Social Engineering – How to Protect Yourself and Your Company

Posted: August 15, 2018

Social engineering is a low-tech method of gaining access to resources, whether they are physical, technical, monetary, or informational (e.g. trade secrets, confidential data). Phishing is one example of social engineering.

What is Social Engineering?

Social engineering is the art and science of getting people to comply with your wishes. Another often used definition is the use of psychological tricks on legitimate users of a computer system to obtain the information needed to gain access to that system.

For Example

Consider the following: Eddie Murphy’s and Leonardo DiCaprio’s characters in Beverly Hills Cop and Catch Me If You Can, or Sacha Baron Cohen’s Borat character. If you remember The Wild Wild West series, think of Artemus Gordon, who often resorted to impersonation to trick his intended targets.

Motivations for Social Engineering

There are many reasons why an entity or individual might engage in social engineering, including espionage, sabotage or terrorism, greed or monetary gain, breaching a physical barrier, the challenge of it, or simply gaining information.

Some Examples of Social Engineering

  • Being notified that you have won a contest that you didn’t enter
  • Being asked via email to verify your billing information (e.g. eBay, PayPal, etc) as there was an issue with your current credit card on file
  • Calling a Help Desk pretending to be someone else to obtain their password
  • Gaining physical access to a company via impersonation or using a pretext (e.g. phone repairman)
  • On-line phishing to obtain personal information
  • Tailgating an employee into a secured worksite
  • Solicitations for propagating a chain letter

How Does it Work?

  • Social engineering often takes advantage of most people’s genuine desire to help and their fear of saying no. In other instances, a social engineer will use flattery or exploit someone’s greed to obtain what they want under the pretext or promise of monetary gain. The target might be in a hurry and not have the time to perform due diligence or checks. In other cases, the target might simply be intimidated into cooperating.

Why It Works

  • Social Engineers often have the gift of gab and the power of persuasion.   They act with confidence and like they own the place or at the very least belong there.
  • Often, they will reference a higher authority (name drop) to lend credibility to their argument.
  • When challenged they will act incredulously or become indignant.
  • In other cases, they will mix in enough of the actual truth (real names, real project details, real procedures) to lull their target into a false sense of security.
  • Social engineers often present themselves as a source of authority via disguises, impersonation or tone.

What You Can Do to Prevent it

As an Employee, you can take the following steps to avoid being compromised:

  • Be aware of your organization’s policies regarding visitors, password protection, physical security, disposal and dissemination of information, and corporate communications.
  • Always verify information presented by a person requesting informational or physical access. If they name drop, call the individual or their assistant directly to confirm.
  • Never give out your password.
  • Be aware of entrance tailgaters and shoulder surfers. If you suspect one, challenge them to provide valid identification or direct them to a physical security representative.
  • Always verify who you are talking to. Don’t be afraid to ask for a callback number and call that number before disclosing any information. Better yet, obtain a contact number independently via the company website or directory rather than relying on the number the caller supplies, since a con artist will happily give you a number that rings through to an accomplice.

In your Personal life, the following steps can help you avoid being victimized.

  • Shred any mail and bills that may yield your personal information.
  • If you lose your wallet or handbag, follow the steps on my blog on Losing Your Wallet.
  • Always take your receipts (credit card, ATM, etc.) with you and shred them when no longer needed.
  • At an ATM, pull on the card slot to ensure that a skimmer has not been fitted over it. Cover the keypad when entering your PIN in case a camera has been placed nearby.
  • At a gas station, run your debit card as a credit card or, better yet, go inside and pay at the register.
  • Always be suspicious of winning contests you didn’t enter. Never pay an upfront fee or give out any personal information. Instead, ask the contest contact to take the fee out of your winnings (they will always decline that option).
  • Never provide personal information in response to unsolicited communications (email, phone, in person, etc.) or click on any links from such sources. If a link claims to come from a company you do business with, check where it actually points before trusting it.
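The "verify your billing information" emails mentioned above rely on links that look like they go to eBay or PayPal but actually go elsewhere. The following Python script is an added example (it is not part of the original post) that inspects a few constructed links of the kind found in such emails and flags the classic tricks: a trusted brand name buried as a subdomain of an unrelated domain, a bare IP address, a lookalike spelling, and displayed text that does not match the real destination. All hostnames and the TRUSTED_DOMAINS list are assumptions for illustration.

```python
from typing import List
from urllib.parse import urlparse

# Constructed sample of (display_text, actual_href) pairs as they might appear in an
# unsolicited "verify your billing info" email. All hostnames here are made up.
SAMPLE_LINKS = [
    ("https://www.paypal.com/myaccount", "https://www.paypal.com.account-verify.example/login"),
    ("Click here to verify", "http://203.0.113.7/ebay/signin"),
    ("https://www.ebay.com/signin", "https://www.ebay.com/signin"),
    ("Update card", "https://secure-paypa1.example/update"),
]

# Domains the recipient actually does business with (an assumption for this example).
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. 'paypal.com' from 'www.paypal.com'.
    Simplification: production code should consult the Public Suffix List so that
    multi-label suffixes such as 'co.uk' are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def is_ip_literal(hostname: str) -> bool:
    """True if the hostname is a dotted-quad IPv4 address rather than a name."""
    parts = hostname.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def inspect_link(display_text: str, href: str) -> List[str]:
    """Return the red flags found for one link; an empty list means none were found.
    These are heuristics that support the 'check before you click' advice, not proof."""
    reasons = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    real_domain = registrable_domain(host)

    if target.scheme != "https":
        reasons.append("link is not HTTPS")
    if is_ip_literal(host):
        reasons.append("link points at a bare IP address")
    elif real_domain not in TRUSTED_DOMAINS:
        reasons.append(f"link domain '{real_domain}' is not a trusted domain")

    # A trusted brand name used as a subdomain of some other domain is a classic lookalike.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and real_domain != trusted:
            reasons.append(f"'{trusted}' appears in the hostname but the real domain is '{real_domain}'")

    # If the visible text is itself a URL, its host should match where the link really goes.
    if display_text.startswith(("http://", "https://")):
        shown_host = (urlparse(display_text).hostname or "").lower()
        if shown_host != host:
            reasons.append(f"displayed host '{shown_host}' differs from actual host '{host}'")
    return reasons


def triage(links=SAMPLE_LINKS):
    """Map each actual href to the list of red flags found for it."""
    return {href: inspect_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, reasons in triage().items():
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {href}")
        for reason in reasons:
            print(f"             - {reason}")
```

Only the genuine ebay.com link comes back clean; the other three are flagged. The point of the exercise is that the hostname the browser will actually connect to is the only part of a link that matters, and it is rarely the part a phishing email draws your eye to.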


Real Life Example of Social Engineering in Action

Back in 1985 a childhood acquaintance of mine was determined to attend the July 13 Live Aid concert at John F. Kennedy Stadium in Philadelphia free of charge. Little did I know at the time, but I was about to get my first introduction to social engineering in action.

My acquaintance’s first order of business was to scan the list of performers and focus on some of the lesser known artists.  He identified Billy Ocean as his point of entry, although he knew nothing about this performer at the time.

He then contacted the promoter of the Live Aid concert claiming to be Billy Ocean’s cousin and acted indignant that he had not yet received his backstage passes. Rather than confirm his identity, the promoter referred him directly to Billy Ocean’s manager.

My acquaintance then contacted the manager directly and acted equally indignant that he had not yet received the tickets to his “cousin’s” concert. The manager did not challenge him in any way and agreed to send him backstage passes.

He received the backstage passes and free parking passes, and ended up taking one of my brothers as his guest. They attended the concert and mingled freely with celebrities attending or performing (e.g. Phil Collins, Chevy Chase, Jack Nicholson and Don Johnson, among others). With surprisingly little effort and virtually no road-blocks: mission accomplished.

Moral of this story: 

This entire situation would have had a much different outcome had the promoter called the manager directly to verify my acquaintance’s claim that he was the artist’s cousin. The manager should have been provided with a list of family and friends directly from Billy Ocean. Even without the list, the manager could easily have contacted Billy Ocean directly and confirmed the relationship (or lack thereof). The manager could also have tested this con artist by asking him personal details about Billy Ocean that a real cousin would have known. Due to time constraints, simple negligence or possibly a lack of awareness, no preventive measures were taken, and having had such a quick and easy win, my acquaintance’s propensity to continue this behavior was reinforced.

A con artist was born, and the behavior has continued ever since. This individual has since successfully posed as a member of the press to gain access to a press box and free parking at sporting events and has interviewed professional athletes in this guise. He has also successfully posed as an EMT, maintenance worker and pizza deliveryman to gain admission to sporting events and concerts. He was offered a job as an executive chef at a resort after charming the owner into believing he was the head chef at a posh Miami Beach hotel. He has also talked his way into a major studio in Los Angeles as well as private members-only clubs up and down the East Coast.

Unfortunately, social engineering is alive and well, and we should all take measures to ensure we are neither a victim of it nor an unwitting accomplice to it.


Author: Bruce Josephs

Bruce is a senior consultant with Compliance Point, located in Texas, serving clients on audit-related initiatives. He retired from Fidelity Investments after 11 years of being responsible for disaster recovery, interfacing with internal and external auditors by preparing for reviews (SSAE16, ISO27002, SOC1, SOC2), and managing access programs (terminations, transfers, elevated access reviews) for Fidelity. Bruce holds the CISSP, CISA, CISM and CIPP certifications and an MS degree in Financial and Investment Management from Drexel University. Bruce has also previously held both Secret and Top Secret clearances while working in the defense industry and has authored two articles on mainframe security.
