Social Engineering: How You are the Hacker’s Greatest Tool, and What You Can do to Prevent It
By Evidence Solutions, Inc.
Computer Technology and Digital Forensic Firm
Let’s define the term “Social Engineering”. Simply put, it is the art of manipulating people into doing something, like divulging confidential information or performing actions that would expose information, and making them feel good about doing it, i.e. they “solved” a problem or helped someone, etc. This allows the hacker to obtain information in a non-threatening manner.
Let us now explore some examples of how easy it is for a hacker to use social engineering to obtain confidential or sensitive information.
There are several examples where social engineering can be used for personal gain, other than divulging information. One very common example that is employed by many people on a frequent basis: paying a compliment to the hostess at a fine restaurant thinking you may be seated at a nicer table or seated faster, or doing the same to your waiter or waitress to get faster service.
All too often in today’s society, social engineering is being used for dubious reasons, so a hacker can obtain sensitive personal and/or company information. This has now become a real threat to the security of your employees, confidential client information and company records and/or banking information.
Here are some of the social engineering tricks and scams:
The IT Support Person Scam:
The social engineer gains access to your computer systems by calling as an IT support person. Generally, this is easier to do when there is a lot of buzz about a virus or malware in the media. It can, however, happen at any time. The person posing as IT support (the imposter) calls a user and attempts to lead them through some sort of fix for the malware. The imposter continues to stress how important fixing this is and causes the end user to become frustrated. Once the user becomes frustrated, the imposter says something along the lines of “Let’s save us both time. Why don’t you give me your password? I’ll deal with the problem and call you back.”
A variant of this scam, with some additional twists, has been used to take significant amounts of money (six figures in this case) from a law firm’s bank accounts (see “Law Firm's Trust Account Hacked! Six Figures Taken!!!”).
Jury Duty or Subpoena Scam:
The phone rings in the early evening. The caller states that the person answering the phone has failed to report for jury duty, or to appear as required by a subpoena. This usually takes the answerer by surprise. The caller then asks for the answerer’s full name, social security number, and date of birth, so they may “verify” they are the person who failed to appear. The unsuspecting answerer readily supplies this information and ends up becoming the victim of identity theft.
The Foreign Traveler Scam:
This generally happens when a hacker gains access to an email account or a Facebook account. The hacker then uses the account to send bogus emails or Facebook posts to the real account owner’s contacts. The post reads something like this:
Subject: “Predicament (Sad news)!!!”.
Email Body: “I feel terrible disturbing you with this but I don't have any other option. I had to travel to Alaska for something urgent but now I am in a tight situation here. Please I need your help with a loan of $1800 to sort myself out. I will refund you immediately when I return this weekend. If you can help with this let me know so I can tell you how to get it to me.
Click this to send funds.”
Of course, the account owner’s (say, Becky’s) close friends would hate to see Becky stuck in a foreign country, so they will click the link and follow the instructions to send money to “Becky”. The linked site will look like a legitimate bank website (Chase or Bank of America), fooling even the most observant individuals. It will ask Becky’s saviors to send funds to her via a bank account set up in her name in that foreign country.
Disaster Relief Scam:
This scam usually happens right after a disaster such as a hurricane or, most recently, the bombing at the Boston Marathon. Fake donation sites appear on the internet by the hundreds or even thousands. The purpose of these sites is to use the emotional appeal of helping victims to capture credit card or bank account information from those who are well meaning and would like to help. We definitely encourage those who wish to help in these situations, BUT check out the website and the foundation set up before you donate.
Free Gift cards or Airline Tickets:
This type of threat happens often via email or on Facebook, Tumblr, and Pinterest. The user is prompted with an “ad” that indicates that the user will receive a free gift card, a software upgrade, or perhaps even some of Bill Gates’ fortune for filling in a survey. Stay away!!! These companies are not really giving away anything. They are merely collecting information from the unsuspecting that can be used to steal an identity.
Unauthorized Access to Your Building or Offices:
Typically someone will be hanging out in a smoking area and chatting it up with fellow smokers who have access to a secure building or office. When the real employees go to enter the facility, the imposter merely follows them using a technique called “tailgating”. If the employees ask the imposter for their ID, access card, or badge, the imposter will simply tell the employees they left their access card in their office. “Cigarettes, a Social Engineer’s best friend”.
Another way of gaining unauthorized access to your building or offices is for the “imposter” to have lots of packages or simply say “I’m in a hurry, please let me in”.
Social Engineering is here to stay. If it sounds too good to be true, or employees feel something just doesn’t feel right, they should trust their gut instinct. Odds are, unless you are vigilant, you will not know you are a victim until it is too late. It is very important to have a stated IT policy in place, as well as a safety policy, and to have your employees familiar with both of them. The more aware they are, the less likely you, your employees, or your company will become the victim, or the hacker’s unwitting tool.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as internationally for consulting, forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought-after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and international organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice, as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.