Social engineering is the art of using human interaction to extract sensitive data or money from an unsuspecting victim. We have all gotten the overly obvious emails from the Prince of Nigeria who needs money to help out his country and promises to pay back the loan, plus interest. We see these emails, immediately know that the sender is up to no good, and delete them. But what happens when you are the victim of a scam that isn’t so obvious?
I am what you would call an ethical social engineer. Part of my job is to run social engineering tests for companies so that they can see how likely their users are to give out information. Typically I do this in the form of a phishing test, in which I pretend to be someone inside the company in order to gain information. Once the test is completed I can give the I.T. department and administration information on what training they need to do, and specifically which users fell victim, so that remediation can be more focused. I am considered an ethical social engineer because I work within the confines of a contract with terms agreed upon by the client. My job is to try to gather one very specific piece of company information from the user. I never try to gather personal data, and I never push the limits. In fact, there have been numerous instances in which the user offered to give me additional information. Had I not been operating in an ethical way, I could have found the holy grail of that company’s sensitive information.
The trouble, though, is that ethical social engineers are in the minority. Most people out there running social engineering experiments are doing it with malicious intent. They have no contract, and therefore will go after whatever piece of information they want. And if you give them room to take more, they will jump at that opportunity. They don’t care what emotional or financial burden they put on you, so long as they are successful in obtaining the information they want.
The even scarier part is that these social engineers will go after absolutely anyone. Today during a staff meeting a fellow coworker received a call from someone claiming to be an IRS agent, who told him he was being prosecuted for tax evasion. The caller ID showed the number of a local sheriff’s station, and the caller had all of his information, including his home address and email address. The caller insisted that my coworker needed to send the money or face jail time. He eventually got off the phone with this so-called IRS agent and called the real sheriff’s station to report the incident and to let them know their phone number was being spoofed.
Luckily my coworker eventually figured out that something didn’t seem quite right about the situation and identified it as a social engineering attempt. However, even as someone who works in network security, he went through several minutes of panic thinking this was a real call. That just goes to show that no one is immune.
The only thing you can do to protect yourself and your organization is to train your users on what to look for. We can never stop these attempts, because we have no way of controlling the actions of others. We can, however, teach our users how to play it safe and how to identify the signs of a social engineering scam. Many times we have talked to a client about a prospective phishing test or training and their answer has been, “I don’t think we need it, my users know what to do.” The problem is, you have no way of knowing that until they are put in the situation. And do you really want to take that gamble? It’s only your company’s data, after all.