Social engineering refers to manipulating individuals into divulging confidential information as part of an elaborate con.
In some cases, it can be the first step in digital fraud.
Last week, I received a call from “Verizon,” asking me for the password of our account.
I asked the chap what his name was; he said “John.” I informed “John” it was a bad day to be in the fraud business and said I would need his password.
See what I did there?
Needless to say, John was not amused. I added that I would also need the name of his pet and favorite song by Coldplay (he seemed like a Coldplay guy). Anyway, he hung up.
Obviously, John did not work for Verizon. He wanted to gather private info. There are so many ways for criminals to attempt to defraud; I will detail a few to save you some pain. Not just common phishing schemes or crypto locker ransomware threats, but some new ones I bet you haven’t heard of.
Have you heard of baiting? This is a very creative form of fraud.
In baiting, the criminal counts on the curiosity of the victim. The thief leaves an infected disc or USB drive in an elevator, a parking lot, a bar and the like, hoping the person who finds it puts the device into their computer. To this end, they rely on the user, usually labeling the disc or drive with something that sounds enticing: “Swingers party at Dan’s,” “credit card numbers,” “case notes,” or even something as simple as “confidential.”
The device in question has malware loaded; the minute it is plugged in, the thief can target that PC and its connected network.
People are curious by nature and they often fall for this.
The Verizon story mentioned above is an example of “vishing,” or phone phishing. There are many variations of this; one of the most common is someone calling and claiming to be from tech support, or from Microsoft.
Don’t forget, readers, Microsoft never calls you, not ever.
So when a fake rep from Microsoft calls, asking you to click a link and enter your password, please don’t do that. That is bad. I have had clients fall for that one, and all of their data was compromised.
Another abundant playground for cyber thieves is social media.
Is your birthday on your Facebook page? Your title at work? How do you think criminals come up with fake emails, supposedly from the president of an organization, sent to its accountant asking for wire transfers? We received one the other day at Aegis; the tone was way too nice. We laughed over that one.
Or maybe they pull contact info off your corporate website. Having info out there is a good thing — for people trying to reach you — but it also makes you a target for those in the fraud business.
Just this morning, I was speaking with a local businessman. He asked me if I had ever heard of the following scam: Someone pretending to be a vendor for a large university provides a change of bank account for direct payment and impersonates the CTO or accountant of that supplier. Schools in Florida are always a target.
Once a transfer is executed, it is hard to track down the criminals in question, as the money is gone and they are usually overseas. In these cases, local law enforcement doesn’t know what to do. Just like a friend of mine in Texas who had their credit card number stolen. The card was used in a store in California so the Texas police told him to file a report in Cali.
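The wire-transfer and vendor-bank-change cons described above leave a few tell-tale marks in the request itself: an executive’s name on an outside address, a reply-to that points somewhere else, money talk paired with “urgent” or “keep this quiet,” and a bank account that does not match the one on file. The script below is an added example (not from this column or from Aegis) of a simple rule-based screen that flags such requests for a callback to a number already on record. Every message, vendor record, domain and name in it is constructed for illustration.

```python
"""Added example: rule-based screen for wire-transfer and vendor-bank-change
requests.  All messages, vendors, names and domains are constructed samples."""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"             # assumption: the organization's own mail domain
EXECUTIVES = {"pat president", "chris cfo"}  # constructed display names of impersonation targets

# Constructed vendor master file: vendor name -> bank account currently on record
VENDOR_ACCOUNTS = {"Acme Supplies": "111222333"}

MONEY_WORDS = re.compile(r"\b(wire|transfer|bank account|routing|new account|ach)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap|confidential|quietly)\b", re.I)
ACCOUNT_RE = re.compile(r"account\D{0,20}(\d{6,})", re.I)


def screen_message(msg):
    """Return the reasons this request needs an out-of-band callback before
    anyone acts on it.  An empty list means no rule fired, not that it is safe."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name matches an executive, but the address is not our domain.
    if name.lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        reasons.append(f"display name {name!r} impersonates an executive from {domain!r}")

    # 2. Reply-To redirects answers somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"reply-to {reply_to!r} differs from sender {addr!r}")

    body = msg["body"]
    # 3. Money movement combined with pressure to act fast or keep quiet.
    if MONEY_WORDS.search(body) and URGENCY_WORDS.search(body):
        reasons.append("money movement combined with urgency/secrecy language")

    # 4. A known vendor asking to be paid into an account that is not on file.
    vendor = msg.get("vendor")
    match = ACCOUNT_RE.search(body)
    if vendor in VENDOR_ACCOUNTS and match and match.group(1) != VENDOR_ACCOUNTS[vendor]:
        reasons.append(f"{vendor} requests payment to account {match.group(1)} "
                       f"but {VENDOR_ACCOUNTS[vendor]} is on record")
    return reasons


# Constructed sample requests: two that should be held, one routine note that should pass.
SAMPLES = [
    {   # CEO-style wire request from a look-alike domain (constructed)
        "from": "Pat President <pat.president@examp1e.com>",
        "body": "Need an urgent wire transfer of $48,000 today. Keep this confidential.",
    },
    {   # vendor "updating" its bank details, with a diverted reply-to (constructed)
        "from": "AR Team <ar@acme-supplies.example>",
        "reply_to": "billing@acme-supp1ies.example",
        "vendor": "Acme Supplies",
        "body": "Please send future payments to our new account 999888777, routing 021000021.",
    },
    {   # routine internal note from a real executive address (constructed)
        "from": "Chris CFO <chris.cfo@example.com>",
        "body": "Reminder: quarterly budget review is Thursday at 10.",
    },
]


def screen_all(messages=SAMPLES):
    """Map each message index to its list of reasons; hold anything with a non-empty list."""
    return {i: screen_message(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for i, reasons in screen_all().items():
        status = "HOLD - verify by phone using the number on file" if reasons else "no rule fired"
        print(f"message {i}: {status}")
        for r in reasons:
            print(f"    - {r}")
```

The point of the rules is not to decide that a request is fraudulent, only to force the one step that defeats this con: a phone call to the vendor or executive using contact details already on record, never the number or reply address in the email itself.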
That’s about as helpful as a room full of Pokémon Go players drinking copious amounts of Dirty Steves — Red Bull and vodkas.
The reason cyber criminals go to all this trouble? It is usually much easier to hack a person (con them into providing confidential information) than it is to hack a network.
How do you protect yourself? As Agent Fox Mulder said back in the day: Trust No One.
Blake Dowling is chief business development officer of Aegis Business Technologies. His columns are published by several organizations. You can reach him at firstname.lastname@example.org.