Social Engineering: How to Beat the Bad Guys

A Well-Educated - and Wary - Staff Is Your Best Defense
Earlier this month, a criminal posed as Barclays Bank chairman Marcus Agius to obtain a Barclaycard from call center processing staff. Armed with the new card, he then walked into a London Barclays branch and withdrew 10,000 pounds. The criminal may have gathered personal details about the chairman online to get the card. Barclays said the fraud was possible because of human error and that security procedures were not followed.

Around the same time, employees at two Washington, D.C. area banks turned over more than $850,000 to a man impersonating a cash courier. Dressed in the same courier uniform, complete with badge and a holstered gun strapped to his waist, he told employees he was 'filling in for the regular guy.'

These are just the two most recent public examples of social engineering, one of the oldest and boldest security threats. The crime is timeless, and as the examples above show, it isn't going away anytime soon.

One of the leading causes of identity theft, social engineering revolves around getting an employee or customer to do something they are not supposed to do, or to "bend the rules" just once to give someone access to a document or account.

Social Engineering ploys lead to electronic theft of sensitive information, which is a leading cause of certain types of fraud, including credit card, debit/ATM card and bank account transfer fraud.

"All sensitive electronic data needs to be protected, but institutions should be aware that the low hanging fruit for the criminals is electronic card and checking account numbers, as well as user IDs and passwords for online financial accounts," says Avivah Litan, distinguished analyst at Gartner.

A Scam by Any Other Name

Years ago, a social engineer might have been called a con artist, flim-flam man or grifter. They've been around for a long time. The common denominator is that social engineering, grifting and the con game all require that the criminal understand how people work and, more importantly, understand human vulnerabilities, says Dr. Eric Cole, an independent information security expert and author.

One of the reasons hackers are so good at what they do technologically is that they understand how computers, software and networks work, and from that they can learn where the vulnerabilities are. Social engineering is the same kind of probing, applied to an institution's vulnerabilities on the human side.

"As long as there are people, Social Engineering will be the number-one path of choice that criminals will go down chasing data and money," Cole says.

However social engineering is described, it is the practice of gathering reconnaissance on targets to increase the chances of obtaining information that can be used to bypass security measures and ultimately compromise the targeted computers and networks.

Tricks of the Trade - and How to Foil Them

Despite the perceived technological sophistication of those we call crackers (and, less accurately, hackers), even the most technologically sophisticated cyber criminals will try to gain unauthorized access in the easiest ways possible.

The successful social engineer relies on a toolbox full of tricks that can hack away at the psychological traits we all share. These traits include human desires to be:

  • helpful or friendly
  • competent in our positions
  • trusting of other people
  • advancing our own cause and career
  • attractive to those we admire or desire
  • perceived as a team player
  • avoiding bad consequences for ourselves or others

But bad people are bad people, and they will want to exploit an employee's goodness. Your employees should routinely verify:

  1. With whom they are talking, and
  2. That the caller is entitled to the information they are requesting.

"Your employees should be absolutely sure of this," Cole notes. They should be encouraged to think carefully and, when in doubt, take a message and check with a supervisor.

When designing Social Engineering training for your institution's employees, Cole suggests:

  • Focus on solutions, not a laundry list of "Don'ts": This means you should not simply tell people not to respond to emails or phone calls. People will respond to emails and speak on the phone. You must find a creative way for them to do so securely.

  • Tie in the employee's personal responsibility: "Show why responding the wrong way has personal liability for them; make it personal to them," Cole says. While many employees will embrace the security awareness message you're giving them, there will always be the employee who says 'so what if my senior management doesn't get their bonus this year?' "Those are the ones you'll want to focus in on and hone the personal responsibility angle," he says.

Growth Category: Spear Phishing

One specific Social Engineering crime on the rise is spear phishing - the act of targeting phony emails to one specific institution. "What I'm seeing from working with law enforcement is that these attacks are increasing," Cole says.

In these scams, criminals are actually harvesting PowerPoint presentations and other data from the web that look legitimate and then they are sending them out to their selected targets at financial institutions.

The scenario: You are working on a project in your institution, and you get an email supposedly from your CEO asking for information on that specific project. "You're going to send the CEO the information they've requested," Cole notes. The spear phisher who targets financial institution employees with this type of attack spends a great deal of time "grooming" and preparing the attack.

What the average employee won't know is that the CEO's "special" project was listed in the local newspaper's business section last week, and that is where the criminal gleaned the information. Also in the criminals' favor, many email clients are now so user friendly that they hide the header information that would reveal that the "CEO email," complete with a "From" entry showing the CEO's email address, actually arrived from an IP address outside the bank.
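What those hidden headers reveal, as an added example that is not part of the original article: a small Python check that parses a constructed message whose "From" shows the institution's own domain but whose earliest Received hop is an outside address. The domain, addresses and internal network range are placeholders assumed for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (placeholder domain, addresses and networks).
# From: shows the "CEO" at the institution's own domain, while the earliest
# Received: line shows the message entering from an outside address.
SAMPLE_MESSAGE = b"""\
Received: from mail.example-bank.test (mail.example-bank.test [10.20.0.5])
\tby mbox.example-bank.test with ESMTP; Mon, 1 Jan 2007 09:00:00 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail.example-bank.test with SMTP; Mon, 1 Jan 2007 08:59:58 +0000
From: "CEO" <ceo@example-bank.test>
To: analyst@example-bank.test
Subject: Project figures needed today

Please send me the latest numbers for the project.
"""

# Assumed for the example: the institution's domain and its mail-relay address space.
INTERNAL_DOMAIN = "example-bank.test"
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """IPs from the Received: chain, reordered so the originating hop comes first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return list(reversed(ips))  # relays prepend headers, so the last one is the origin


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETWORKS)


def origin_ip(raw):
    ips = received_ips(email.message_from_bytes(raw, policy=policy.default))
    return ips[0] if ips else None


def flag_spoofed_internal_sender(raw):
    """True when From: claims the internal domain but the message entered from outside it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    origin = origin_ip(raw)
    return from_domain == INTERNAL_DOMAIN and origin is not None and not is_internal(origin)
```

Production mail gateways make this judgement with SPF, DKIM and DMARC; the check above only illustrates what the Received chain exposes once a client stops hiding it.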

The Federal Deposit Insurance Corporation (FDIC), in particular, is watching current social engineering schemes and advises institutions to train staff and users adequately. In one of its regional outlook newsletters, the FDIC recently said "A well-educated staff can help to prevent losses resulting from 'social engineering attacks.'"

Placing appropriate emphasis on IT security at the senior management and board of director's level is the first step toward minimizing system breaches. By establishing effective policies and procedures, boards of directors can promote an atmosphere that addresses critical security areas and establishes appropriate guidelines and standards for all employees.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
