We are living in a world where trickery is running rampant and social engineering has cost everything from jobs and relationships to billions of dollars in damage to large corporations. And I hate to break it to you, but the person you recently met on a dating site didn’t really save a baby and kitten from a burning building even though their profile picture depicts such.
Social media has become a breeding ground for deception, and it is important for individuals and organizations to understand the seriousness of social engineering and find ways to avoid being duped.
Infamous con artist Henry Oberlander, who British authorities say could have singlehandedly undermined the entire banking system of the Western world, had one rule: "Everyone is willing to give you something. They're ready to give you something for whatever they are hungry for." And, according to Pamela Meyer, author of Liespotting, "If you don't want to be deceived, you have to know what you're hungry for."
On social media in particular, where detailed information about individuals is readily available, social engineering becomes much easier. You can see what interests people have, aspirational posts about what they wish they had, and so on. Simply put, the more con artists know about you, the more they can use against you, which is what makes social media so dangerous.
Let’s look at a few examples of deception on social media ranging from innocent to extreme:
According to my research, one of the most deceptive areas of the internet is dating websites, where people go for a specific purpose, have a desired result in mind, and ultimately portray themselves in a way that they hope produces the result they seek. This leads to very selective sharing of photos or even doctored photos, personal information that has been highly exaggerated (e.g. someone who was not a Navy SEAL but was in ROTC during high school), and more.
There are instances where people post content to make it appear as if they are at a specific place or engaged in an activity at a particular time, when nothing could be farther from the truth. This can range from someone who is lonely and home alone wanting to show their connections that they are out on a Saturday night, to a killer posting images geotagged at certain locations in the hope of establishing an alibi and raising reasonable doubt. The possibilities are endless. Keep in mind that the location tag and timestamp attached to a post or photo are chosen by the poster and are trivially edited, so on their own they prove nothing about where someone actually was.
The reasons for impersonating an individual or organization vary greatly: some impersonators focus on damaging a reputation, while others seek monetary gain. Earlier this year I attended the Campus Safety Conference in Los Angeles and learned how students are creating fake profiles for the sole purpose of defaming fellow students for a variety of reasons (a digital way to attack a bully, to get revenge on a classmate who stole Sally's boyfriend, etc.).
Recently Soteria Intelligence was able to identify, research and report a social engineering scheme where an executive from the Royal Bank of Scotland, Sir Sandy Crombie, was being impersonated on LinkedIn. The faux account was fully populated and appeared authentic on the surface, and was connecting with influential, senior people from all walks of life. Once connections were formed, the below message was sent:
As you can see from the message, the impersonator is clearly not a highly educated executive from the Royal Bank of Scotland, and the context is very questionable. Yet this individual was able to form nearly 200 connections with real executives in only 12 hours, which shows that even the most elementary schemes produce results. How many people actually emailed him? It's difficult to say, especially since we shut down the scheme within 24 hours. The lesson is that a fully populated profile is not proof of identity: anyone can copy a real executive's photo and career history, so an unexpected request from a senior contact should be verified through the company's published contact channels, never through the address supplied in the message itself.
In another case where social engineering played a key role in damaging a company's reputation, Soteria Intelligence profiled individuals making threats on Twitter aimed at Delta Air Lines, linked them to hacker groups, and predicted that a cyber-attack would take place in the near future. Three weeks later, the attackers gained access to Delta's Facebook page through social engineering and posted phallic images and X-rated commentary.
For more strategic, high-level social engineering plots it will usually, though not always, take a trained eye to spot the deception. Knowing what you are hungry for, and therefore how you can be manipulated, is the best way to prevent it from happening.
I suggest all companies educate their employees on social engineering as a way to protect assets, personnel, and brand reputation.