The Shadowy Disguises of Social Engineering

Jackie Dana | October 1, 2020

11 min read

We often hear about threats to our online security and assume these are new problems in our digital age. But when you start to examine hacking, phishing, malware, ransomware, and other online threats, there’s something else to consider. Many of these attacks succeed not because of new or flawed technology but instead are thanks to human nature.

Indeed, one of the biggest reasons we cannot completely protect our computers, mobile devices, and online accounts from hackers and other threats isn’t because our technology isn’t advanced enough but because human beings are fallible and tend to want to believe the best in other people, even those we don’t know.

As a result, our humanity means that even the most tech-savvy of us can fall victim to various schemes to gain access to our homes, our bank accounts, our email, and our computers. This is all thanks to a process commonly known as social engineering.

In this article, we’ll examine what social engineering is and some of the things to look out for, as well as basic security measures you can implement to reduce the likelihood of you becoming a victim.

To fully grasp what social engineering means, you need to first consider what is normal or “baseline” for where you live or work. When someone does something that deviates from that baseline, they call attention to themselves.

For example, let’s say you work in a casual office environment with a guy named Bill. If one day Bill showed up having shaved his beard and wearing a suit, everyone would notice him and think he was going on an interview. If he didn’t want to be noticed, he might instead leave a change of clothing in the car. On the other hand, if he just wanted the boss to think he had an interview, changing how he dressed could accomplish his goal without having to lie about it.

That may sound nefarious, but in truth, most of us engage in various forms of social engineering all the time.

Imagine a time when you attended a conference or a party and spent money on clothing or jewelry that you wouldn’t have ordinarily purchased so you could look like you “fit in.” Or maybe you changed your accent or speech patterns—even stopped cursing—so people wouldn’t look down on you. Ever scuffed up a pair of running shoes so they wouldn’t look brand new? Put a sticker on your car proclaiming your support of the police in the hopes of not getting a ticket? These are all examples of social engineering, and most of the time it’s harmless.

The problem is, people can use our expectations for what’s “normal” against us, to scam us out of our hard-earned money, gain access to restricted areas at our workplace, or even steal our passwords and gain access to our digital accounts.

It’s these forms of social engineering that we’re going to focus on for the remainder of this article.

entering credit card data on mobile phone

There are lots of ways criminals use social engineering tactics to commit crimes and fraud. People use our expectations against us, sometimes in remarkable ways.

Imagine someone walks up to you in a store wearing a nametag and carrying a clipboard. You’ll automatically assume they’re an employee. If someone comes to your door wearing coveralls and a hardhat, you’ll probably open the door thinking they’re with a utility company. These are examples of people donning a “uniform” to look like they’re fitting in.

Here’s a real-life example of social engineering at work, and how clever a good scammer can get.

A friend (who gave me permission to recount her story) recently got a call from a local bank. The caller told her he wanted to let her know about potentially fraudulent activity on her debit card, and gave the last four digits of her card number. The caller ID listed the name of the bank, so she knew it was legitimate.

He asked if she had made three large purchases in Alabama, and she quickly said she hadn’t ever been there. He told her there was nothing to worry about, as they would dispute the charges. He confirmed the last four digits of her card and expiration date he had on record and then told her they would cancel the card and send a new one to her via FedEx right away.

She looked up her account while he was on the phone and didn’t see the charges, but he explained that they had already removed them. But then he asked for her PIN, the first piece of information he hadn’t provided. She hesitated, but he reassured her that he was from her bank and even told her she could confirm the number he was calling from on their website. He said he needed the PIN to process the fraud investigation.

When she told him she wouldn’t give him her PIN, he hung up on her.

She then called her bank using a number on their official website and they confirmed that there were no such charges on her account. They canceled her card and issued a new one.

What she experienced is a classic social engineering scam, where the caller had just enough details to make his story sound convincing. He probably started with the information on the card itself, which in these days of online shopping isn’t all that hard to come by. Each credit card and debit card number includes information about the issuer, and since it’s a local bank, he learned what city she lived in. He then likely Googled her for her address and phone number. Then, with a little social engineering, he tried to get her PIN, and had he been successful, he could have then used it to withdraw her bank balance.

social media sites with unlocked padlocks

Many online security threats start with someone poking at your personal digital armor.

If you run a successful blog or online business, if you’re outspoken on social media, or if you’re just unlucky enough to be targeted by someone who wants access to your online accounts.

One of the most famous—and chilling—examples of online social engineering happened to Mat Honan back in 2012.

