Cyber criminals don't always need a keyboard to break into your bank account or company network. In fact, a lot of attacks start with a simple phone call. Typically, the attacker is trying either to get information out of you or to make you do something. This technique is called social engineering.
I've read a lot about social engineering over the years, since it's a personal area of interest. It can be used by a bunch of different occupations, such as FBI interrogators, con artists, sales reps, performers and - yes - marketers such as myself. (I hope this won't stop you believing me!)
I've used and spotted social engineering techniques here and there over the years, but it never truly hit home how vulnerable we all are until I sat in on a few calls in the Social Engineering Village at DefCon, organized by Chris Hadnagy over at social-engineer.org. I watched three volunteers phone into Fortune 500 companies - a large computer manufacturer and a giant selling household appliances. The volunteers had to elicit 40 pieces of information (called flags) from the targets in 20 minutes, using only publicly available information to start with. Flags included seemingly inconspicuous things like their browser and version, their physical security company, where they typically go for lunch, and getting them to surf to a specific website. I was floored when one smart lady did it not once, but twice in 20 minutes - simply wrapped in pleasant conversation. Once a malicious attacker is armed with this information, it won't take long for them to breach the network.
So how can you avoid getting social-engineered? Here are some tips for you:
- Don't divulge non-public information: Especially on an incoming call from someone you don't know, don't disclose anything on the phone that the caller couldn't also get from a public source such as your website. If they ask for something you're not comfortable sharing, stay courteous and ask why that piece of information matters to them. If in doubt, check with your manager or your security officer before answering.
- Don't trust referrals given by the caller: Often, social engineers will call around a company and ask who's the best person to speak to about a certain topic. Your colleagues may point them in your direction. When they call you, they'll say "Linda said you'll be able to help me with this." Don't assume that Linda knows the caller or that she has vetted him; all she may have done is give out your name. Call her and ask how well she knows the caller.
- Get third-party confirmation: If someone calls you, ask which company they're calling from, look the company up yourself and call them back through the number you found. Don't take the number the caller gives you as proof - it may ring straight back to them - do your own third-party research.
- Don't trust Caller ID: Caller ID is great for telling you who's calling, but the number shown is asserted by the calling side and not verified by your phone, so it's easy and cheap to spoof. Don't believe me? Try it out for free in 5 minutes on http://www.spoofcard.com/
- Don't make exceptions just because you like them: Social engineers know what it takes to make you like them. For example, they will claim to have things in common with you. "Oh, I also went to Cornell. I had such a great time there!" They may even research your background on Facebook, Twitter, and LinkedIn so they can claim these commonalities before you mention them. Another quick way to build rapport is to do you a favor, so that you feel obliged to reciprocate. You may feel like a jerk doing it, but you can politely decline to return the favor and feel better - and safer - afterwards.
- Don't blindly follow their instructions: At DefCon, I also watched Kevin Mitnick, a well-known social engineering expert, do a live call on stage. He had permission from the company to call 5 of their employees. The first three calls went to voicemail; the fourth one picked up. Pretending to be a colleague from the HR department, he said that the employee had to approve the new health & benefits small print. Kevin got the user to type a URL into his browser and to accept a Java applet to run on the machine. At that moment, the audience saw the user's computer connecting to the presenter's computer, giving the presenter full control over the user's machine - unknown to the user. Remember this story next time someone asks you to type a URL into your browser or to type something at the command line.
- Urgency and threats: The previous example also serves as another great lesson: Social engineers often tell you to do something right now to avoid a negative outcome, because pressure stops you from pausing to verify. "Enter the link or you won't get this week's paycheck. You have to do it now, because our cut-off is in the next 90 minutes."
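The Caller ID tip above deserves a look under the hood. This is an added example, not code from the original post or from spoofcard.com: it shows why the number on your phone is not evidence. On a VoIP call the display name and number are taken from the From header of the SIP INVITE that the calling side writes itself, and nothing on the receiving phone checks that the caller owns that number. The INVITE, the phone numbers, the hostnames and the IP addresses below are all constructed for the example.

```python
"""
Added example (not from the original post): why Caller ID is not evidence.

A SIP INVITE carries the caller's identity in the From header, which the
caller composes. The receiving phone simply displays it. The only header
that can bind a call to a number is the Identity header of STIR/SHAKEN
(RFC 8224), and only after its signature has been verified; this example
checks for its presence, nothing more.
"""
import re

# Regexes for the two headers we care about. re.M lets ^ match each header line.
FROM_RE = re.compile(
    r'^From:\s*(?:"(?P<name>[^"]*)"\s*)?<sip:(?P<user>[^@>]+)@(?P<host>[^>;]+)>',
    re.I | re.M,
)
IDENTITY_RE = re.compile(r"^Identity:", re.I | re.M)


def build_invite(display_name: str, number: str, src_host: str, target: str) -> str:
    """Compose a minimal SIP INVITE the way a softphone (or an attacker's script)
    would. The From header is filled in from the caller's own arguments;
    nothing ties 'number' to the machine at src_host. Branch, tag and Call-ID
    values are constructed placeholders."""
    return (
        f"INVITE sip:{target} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src_host}:5060;branch=z9hG4bK776asdhds\r\n"
        f'From: "{display_name}" <sip:{number}@{src_host}>;tag=1928301774\r\n'
        f"To: <sip:{target}>\r\n"
        f"Call-ID: a84b4c76e66710@{src_host}\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:{number}@{src_host}>\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def caller_id(invite: str) -> dict:
    """Return what a typical desk phone would show for this INVITE: the display
    name and number from the From header. This is exactly what the sender
    wrote; no verification happens here, just as none happens on the phone."""
    m = FROM_RE.search(invite)
    if not m:
        raise ValueError("no parsable From header")
    return {"name": m.group("name") or "", "number": m.group("user")}


def has_identity_header(invite: str) -> bool:
    """True if the INVITE carries a STIR/SHAKEN Identity header (RFC 8224).
    Presence alone proves nothing: the signature and the signer's certificate
    chain still have to be verified before the number can be trusted."""
    return IDENTITY_RE.search(invite) is not None


# Constructed sample: an attacker at 203.0.113.7 (a documentation address)
# presents a made-up "bank fraud desk" number to a company's reception line.
SPOOFED_INVITE = build_invite(
    display_name="Acme Bank Fraud Desk",
    number="+18005550147",
    src_host="203.0.113.7",
    target="reception@example-corp.test",
)

if __name__ == "__main__":
    shown = caller_id(SPOOFED_INVITE)
    print(f"Phone displays: {shown['name']} {shown['number']}")
    print(f"Identity header present: {has_identity_header(SPOOFED_INVITE)}")
```

Run it and the "phone" displays whatever name and number were passed to build_invite, because that is all a From header is: a claim. Carriers that implement STIR/SHAKEN can attach a signed Identity header, and a phone or PBX that verifies it can flag unverified calls; until you know your carrier does that, treat the displayed number as nothing more than the caller's word.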
Social engineers don't restrict themselves to the phone: they also use faxes, letters, email, or simply show up in person at one of your offices, so be on your guard wherever the request arrives.