A few weeks ago, I was the target of a social engineering scam. The perpetrator phoned and told me that he was calling from the US Marshal's office and that my social security number had been used in several illegal and fraudulent activities. The first few minutes caught my attention, since nobody wants to be a victim of identity fraud. The conversation continued with them trying to scare me into thinking it was real and that several bank accounts had been opened for money laundering. The bank accounts were supposedly used for payment in human trafficking and for transferring money abroad to terrorist groups. They continued talking about the options I had in dealing with the scenario I found myself in. They tried to be convincing by providing me with their US Marshal badge number and the warrant of arrest reference number. After a long conversation, they started asking questions about which bank accounts I had, the assets I had, and how much money I had in my bank accounts.
Twenty-five minutes into the conversation, they were discussing the options I had and said that a Social Security Administration officer, together with a US Marshal agent, would be coming to my home the next morning. The purpose of the house visit was to go through the details, discuss the way forward, and generate a new social security number for me.
Approximately thirty-five minutes into the call, they transferred me to the US Marshal agent who would be dealing with my case. The telephone number was completely different, in another state, from the original call. The agent started telling me that I had to go to my bank immediately to withdraw all the money and transfer it to my new social security wallet. The key was that I was forced to do it quickly and had to stay on the call with him until the transaction was completed.
After playing along with this perpetrator for the past forty-five minutes, I told him that I was not going to the bank, that it was already closed, and that my daily cash withdrawal limit was only $100. They started getting agitated and told me to call the bank to increase my limit, since I had already chosen not to go to court to fight this charge against me. Eventually, I told him that I was going to go to the police station to confirm the warrant of arrest, which agitated the man even more. Another ten minutes into the conversation, I told him that I was onto him from the start and that I had already reported them to the FBI. They immediately dropped the call, and that was the last I heard from them.
What the perpetrators didn't know is that they were talking to someone whose profession is to defend against social engineering attacks and that, as a company, we teach our clients to be cognizant of social engineering attacks. Because I listened to them and played along, they thought they had another victim. I have to admit that they were compelling. Being forceful right from the start and not giving you much time to talk unless you are asked questions makes you feel defenseless, and that gives them the advantage of being successful.
During this time when we are socially distanced from one another, an opportunity has arisen, and criminals are taking advantage of it. People always had each other and were close to one another when they went to work. Being together in an office allowed us to either ask for help from the person sitting next to us or raise a point with the security team if something did not seem right. Social distancing has created a scenario where humans feel vulnerable and alone due to being confined to our homes.
Unfortunately, when organizations looked at incident response plans and business continuity plans, they did not consider the security concerns that arise when people are isolated, especially those not used to working from home. If you have not dealt with a pandemic or scenarios where you were forced to quickly put a plan in place to keep your business operating, then you would never think that social distancing is a high risk, especially when you consider the likelihood of this occurring. The last big pandemic that caused mayhem was the Flu Pandemic of 1968. If you think back to the people who were working at that time, the chances are they have already retired.
It is, therefore, not something that was on anyone’s radar when incident response plans were drawn up. The unfortunate thing is that criminals are taking opportunities like this to play on victims’ weaknesses. Being in unknown territory where we are distanced from one another gives criminals the opportune time to exploit those vulnerabilities.
There were key aspects that gave them away right from the start, even though they had a great script and a plan to rattle the victim until they gave in to their demands. Although there are differences in approach between social engineering and phishing, the outcome is always the same, with a victim paying the price for being negligent. There are also crucial aspects to look out for when dealing with all these scenarios.
Before comparing the similarities to look out for in any social engineering attack, I will share with you what gave these guys away with their social security scam.
The list goes on, but these are vital aspects that gave them away within five minutes of the call starting.
The key aspects to always be vigilant about, irrespective of whether you deal with social engineering or phishing, are as follows:
Be vigilant, pay attention when speaking to people, reading emails, or browsing social media. Ask questions. It is your right! It can be the difference between you becoming a victim or the victor.