Social engineering is something that we’ve all done, whether we’ve realised it or not.
When we were children it’s likely that we played one parent off against the other to get our own way, telling each that the other had said we could do something we couldn’t – like have another packet of crisps. Fast-forward a little bit and you’ll remember telling your teachers that your dog really did eat your homework. For most of us, it stopped there. But only most of us…
I want to tell you two stories, both of which use social engineering but for two completely different reasons.
Getting a free dinner when being ‘stood up’
I’m not one to turn down a free dinner, but I wouldn’t go as far as Kyle Baldinger did to get one.
Long story short: Kyle saw a tweet that said “If you go to dinner alone always ask for a table for two. Look sad as you eat and you almost always get a free dessert”.
So, he thought he’d give it a go, and live-tweeted what happened.
[Warning: long image]
If you’d rather not read the whole thing, the short version is that Kyle bagged himself a free dinner after fooling a restaurant into believing he was stood up.
Walmart employee fired for stealing money keeps uniform and steals another $30,000 from three other Walmarts
Yeah, that happened.
A 17-year-old male from Oklahoma was fired from his job at Walmart for stealing money. Rather than considering himself lucky that he got away without being charged, he put his uniform back on and stole $30,000 from three other Walmarts by pretending to be a general manager from another store.
As he was in uniform and was wearing the company’s name tag, no one doubted him. He claimed he was carrying out an inventory of the stores before an inspection after the holidays, but surveillance cameras caught footage of his real purpose: according to a police report, when the boy was alone in the cash room, he took several bundles of banknotes and stuffed them into his pockets.
Good people don’t do bad things
The two stories differ in motive and technique, but they share two ingredients – confidence and plausibility.
If you don’t seem like a bad guy, then most people will assume that you’re not – and this is a problem. If a man you didn’t recognise was knocking on your locked office door holding a coffee cup in each hand, it’s very likely that you’d let him in without checking his credentials – don’t pretend you wouldn’t. Bringing coffee to an office isn’t something bad people do, and that’s what makes it the perfect cover.
The reason you’d open the door for him is that the situation explains itself. You’d assume that he needed to be let in because his hands were full – not because he didn’t know the door’s security code – and that he must be meeting someone as he had two cups, not one.
It reminds me of a couple of lines from the movie Matchstick Men:
Lohman: You don’t seem like a bad guy.
Cage: That’s what makes me good at it.
What can be done?
It isn’t easy to protect your organisation from social engineering. Humans are naturally collaborative and tend to help others, which is why confidence tricks continue to work. Certain technological solutions can help rebuff attempts to take advantage of your staff, but the best solution is to train your staff to be more sceptical.
Social engineers expect to be questioned and will have prepared answers, so casual questions are unlikely to catch anyone out. The one question your staff should be asking is the direct one: “Can you prove who you are and why you’re here?”
Sure, it may be awkward to challenge someone so directly, only to find out that they’re your senior, but they’ll understand why they’re being asked.
IT Governance offers an Employee Phishing Vulnerability Assessment which will help you establish whether your employees are vulnerable to phishing email attacks, a very popular social engineering technique.
Next week, I’ll be writing about other techniques that are used in social engineering, and the stories are magnificent.