As a senior staff writer for Wired Magazine, you might expect Honan to be pretty tech-savvy. Yet, due to a string of extremely clever social engineering efforts that involved a hacker making calls to Amazon and Apple customer service, Honan lost access to his Google and Twitter accounts. Then the hacker was able to gain access to his Apple ID and remotely erase all of his Apple devices, though it turned out it was all just a way to gain access to Honan’s three-character Twitter handle.

This is enough to scare anyone. What’s more, hackers aren’t just targeting your personal accounts. If you work for a prominent company, especially one that provides online accounts, health data, or other highly-valued information, at some point you may be targeted by someone trying to access data on your company’s servers.

In an increasingly common attack known as ‘spear phishing,’ these scammers typically send spoofed emails or texts that purport to be from the CEO or other company executive. These messages are designed to prey on either work-place anxiety or our eagerness to please. The scammers’ goal is to get us to click on links or provide information that could compromise our work accounts or innocently give away customer data.

For a recent example, Twitter was the victim of a high-profile hack in July 2020 that allowed a small group of individuals to gain access to the accounts of 130 Twitter users. According to the New York Times and the highly-regarded Krebs on Security blog, the hackers hijacked the accounts of highly desirable usernames (much like Mat Honan’s in the earlier example) that they sold for Bitcoin. They also targeted several celebrity accounts, tweeting messages encouraging the celebrities’ fans to help in fundraising efforts by sending money to a charitable cause—money which actually went right to the hackers.

While the incident is still being investigated by law enforcement, according to Twitter’s official statement,

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.

Social engineering happens all the time, and at some point all of us will encounter someone who is trying to manipulate us for nefarious purposes. Here are some tips that can help guard against the most common attempts.

Always verify. If someone comes to your door, always ask to see photo identification and a work badge. This includes people wearing official company uniforms or even police officers. Ideally, they should show you this identification before you even open the door, but always demand it before allowing them into your home or yard. And if they contact you by phone or email, reach out directly to the company directly and verify the request before you give out any information.

Use strong passwords. Sometimes the first point of entry will be an account with an easy-to-guess password. For example, if you have pets or children, using their names as passwords is a very bad idea. If you’re always bragging about KittyCuddlePants on Facebook, for example, a hacker might very likely try your cat’s name when attempting to gain access to your email account.

Have a unique password for each online account. If you use the same password on your Gmail account that you use for an online game, guess what? When that game database gets hacked (and websites are hacked all the time), the hackers now have access to your Gmail account… and that’s bad news.

Enable two-factor identification. This is an easy step that will largely shut down efforts to compromise account safety. By locking down your online accounts using both a password and a prompt to verify your identity with a mobile device (or computer dongle like YubiKey), you make it very difficult for a third-party to gain access. (FYI, Namecheap offers our own two-factor authentication to protect our accounts.)

Protect your email and social media. As Honan’s story above demonstrates, your email (especially Gmail, since it’s tied to your Google account), Apple, Facebook/Twitter/etc., Amazon, and other major website accounts are prime targets for hackers. Worse, because we often use one account to access another (that ever-so-handy “log in with Google/Facebook” option), if someone can compromise one account, things can easily snowball from there as hackers slowly accumulate information about you and gain access to increasing numbers of accounts.

Don’t give out passwords to anyone. Generally speaking, you should never give out a password or banking PIN to a customer service agent or contractor. (There are a few exceptions to this rule, including when someone needs to transfer data to a new hosting platform or build your website, but you should change any account passwords after they’re finished.)

Never give out personal information to someone who contacts you unexpectedly. Be on the lookout for unexpected phone calls or emails purporting to be from places such as your bank, hosting provider, credit card company, or a government agency such as the IRS. Keep in mind that caller ID isn’t enough to verify, either—phone numbers can easily be spoofed. If you ever get contacted and it doesn’t feel right, end the conversation immediately and call the company back yourself to verify that the request was legitimate.

Conclusion

We know that the topic of social engineering can be a bit scary. Rather than avoid talking about difficult subjects, we at Namecheap believe it’s important you understand how these things work so you can take steps to prevent them happening to you.

For even more ways to protect yourself, check out our other articles on five ways to protect your website against social engineering attacks as well as how to guard against efforts to undermine your social media accounts.

And if you or anyone you know has ever been a victim of a social engineering scam and want to share what happened to you, we’d love to hear about it in the comments. Once these things get exposed and we all become aware of them, it’s harder for the scammers to get away with it again in the future.