
Thursday, June 9, 2011

A little story about social engineering: what you need to know to protect yourself



Have you ever been duped into giving someone classified or highly sensitive information about yourself or someone else? Have you ever received a sales offer that sounded great at first but turned out to be a scam? With that in mind, we would like to turn your attention to a concept called "social engineering".

According to computer security consultant and formerly infamous hacker Kevin Mitnick, social engineering can be defined as the manipulation of human nature. He claims that the weakest link in ANY security system, be it personal or professional, is the human element. The reason for this is our natural inclination to trust people and assume that they have only the best intentions; this inclination exists to avoid conflict, but it ends up creating more.

Rather than share other people's experiences with social engineering, we would like to tell you a tale that hits closer to home... you'll soon understand why.

Without further ado, this is the story of Mr. F (the fraudster), Mr. V (the victim) and Hacksaw, the monster truck.
***some creative license was used for entertainment purposes, but essentially, this story is based on true events***

On a bright sunny Friday morning, Mr. V is enjoying some casual online shopping in hopes of finding a cheap car for his impending trans-America road trip. After some browsing on Craigslist, he discovers a deal of a lifetime. Mr. F is selling his precious monster truck, affectionately named Hacksaw, and he needs to find a buyer as soon as possible. He is an American soldier about to be deployed to Afghanistan to defend democracy and justice for all. His tour of duty is right around the corner and if he doesn't find a new owner for his truck, Hacksaw's fate will become tragically precarious -- a thought the young soldier just cannot fathom.

He is so keen to unload the truck before his deployment that he offers it at a significantly discounted price, shipping costs included. Mr. V is interested in the offer and contacts Mr. F by email. Mr. F writes eloquently about his love for his truck and all of the good times they shared. He also discusses his dedication to the army and fighting the evils of tyranny and injustice. Mr. V is totally sold since he too is a die-hard patriot and agrees to buy the truck.

Mr. F sends him a detailed letter with instructions on how to pay for the truck and claim it. It's really simple: Mr. V sends a wire for the specified amount to Mr. F's bank with all of the necessary information. Once he does that, he must contact AlertPay -- who Mr. F says is holding the truck in escrow -- to claim his brand new monster truck.

Mr. V heads to his bank and sends the bank wire. He does not acknowledge the fact that the wire is going to another country because he is so excited about taking Hacksaw out for a spin when he finally gets him. This brings Mr. V to the last step of the transaction: call AlertPay and ask them to release the truck to its new owner. Mr. V calls AlertPay as per Mr. F's instructions, states that the truck has been paid for and asks what he needs to do to claim it. What he then hears is nothing good. The customer support representative tells him that AlertPay is not an escrow service and delicately explains how the service works; this description does not match Mr. F's, and the truth is revealed.

The customer support representative advises him to contact his bank to see if he can trace the wire or somehow stop it, but alas, the funds have already crossed the border and it's too late. The money is gone, gone, gone and there is no truck named Hacksaw waiting in escrow to be claimed by Mr. V.

Mr. V is about $7,000 in the hole and Mr. F is laughing all the way to the bank to claim his ill-gotten loot.

Can you find the red flags in this story? Anything seem fishy to you? Let's take a closer look at what really happened:

- Mr. F had an emotionally-loaded sob story in which he appealed to the hearts and minds of fellow patriots looking for a cheap car; this "sob story" is the first stage in social engineering called "pretexting" -- setting the stage for the con.
- He used the discounted price which included shipping costs to appeal to a commonly occurring human trait: greed.
- He also preyed on another commonly occurring human trait: trust.
- The receiving bank for the bank wire was in a different country. This does not jibe with his claim that he is an American soldier about to be deployed on a tour of duty.
- He was in a rush to get rid of the imaginary vehicle. The rushed tone encourages people to make sometimes illogical decisions because they don't have the time needed to actually think before acting.
- Mr. F said AlertPay was holding the truck in escrow. We don't do escrow. We are an online money services business that facilitates the payment process between merchants and customers, between affiliates and business partners, and between friends and family. If we were really involved in this transaction, we would have processed a "legitimate" payment between the two parties, not held a truck in escrow.
- Mr. V sounded very friendly. When someone with whom you are doing business is overly-friendly and is taking a financial hit for your benefit, like selling you their high-value souped-up monster truck for a very low price, something's rotten in Denmark. In other words, run.

As the story reveals, social engineering is any attempt made by a person to manipulate another person into giving them something they want. Many skilled social engineers know every button to push to get the desired response. They know what to say, how to say it and how to cover their tracks.

Luckily, there are ways to avoid being scammed through social engineering, the number one being EDUCATION! Learn everything you can learn about this subject and question everything. Like Kevin Mitnick says, old-fashioned manipulation trumps the most highly-secured system -- social engineering cannot be stopped by technology alone. You have to use your common sense and critical thinking to prevent social engineers from manipulating you.

On a concluding note, check out this YouTube video from the last HOPE (Hackers of the Planet Earth) conference in 2008. It features some interesting info on social engineering from hackers who are very familiar with this "art of deception":



Helpful resources:

- Online Shopping Safety Tips

- Creating Strong Passwords


Image: vichie81 / FreeDigitalPhotos.net

4 comments:

  1. pls......... solve withdraw problem
    pls.............................................

  2. when we can use credit card for withdraw again

  3. Hi everyone,

    We do not have any updates on the credit card issue at this time. As soon as we do, we will definitely let you know. We just want you to know that we are working very hard on getting this service back as we understand how important it is.

    Thank you for your understanding.
