Social engineering has been with us as long as humans have been on the planet. We respond to social stimuli all around us every day. From getting cut off by an aggressive driver to losing money in a fraud, even the most even-keeled person will get agitated. Social engineering is a persuasion technique: crafting a message that connects with someone on a personal level to get a desired response. Successful politicians are masters at social engineering; after all, getting someone to vote for you to control their destiny is a significant sale. Selfishly, we all think "I'd rather vote for myself".
A politician needs a sophisticated, well-thought-out campaign to win the most votes in an election, or to gain enough votes from other politicians to pass (or block) a piece of legislation. Designing the messaging and identifying the communication channels takes knowledge of, and insight into, the target population.
In more recent history, social engineering has been associated with deception used to acquire secret information, which is then generally used against the person or organization targeted. The latest rash of Vishing (voice or telephone phishing) attacks demonstrates the principle of pairing the right message with the right channel. The right message is "there is a problem with your account", and a very effective channel is a live human voice on the telephone.
Traditionally, fishing for information took place face to face, where someone would ask roundabout questions on a topic they wanted to know more about. Think of it as the soft side of interrogation. Of course, an actual criminal interrogation requires deftness and psychological technique to get an uncooperative suspect to talk.
Pretexting, inventing a plausible scenario to justify a request for information, became well known during some high-profile corporate investigations and is closer to what we call Spear Phishing: targeting a specific individual for specific information that can be used against them or their organization. The extension of Spear Phishing is Whaling, where an executive, celebrity or high-ranking government official is targeted. In comparison, a Phishing email expedition to tens of millions of email addresses is like a swarm of krill. Wait a minute, I just invented a new term: Phrilling.
As consumers have become accustomed to being wary of emails they don't recognize or expect, the criminals are changing their tactics. Not that the old tactics will go away (just look at your spam filter), but the smart ones are turning over new ground.
Vishing is the use of voice, a phone call, in a social engineering campaign. After all, this isn't just an email. There's someone on the phone who wants to help me solve a problem with my account and needs information from me to verify my identity. "I'm used to that type of interaction, and it sure seems important, at least to them, that they get my information so they can help me."
More and more financial institutions are leveraging the mobile channel, or at least trying to figure out how to leverage it to acquire and keep good customers. This has opened up a new type of Phishing called, wait for it... SMiShing: sending an SMS text message that urges the recipient to call a phone number to resolve a supposed fraud problem on their bank account or debit card. To "resolve" the problem, the consumer must give up information (card number, PIN, account credentials) that the criminal can convert into cash.
There has been a rash of these attacks lately. I personally received two different SMiShing texts on my phone in December 2008; call me an early adopter. Fortunately, I recognized them right away since I didn't have a relationship with either of the financial institutions referenced in the text messages.
If you are a financial institution or organization whose customers are the target of a SMiShing attack, there are some steps you can take.
1. Immediately contact your long-distance telecommunications provider for assistance getting the phone number referenced in the text message turned off, and keep following up with them until the number is actually out of service. Collect the exact number(s) and any URLs from the messages your customers forward to you; the carrier and any hosting provider will need them.
2. Post a warning on your website so your customers are aware that the campaign is taking place and that they should not respond to the text messages. Remind them what information you will never ask for by text or phone (full card number, PIN, online banking password).
3. Contact your local USSS (United States Secret Service) field office and request assistance. Better yet, don't wait until you have a problem to reach out to them. Get involved in your local Electronic Crimes Task Force meetings so you know exactly who to call when a situation occurs.
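The first step above depends on quickly pulling the callback numbers and links out of the texts customers forward to you. The following is an added example, not code from the original post or from any institution, of a small triage script a fraud desk could run over forwarded messages: it scores each text on the SMiShing hallmarks discussed above (names the institution, urgency, a callback number or link, a demand for action) and collects the numbers and URLs from the messages that score as suspicious into a takedown list for the carrier. The sample messages, the institution name "Example Bank", the 555 phone numbers and the scoring weights are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample reports, not real messages: the kind of text a fraud desk
# receives when customers forward suspicious SMS. "Example Bank" is an assumed
# institution name and the phone numbers are reserved 555 test numbers.
SAMPLE_REPORTS = [
    "ALERT: Your Example Bank debit card has been suspended. Call 1-800-555-0142 immediately to reactivate.",
    "Example Bank fraud dept: unusual activity on acct. Verify now at http://examplebank-secure.example/verify or call (800) 555-0199",
    "Your package is waiting, track it here: http://track.example/1234",
    "Reminder: your appointment is tomorrow at 10am. Reply STOP to opt out.",
]

# North American numbers written as 800-555-0142, (800) 555-0142, +1 800 555 0142, etc.
PHONE_RE = re.compile(r"(?:\+?1[\s\-.])?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}")
URL_RE = re.compile(r"https?://[^\s,]+")
REQUEST_RE = re.compile(r"\b(call|verify|reactivate|confirm)\b")
URGENCY_WORDS = ("immediately", "suspended", "verify now", "locked", "urgent", "within 24 hours")
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off; tune against your own reports


@dataclass
class Triage:
    text: str
    phones: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def normalize_phone(raw: str) -> str:
    """Reduce a formatted phone number to digits, dropping a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def triage_message(text: str, brand: str) -> Triage:
    """Score one forwarded SMS on the SMiShing hallmarks and extract its callback targets."""
    t = Triage(text=text)
    lowered = text.lower()
    t.phones = sorted({normalize_phone(p) for p in PHONE_RE.findall(text)})
    t.urls = URL_RE.findall(text)

    def hit(points: int, reason: str) -> None:
        t.score += points
        t.reasons.append(reason)

    if brand.lower() in lowered:
        hit(2, "names the institution")
    # A URL whose host contains the brand name run together is a classic lookalike.
    compact = brand.lower().replace(" ", "")
    if any(compact in u.lower() for u in t.urls):
        hit(1, "lookalike domain")
    if t.phones:
        hit(1, "callback number")
    if t.urls:
        hit(1, "link")
    if any(w in lowered for w in URGENCY_WORDS):
        hit(1, "urgency")
    if REQUEST_RE.search(lowered):
        hit(1, "asks for action")
    return t


def takedown_list(reports: list, brand: str) -> dict:
    """Collect numbers and URLs from reports that score as SMiShing, ready for the carrier."""
    phones, urls = set(), set()
    for r in reports:
        t = triage_message(r, brand)
        if t.suspicious:
            phones.update(t.phones)
            urls.update(t.urls)
    return {"phones": sorted(phones), "urls": sorted(urls)}


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        t = triage_message(r, "Example Bank")
        print(f"score={t.score} suspicious={t.suspicious} reasons={t.reasons}")
    print(takedown_list(SAMPLE_REPORTS, "Example Bank"))
```

Run against the constructed samples, the two account-problem texts score as suspicious and the package and appointment reminders do not, so the takedown list contains only the two 800 numbers and the lookalike URL. The scoring is deliberately simple keyword matching; its purpose is to speed up step 1, not to replace a human look at each report.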