Information, power and money make the world go round, and many people are willing to engage in duplicitous – and sometimes admittedly creative – methods to acquire these. Malicious actors often use social engineering to target corporations in an attempt to bypass physical and IT or information security measures by way of pretext, deceit and manipulation.
Because of social engineering’s power and potential for abuse, Congress passed the Gramm-Leach-Bliley Act, which the Federal Trade Commission enforces. The Act requires banks, securities firms, insurance companies and other financial institutions to safeguard consumer information, and it prohibits obtaining a customer’s financial information from an institution under false pretenses. Pretexting is generally defined as a form of social engineering in which attackers use a fabricated scenario to steal their victims’ personal information.
Though traditionally targeted at large corporations, the practice has become more prevalent in individuals’ day-to-day lives. It has the potential to jeopardize our finances, personal information and security. When we undertake a Residential Physical and IT Security Assessment for an executive or private client, for example, we include guidance and recommendations on how our clients can manage the risks of pretexting and other IT scams and mitigate any potential consequences. In fact, as we learn more and more from social engineering plots like those we describe later in this blog, we are increasingly emphasizing information security in our mission to protect what matters.
Attacks Becoming More Common
In the wake of tax season, telephones everywhere are ringing with threats of fines and arrests for unpaid taxes. Phishing emails are flooding inboxes, and “too good to be true” connections on dating and social media apps are becoming the norm. Verizon’s 2018 Data Breach Investigations Report (DBIR) concludes that “Phishing and pretexting represent 98% of social [engineering] incidents and 93% of breaches,” with financial motivation driving the bad actors, who are overwhelmingly members of organized criminal groups. The most common vector for these attacks continues to be email.
The DBIR also reveals that, while the majority of motives behind social engineering attacks are financial, espionage is a close second. In 2013, amid political unrest in Brazil, a member of Brazilian Army intelligence created alias Facebook, Instagram and Tinder profiles to infiltrate activist groups. As a result of these social engineering efforts, including the agent’s flirtation with one woman in particular on Tinder, the government imprisoned 21 people. This is another example of how social engineering, particularly pretexting, can have massive consequences.
As the recent case against Maria Butina, charged with conspiring to act as an unregistered agent of the Russian government, continues to unfold, it appears likely that the public will learn that many social engineering methods were used along the way, including social media profiles that appear to feature Butina on Facebook, Twitter, YouTube, LinkedIn and other sites.
While attempts to gain our trust these days often use technology in some way, good old-fashioned confidence and charisma can still persuade many to bend rules and open their wallets when they otherwise wouldn’t.
Take the recently reported story of Anna Sorokin, a.k.a. Anna Delvey, who taught New York elites a valuable lesson in social engineering. For several months, Delvey frequented the Big Apple’s socialite hot spots, allegedly claiming to be a German heiress while attempting to obtain a $22 million loan to open a Soho House-like private club. Along the way, she forged bank documents and used her confident and charismatic personality to scam several naïve participants to the tune of $275,000 in fraudulent expenses, including a $62,000 trip to Morocco, a private chartered plane trip, a $30,000 hotel stay and other lavish expenditures. Sorokin is currently on trial, charged by the Manhattan District Attorney with attempted grand larceny in the first degree, grand larceny in the second and third degrees, and theft of services.
How to Protect Yourself and Your Organization
The Department of Homeland Security’s US-CERT offers the following advice (Security Tip ST04-014) to help combat the growing threat of social engineering. To avoid becoming a victim of a social engineering attack:
- Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information.
- Do not provide personal information or passwords over email or on the phone.
- Do not provide information about your organization, including its structure or networks, unless you are certain the requester is authorized to have it.
- Look closely at website URLs. A malicious site may look identical to the legitimate one, but its URL will use a variation in spelling, a different top-level domain (for example, .net instead of .com) or the real company name buried in a subdomain of an unrelated site.
- Verify a request’s authenticity by contacting the company directly. Do not use any telephone numbers or websites provided through suspicious emails, text messages or telephone calls. Seek out contact information through a trusted source, such as the number printed on your card or statement.
- Install and maintain anti-virus software, firewalls and email filters.
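The URL bullet above is the one piece of this advice that can be partially automated. The following is an added example, not code from the original post or from Hillard Heintze; it flags lookalike URLs against a short list of domains you actually trust. The trusted domains and the sample URLs are constructed for illustration, and the registrable-domain logic is deliberately naive (it does not know multi-label public suffixes such as co.uk).

```python
"""Flag lookalike URLs against a short list of domains you actually trust.

Added example, not from the original post. TRUSTED_DOMAINS and the sample
URLs in demo() are constructed for illustration, not real phishing data.
"""
from urllib.parse import urlsplit

# Constructed: the handful of domains a person is legitimately expected to sign in to.
TRUSTED_DOMAINS = ("example-bank.com", "example.com")

# Digits commonly substituted for letters in typosquatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive on purpose: it does not know
    multi-label public suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute,
    or swap two adjacent characters (so 'exmaple' is 1 away from 'example')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unrelated', or a 'lookalike: ...' / 'suspicious: ...' verdict."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "suspicious: no hostname"
    # Punycode labels can render as look-alike Unicode letters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode (internationalized) label, inspect before trusting"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    if "." not in domain:
        return "unrelated"
    d_name, d_tld = domain.rsplit(".", 1)
    # Everything left of the registrable domain is controlled by whoever owns that domain.
    prefix = host[: -(len(domain) + 1)] if host != domain else ""
    for t in trusted:
        t_name, _ = t.rsplit(".", 1)
        # 1. Trusted name buried in a subdomain: example-bank.com.login-verify.net
        if prefix and (t in prefix or t_name in prefix.split(".")):
            return f"lookalike: '{t}' appears in the subdomain of '{domain}'"
        # 2. Same name under a different TLD: example-bank.net
        if d_name == t_name:
            return f"lookalike: '{t}' under a different TLD (.{d_tld})"
        # 3. Digits standing in for letters: examp1e-bank.com
        if d_name.translate(HOMOGLYPHS) == t_name:
            return f"lookalike: homoglyph variant of '{t}'"
        # 4. One typo or swapped pair away: exmaple-bank.com
        if osa_distance(d_name, t_name) == 1:
            return f"lookalike: one edit away from '{t}'"
        # 5. Trusted name padded with extra hyphenated words: example-bank-secure-login.com
        if f"-{t_name}-" in f"-{d_name}-":
            return f"lookalike: '{t_name}' embedded in '{domain}'"
    return "unrelated"


def demo() -> dict:
    """Classify a set of constructed sample URLs (none of these are real phishing sites)."""
    samples = [
        "https://www.example-bank.com/login",
        "https://example-bank.com.login-verify.net/",
        "https://example-bank.net/login",
        "https://examp1e-bank.com/",
        "https://exmaple-bank.com/",
        "https://example-bank-secure-login.com/",
        "https://xn--exampl-bank-constructed.com/",  # constructed punycode-style label
        "https://news.unrelated-site.org/",
    ]
    return {url: classify_url(url) for url in samples}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:60s} {url}")
```

The checks run in order of attacker preference: subdomain abuse first, since the browser shows the trusted name at the left of the address bar where people look, then TLD swaps, digit homoglyphs, single-character typos and padded names. The edit-distance and embedded-name rules will produce false positives on short trusted names, so treat a "lookalike" verdict as a prompt to verify through a known-good channel, exactly as the bullet list advises, rather than as proof of fraud.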
If you think you are a victim of a social engineering attack, several options are available to you, including the following:
- Report the incident immediately.
- Contact your financial institution and monitor your account activity.
- Immediately change all of your passwords.
- Report the attack to the police, and file a report with the Federal Trade Commission and US-CERT.
As we expand our cyber security capabilities here at Hillard Heintze, we continue to advise everyone to increase their personal awareness of any social engineering plots, particularly those convincing ones involving pretext. If one remains vigilant and aware of potential schemes, it is possible to traverse the digital world without falling victim – or even funding a fake heiress’ private flight to a New York jail, albeit via a brief, lavish trip to Casablanca or Monaco.