
Thursday, 23 August 2012

Social Engineering? Not on my watch
Social engineering is a method of obtaining confidential information through manipulation. It is usually done to commit fraud or to gain access to a computer, and it is generally motivated by money.

Social engineers will meticulously research their target so they know exactly what to say in order to deceive you. If the target is a large company, they will pretend to be an employee and try to deceive a “co-worker” into allowing them access to files or into a company computer. 

Social engineering occurs for a variety of reasons: it could be directed at a specific company or person, it could be a random attack, or it could even be part of a game. Whatever the motive, you do not want it to put you or your customers’ information at risk.

Social engineering succeeds because the engineer uses techniques that make you trust them. They make up elaborate stories or personas that you would have no reason to doubt. Then, through what seems like polite conversation, they get you to relinquish sensitive information that can put you or your company at risk of identity theft or a data breach.

The following is a transcription of part of a conversation between me and someone I believe to be a (beginner) social engineer:

Earlier this week, I got a call from a man claiming to be from “Social Alliance Vancouver” telling me my business has won the “Best New Business in Vancouver” award. He continued on saying that my business would be featured on Facebook, Twitter and Google which would bring me a lot of business.

I told him that we were quite capable of posting Tweets on our own, but thank you kindly.

Alas, he continued, “what type of services does your business provide, ma’am?”

I responded, “well, seeing as how you awarded my organization the prestigious award of ‘Best New Business’, don’t you already know?”

“Yes, of course! You install security alarm systems.”

“Affirmative. We are the Canadian Identity Theft (and security alarm system) Support Centre. Sounds about right. Now tell me about yourself, sir… are you in need of a new alarm system?”

He then hung up on me.

This example clearly shows an inexperienced social engineer, who was thrown off track by a little questioning. Most of the time, these people will give up as soon as you present any resistance, because it is not worth their time to follow through. However, if it is a targeted attack on your business, the engineer will most likely be far more deceptive, charming and ready to tell you anything to get you to relinquish the information he or she wants.

What information do social engineers want?

Social engineers want as much information as they can get about your business, and the more you give them, the more they will ask for.

They usually begin with friendly chatting, keeping up a light conversation to put you (or your employees) at ease. They will then ask questions such as, “can you verify your address? I see you are located on Broadway in Vancouver,” at which point a trusting employee will correct the misinformation and, in doing so, divulge the correct address.

Eventually, they will steer the conversation towards the information they are after. They may direct you to a website and get you to download a (most likely malicious) file, or simply ask you directly for what they want to know.

The information they may want includes computer passwords, full names of employees, SIN numbers, salaries or anything related to wages, and account numbers, among many other pieces of sensitive information.

Preventing Social Engineering from putting your business at risk

If you are concerned about social engineers defrauding your business, consider the following advice:
  • Train all staff members (especially those answering emails and phones) on what social engineering is, what callers may ask for, and how to tell if a social engineer is on the other end of the line.
  • Determine what information is acceptable to release to the public, i.e. will you be publishing your address, the names of employees, or salary information?
  • Create an action plan for dealing with data breaches. Some breaches are difficult to prevent, so it is better to be prepared just in case.
  • Inform employees of the distinction between being helpful and being overly helpful. Social engineers succeed mainly by preying on someone’s trusting nature.
If you would like assistance training your employees on how to avoid data breaches through social engineering, contact CITSC to sign up for an informational seminar.

Friday, 27 July 2012

Technical support scam warning
After receiving a call today from a man concerned that his mother had become the victim of an online scam, I did a little investigative work to check out the source of his troubles: Live-Technician.

In general, I find that if people are suspicious enough about an email/website/phone call/travelling salesman (or an offer seems too good to be true) to call the Centre in the first place, it most likely is a scam. 

But, just to confirm I first called the hotline (1-866-216-8304) and very bluntly asked them if indeed they were a scam. The operator told me that she would be able to answer my question once I gave her remote access to my computer. Politely, I declined and asked her more about her services.

She then hung up on me. 

To find out more, I looked through the website, checking out what they offer along with any other information that would lead me to know for sure whether or not they are a real company.

From the blog that was clearly run through Google Translate, to the unsecured login page, to the “free” yearly service that costs $239.99, I determined that it was a scam.

This is how the scam works:

The problem starts when a victim becomes concerned about a technical problem with his or her computer: it could be anything from a printer malfunction to a blocked email address or a suspected virus. The victim then Googles the problem in order to find a solution. Instead, what they find is a link to a technical support service that claims to fix any problem by remotely accessing their computer.

Remote access allows the ‘support person’ to make changes on your computer, including accessing your files and downloading viruses. This tool is extremely helpful if the person is professional and trustworthy, but potentially dangerous if they have other motives.

There are several ways scams like these make money: 

1) This “service” in particular charges over $200 to remotely access your computer a single time, and offers a yearly subscription for unlimited access at a price well above the less than $50 per year that comparable products normally cost.
2) Once your computer has been remotely accessed by a fraudster, they can steal any information you have on it, including private work-related information, banking information, passwords, photos and other information you definitely do not want a stranger to access.

Come to think of it… perhaps Carly Rae fell victim to one of these scams…

3) Once the fraudster has gathered your personal information, they can make more money by selling it online to a third party.

Here are a couple of ways to discover whether a website you visited is fraudulent:

  • Google the name of the company and the tech support number. If several of the links that come up promoting the website are from blogs, forums or other sites that are free or easily built, then it could be fake. Try typing ‘scam’ after the name and see if anyone else has reported problems with the company.
  • Read through the website: does it seem as though the writing was produced by an online translation tool?
  • If there is a section of the website that asks you to log in, look at the address bar. The address should begin with ‘https’ beside a padlock symbol. These features indicate that your connection to the site is encrypted; a login page without them should not be trusted with your credentials. Note that encryption alone does not prove who operates the site, so treat it as one check among several rather than a guarantee of safety.
  • Hover over any links provided on the website. If they lead to a social media account with no content and a few inactive followers, it could be a sign of fraud.
The risk of identity theft increases significantly when others access the information stored on your computer. Allowing someone to have remote access to your files is like giving your car keys to a stranger. Avoid this at all costs and if you ever need technical support, go through an established and reputable business.