Social Engineering Part IB: How Scammers Manipulate Employees to Gain Information
Authority Attack -- Example
For example, consider this scenario:
• You have been having trouble with your DHS computer workstation.
• You receive an email in your inbox that appears to be from the DHS Help Desk. The email asks you to reply with your user name and password to verify that you should be on that computer station.
• Something about the email just doesn’t look right to you, so you delete it.
2014 DHS IT Security & Privacy Training
Authority Attack -- Response
• In this scenario, you did the correct thing by deleting the email.
• The email may appear to come from an authority, but DHS technical support will never ask you for your computer username and password.
• A Security Incident Report should also be filed, so that if other employees have received the same email, it can be blocked.
Authority Attack
• When a request for information is made by a person in authority, we naturally tend to comply.
• Even if we don’t know the requestor, we tend to comply once we believe, or are persuaded, that the requestor is a person in authority or is authorized to make such a request.
Sometimes It Takes More Than One Time…
Sometimes an “authority” attack takes more than one conversation. A person calls you from a phone number you don’t recognize. If you answer with your name, the person will address you by it. If not, the person will use a name, then apologize when he gets the wrong name, like this:
You: “Hello, Purchasing.”
Him: “Hi, Mary, this is Jim in Accounts Receivable.”
You: “You’ve got the wrong person; I’m Linda.”
Him: “Sorry, Linda, this is John Smith. It’s been one of those days where I can’t seem to get anything right. You know what I mean.”
You: “Sure.”
Him: “Hey, speaking of… I’m calling from my mobile because I’m out of the office. Do you know Dave in Accounts Receivable?”
You: “No, I don’t know him.”
Him: “I need to talk to him and I can’t remember his number or any number down there. Can you give his number to me, or the number for that unit?”
You: “I can get their main number for you.” (You read the number to him.)
Him: “Hey, thanks, really appreciate it.” (He hangs up.)
Him (making another phone call): “Hi, is this Accounts Receivable? I’m Jim Jackson and I need some information. Linda in Purchasing said you could probably help me…”
What Happened?
• No confidential information was released.
• But now the scammer can use Linda’s name in his next communication and can appear to be authorized to make his request.
• The next person may give him the information he wants, just because he used Linda’s name.
Liking Attacks
We tend to provide the requested information when the requestor has been able to establish himself/herself as likeable, or as having similar attitudes, beliefs and interests to our own.
Liking Attack -- Example
It is useful for a social engineer to start a conversation with simple compliment questions. For example: “Those are very nice shoes; where did you buy them?”
Reciprocation -- Example
For example, consider this scenario:
Paul: “Hi, this is Paul from Office Depot. I have your order ready. We’ll be sending it to your office this afternoon.”
You: “Wait, now. I didn’t order anything from Office Depot. You have the wrong person.”
Paul: “I’m sure this is for you. Tell me your full name again?”
You: “Gene Carron.”
Paul: “Hmm, that’s the name on this order. But if you’re sure you didn’t order something… I think I can fix that. Let’s see… ok, I got that canceled. You won’t be charged for it.”
You: “Thank goodness!”
Paul: “Whoops, Gene, there is just one more thing I need to get this canceled properly. What is your cost center number?”
You: “452145G”
Paul: “Great. We’ll just get rid of that order and you won’t be charged for it.”
What Happened?
• In this scenario, the scammer, Paul, was counting on the recipient not being familiar with internal procedures; if Gene had known the procedures, the scam would not have worked on him. He didn’t, so he gave out information that could have been used to do damage to DHS.
• What information was that? The cost center number.
• The scammer could take that information, call someone else pretending to be Gene, and use the cost center number to get other restricted information.
• Why did Gene give him the information so easily? Because Paul had done Gene a favor by canceling the supposed order.
Reciprocation Attacks
• We may automatically comply with a request when we have been given or promised something of value.
• This tendency to give in return occurs even when the person receiving the gift hasn’t asked for it.
• One of the most effective ways to influence people to “do a favor” is to give some gift or assistance that creates a perceived obligation to reciprocate.
How It Works
• There are even simpler examples of manipulation by reciprocation. This type of manipulation can be as simple as complimenting a person, then following the compliment with a request.
• Even something as small as a question can create obligation.
• Try this exercise: the next time someone asks you a question, say nothing. Just stay silent or ignore it.
• Notice how awkward that is, because something as simple as a question creates a sense of obligation to answer. Simply asking the target a question can lead to amazing results.
When in doubt, don’t give it out.