Social engineering

Threat actors using social engineering are natural Psychologists. Using words and statements that lure you into the hook. A lot of phishing attacks happen over the phone (Vishing). You can get phishing protection software for your email and messaging, but what do you do with a phone call? It's sad to say but many people fall victim to phone scams.

Monique LaFrance one victim lost  $200,000 to a phone call from a person pretending to work for the Royal Bank, as a cyber specialist investigating a breach. Her quote "He asked me if I wanted to help them find the fraudsters and help others.” The scammer got access to her bank account and drew funds from her life savings. "It's crazy. It's really crazy. It gets me kind of sick just thinking about it," she said.

Understanding how hackers use social engineering to rollercoaster your logical thinking, as they reach into your pocket, is very interesting but not cool. The elderly are huge targets, as they are not versed in cybercriminals' social engineering tactics, and coming from a time when a person's word was worth something, they are trusting. And you ask, how can I pinpoint the elderly? 

If you Google a location say PEI (Prince Edward Island) and you search “Prince Edward Island Residential Phone Book, White Pages Canada”, most elderly people still have landlines, and not just picking on the elderly anyone with a landline can be found. This information we so freely give can be used against us. I would not put my phone number in a public directory and I would remove grandma and grandpa from these directories which would immensely cut down phone scams. 

Getting into the beans of this topic there are 4 main tactics used in a phishing attack. I will break them down.

Reconnaissance: Finding information on victims is essential for a successful Phishing attack. It's not a challenge to gather information to aid in this attack, people give heaps of information freely. This is dangerous because the scammer can make a  Phishing email sound like it's from someone you know or some activity you are involved with that needs your urgent response.

Interacting: This is where a scammer will call and use information gathered from reconnaissance to try to get login credentials or SIN numbers, or other personal data to aid in the next step.  

Exploiting: Thi is where the threat actor will use information gathered from interacting with the victim to log into bank accounts or your company's file share, which is now ransomed for x amount of dollars or sold on the dark web.

Clearing tracks: This is the final stage where cyber criminals delete fake accounts and other loose ends that lead to their disclosure.

So in breaking down the steps of a social engineering attack the first step is the most critical and it's also the one we have control over. 

So how do some of the smartest people fall victim to social engineering attacks? The brain release a chemical called dopamine the feel-good drug. When we feel good we want the thing that makes us feel good, like eating candy, or maybe its a phishing email and I spoof your company email, you are greeted with a picture of a new shiny laptop, and under that picture in big words “Log in to claim your prize”, this makes you feel good and dopamine is released and logic for some people goes out the window. Meanwhile, scammers collect your login information and you just picked up some malware. 

Another chemical released is Oxytocin which plays a role in social bonding. Oxytocin is released when you talk to people you like, or are attracted to, even while talking to someone through social media. Oxytocin is also released when interacting with someone you feel they trust you. So not when we trust but when we feel we are trusted. The best way I can explain how oxytocin alters decision-making is to use a quote from Christopher Hadnagy who is a social engineering specialist “So I have a secrete that I have not told anyone else in the world only you, and if you were to believe me your brain releases oxytocin and guess what I am now your drug-dealer”.

These threat actors leverage these mind hacks to tip the scales in their favor. We can protect ourselves by just taking a step back and slowing down. If you get a phone call that does not feel right, get out a pen or pencil and write down what is being asked, and read it back to yourself. No bank or company you work for will ever ask for your password or any personal information and do not click links attached to emails. If you get emails from friends that seem strange give them a call.  

Social engineering attacks are so complex these days, every time you answer a call, check email, or have a chat on some social media site be mindful you are at risk.  

Thank you!

By: Nick Keenan