Phishing is a topic that has been discussed to death because of how easily humans can be exploited and how effective the approach is at catching someone off guard. Other threats that receive far less attention are social engineering, CEO fraud, fake friends on social media, and watering-hole attacks, and the reason is the overhead of effort versus reward.
How it started
A few weeks ago, I was the target of a social engineering scam. The perpetrator phoned and told me that he was calling from the US Marshals' office and that my social security number had been used in several illegal and fraudulent activities. The first few minutes caught my attention, since nobody wants to be a victim of identity fraud. The conversation continued with them trying to scare me into thinking it was real and that several bank accounts had been opened for money laundering. The bank accounts were supposedly used for payments in human trafficking and for transferring money abroad to terrorist groups. They went on to talk about the options I had for dealing with the scenario I found myself in. They tried to be convincing by providing me with their US Marshal badge number and the reference number of the arrest warrant. After a long conversation, they started asking which bank accounts I had, what assets I had, and how much money was in my bank accounts.
Twenty-five minutes into the conversation, we were still discussing my options, and they told me that a Social Security Administration officer, together with a US Marshal, would be coming to my home the next morning. The purpose of the house visit was to go through the details, discuss the way forward, and generate a new social security number for me.
Approximately thirty-five minutes into the call, they transferred me to the US Marshal who would be dealing with my case. The telephone number was completely different from the original call, in another state. The agent told me that I had to go to my bank immediately, withdraw all my money, and transfer it to my new social security wallet. The key point was that I was pressured to do it quickly and had to stay on the call with him until the transaction was completed.
After playing along with this perpetrator for forty-five minutes, I told him that I was not going to the bank, that it was already closed, and that my daily cash withdrawal limit was only $100. They started getting agitated and told me to call the bank to increase my limit, since I had already chosen not to go to court to fight the charge against me. Eventually, I told him that I was going to the police station to confirm the arrest warrant, which agitated the man even more. Another ten minutes into the conversation, I told him that I had been onto him from the start and that I had already reported them to the FBI. They immediately dropped the call, and that was the last I heard from them.
What they didn't know
What the perpetrators didn't know is that they were talking to someone whose profession is to defend against social engineering attacks, and that as a company, we teach our clients to be cognizant of social engineering attacks. Because I listened to them and played along, they thought they had another victim. I have to admit that they were compelling: being forceful right from the start and not giving you much time to talk unless you were asked a question made you feel defenseless and gave them the advantage they needed to be successful.
We are all a bit more vulnerable in this time of social distancing
During this time when we are socially distanced from one another, an opportunity has arisen, and criminals are taking advantage of it. People always had each other and were close to one another when they went to work. Being together in an office allowed us to ask for help from the person sitting next to us or to raise a point with the security team if something did not seem right. Social distancing has created a scenario where people feel vulnerable and alone because they are confined to their homes.
Unfortunately, when organizations looked at incident response plans and business continuity plans, they did not consider the security concerns of being isolated, especially for those not used to working from home. If you have never dealt with a pandemic, or with a scenario where you were forced to quickly put a plan in place to keep your business operating, you would never think of social distancing as a high risk, especially when you consider the likelihood of it occurring. The last big pandemic that caused mayhem was the Flu Pandemic of 1968. If you think back to the people who were working at that time, the chances are they have already retired.
It is, therefore, not something that was on anyone's radar when incident response plans were drawn up. The unfortunate thing is that criminals take opportunities like this to play on victims' weaknesses. Being in unknown territory, distanced from one another, gives criminals the opportune moment to exploit those vulnerabilities.
There were key aspects that gave them away right from the start, even though they had a great script and a plan to rattle the victim until they gave in to their demands. Although the approach differs between social engineering and phishing, the outcome is always the same: a victim paying the price for being negligent. There are also crucial aspects to look out for when dealing with all of these scenarios.
What gave them away
Before covering the warning signs that are common to any social engineering attack, I will share what gave these guys away in their social security scam.
- They did not allow you to get a word in, trying to rattle you.
- They tested whether you knew your federal rights; if you didn't, they knew they could keep exploiting you.
- They asked questions about information they should already have had if they had investigated this identity fraud case.
- They mentioned people coming to your house, when these government agencies never do house visits.
- They talked about withdrawing all your money before the government seizes all your assets and freezes all your bank accounts.
- They were adamant that you had to go to the bank immediately without wasting another second.
- They talked about social security wallets and transferring funds to that social security wallet.
The list goes on, but these are the vital aspects that gave them away within the first five minutes of the call.
Key aspects to be vigilant about when dealing with Social Engineering and Phishing
The key aspects to always be vigilant about, irrespective of whether you are dealing with social engineering or phishing, are as follows:
- Understand the laws and regulations in your country. Law enforcement will not ask you to empty your account before it is frozen.
- Who are they and where are they from? (Can you phone them back?)
- Is the content of the call believable?
- Never give out personal information. (Anyone investigating you should already have it.)
- Urgency is always a big red flag. If it cannot wait a few days while you confirm its accuracy, it is most likely a scam.
- Listen for the accents of people who should be in-country rather than calling from abroad.
- Things that do not make sense to you or that you didn't request (tech support, fraudulent transactions, etc.).
Be vigilant, and pay attention when speaking to people, reading emails, or browsing social media. Ask questions. It is your right! It can be the difference between becoming a victim and being the victor.