Social engineering is defined as the use of deception to manipulate individuals into divulging confidential information or breaking normal security procedures, with the intention of gaining access to systems, networks, or physical locations, or for financial gain.
In one of our recent blog posts we discussed the different types of social engineering attacks. When it comes to spotting these scams for yourself, however, examples are often more effective than definitions alone, so we’ve collected a mixture of newsworthy corporate scams and small-scale independent stories to clear things up for you.
In 2013 the Associated Press Twitter account – with over 1.9 million followers at the time – was accessed by the Syrian Electronic Army (SEA), posting the following tweet:
With just this one tweet, stocks plummeted: within minutes the Dow Jones Industrial Average dropped by 150 points, and the Standard & Poor’s 500 Index fell by about 1%, losing $136 billion in value before rebounding quickly.
The SEA was able to access the AP Twitter account due to a phishing email sent to several employees, using the ‘From’ address of another staff member and including a malicious link disguised as an innocent news article that was ‘very important’ for them to read.
This story is a perfect example of how easy it is for people to take advantage of your trust. In 2007 an ABN Amro bank in Belgium was tricked by a mystery man armed with nothing more than charm, costing them $27.9 million worth of diamonds.
The man, who was never found, was believed to have been a regular customer at the bank for years, with the Diamond High Council spokesman Phillip Case stating, “He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original keys to make copies and got information on where the diamonds were.”
Another example of pretexting is the 17-year-old boy from Oklahoma who was fired from his job at Walmart after stealing money, and – rather than consider himself lucky for his close call – went on to steal another $30,000 from 3 other Walmart locations.
The minor pulled this off by simply walking into the stores with confidence, still wearing his Walmart uniform, and claiming to be carrying out an inventory of the stores before general managers would run an inspection after the holidays. The employees of the stores believed his tale, granting him access to the restricted areas he needed, with one store manager even giving him a hug as he left.
This personal account from a man named Devin might not be a story that made it into the news, but ‘small’ scams like these can still have devastating consequences for the everyday individual.
Devin received a private message on Facebook from an account called ‘The Facebook Freedom Lottery’, claiming that he – and others – had won up to $150,000. Initially he was sceptical, as most people would be, but soon enough his cousin messaged him stating that he was also a prize winner, assuring Devin that after just a few simple steps he had received his money.
Believing his cousin, Devin started the process for accepting his prize money, which required him to pay an upfront fee of $250. He figured that, since his cousin had managed to claim his money, there must be a legitimate reason for this, so he complied and sent over the fee. Devin went on to pay five more fees amounting to $1500 before he finally contacted his cousin, who told him that he had only recently regained access to his Facebook account after it had been hacked.
Quid Pro Quo
Another personal account, this time from a man called Adam who fell victim to a betting investment scam.
Adam had received a brochure promoting the benefits and rewards of investing in the sports industry using gambling software. The brochure included facts and figures displaying high returns and glamorous photos of people reaping the benefits of the scheme. The software being promoted was – apparently – designed to predict wins and losses on specific sporting events so that investors could make accurate bets based on ‘industry knowledge’.
The catch, however, was the upfront payment of $20,000 to be part of the programme.
“The initial trading account cost $20 000 but I only made about $2000, well short of the promised returns. I rang the helpline and was then offered the opportunity to upgrade to a better program for another $25 000… After several days of badgering I submitted to the upgrade. Over time, I kept losing money in my betting account and I had to top it up for them to keep betting.”
Adam went on to send almost $200,000 in total before finally realising that he was a victim of a scam, and that he was never going to see any returns for his ‘investments’.