goal to defraud them, the same tactics social engineers use today.
As with today’s social engineering, con men take advantage of their victim’s naivete, compassion, irresponsibility and even greed to convince their victims to trust them and share sensitive information. As many of today’s cons use the phone to contact their victims, more often than not the elderly are the preferred targets of traditional confidence schemes.
Confidence schemes are similar to modern social engineering tactics in a few ways. Let’s break down the attempt that happened locally:
- A sense of urgency - (act now to help your grandson).
- A request for more personal information - This allows them to answer questions when the target seeks verification.
- A claim of authority - I am a lawyer.
- A way to solve the problem which required something of value (in this case it was money, in the case of social engineering it may be passwords).
Take a Pause
Whether it is a con or social engineering, time is your ally. Whenever you receive a call or an email demanding you immediately disclose sensitive information, it’s ok to take a pause. Take a minute and consider the request they are asking for and try to find ways to verify it. If it is a request for your password, contact your IT department and in the case of a spam caller, place them on hold and contact a relative to help verify the situation. Scammers rely on urgency to stop your critical thinking and push you into a purely emotional state, because it’s easier to manipulate you.
“I came so close — I had my savings book out on the table.” the victim of this phone scam said. Imagine if she was on a computer and all she had to do was click a button to transfer the funds; she would have lost thousands of dollars. Once you realize how easy it is to be scammed whether it’s on the phone or online, you recognize how critical it is your team is trained to recognize social engineering attacks and to ask questions.
The Final Lesson: Communication Is Key
This is why it’s important that the IT department develops a rapport with the rest of the team. When there’s mutual respect, your team won’t worry about asking a ‘silly question’ or clicking on a link to avoid contacting the IT department out of fear of ‘looking stupid’. When your IT department shares their knowledge and keeps your team in-the-know, there will be less chance for them to make a mistake out of ignorance or fear.
Now is the time to consider reviewing your security protocols, how your IT department communicates with your team and invest the resources needed to protect your data. When you ensure your network security is at the appropriate level, not only do you protect your business, you remain competitive. One thing is for certain, if your data is compromised regardless of the reason, you will lose clients, the real question is whether or not the clients will return.
For network security solutions including backup and disaster recovery, web filtering and firewall and even a Virtual CIO (vCIO), Directive has the solution to keep your business and your team operating at top-level performance. Call 607.433.2200 today to schedule an appointment.