You may have heard of this method in the news before. Whether it is a phone call with your IT help desk, an IT technician watching you on your computer, or a wandering cyber threat roaming your office environment, social engineering poses a risk to everybody. Social engineering is a technique in which your digital security is compromised through social skills and manipulation rather than technical means. It is a technique that many cyber security analysts have a hard time preventing, since it isn’t a deficiency in physical or IT security but rather in cultural and personnel security. Most forms of social engineering involve some combination of deception, impersonation, and exploitation of trust. To showcase how subtle a social engineering attack can be, I will provide an example of social engineering at work.
Suppose there is a female hacker named Mary trying to obtain access to somebody’s (I will call him Joe) phone account. She has already ascertained that Joe uses AT&T as his cell phone provider because she has overheard him complain about service coverage in the local area. Mary contacts AT&T customer service and is connected to a very helpful and relatable AT&T associate, Tom.

<Mary>: *Dials AT&T customer service line*

<Tom>: Hello, this is Tom with AT&T Customer Service. Thank you for reaching out. May I please have your first and last name?

<Mary>: Hi! *stutters over the phone, pretends to be short of breath* I’m so sorry. My husband Joe wanted me to call customer support about adding our daughter to our account? My name is Mary.

<Tom>: OK. I am more than happy to help you with that, Mary. Can I have your account number?

<Mary>: Oh… I don’t think I have it on me right now. Joe never lets me see the bill, he’s always trying to take care of things for me! I’m sorry, I’m just a bit overwhelmed at the moment! The baby and the bills… *plays an audio clip of a crying baby in the background* Oh no, I think that’s her again…

<Tom>: That’s okay, Mary. I can search for the account via phone number too.

<Mary>: Thank you so much, Tom! The number is 555-555-5555. *baby in the background still crying*

<Tom>: Thank you, ma’am. I will just be a moment while I look up that information.

<Tom>: I found the account. Mary, can you just confirm your phone number on the account now?

<Mary>: Sure! That number should be 555-555-5556. *baby still crying*

<Tom>: Awesome, that matches up! I think I see what the problem is here. Your husband never seems to have added you as an authorized user. Would you like to get that set up now?

<Mary>: Yes, please! *baby continues crying* What information do you need? I think the baby needs me. My name is Mary Walker, the phone number you can put down is 444-444-4444, social is 999-99-9999. If you need more info, I will have to *baby crying louder* probably *baby cries in the background* have to try to find it. Might take a while with little Walker over here!

<Tom>: That should be all the information I need, Mary. You have a lot on your plate right now, this will only be a moment while I add you. Is it a girl or a boy?

<Mary>: She’s a girl and she’s the sweetest thing ever, when she’s not keeping me up late at night! *both laugh*

<Tom>: OK, I’ve added you as an authorized user, now what can I do for you? *baby still crying in the background*

<Mary>: Thank you so much Tom, you’re the best! I just wanted to… <end>
The above scenario is dangerous not because Mary was successful, but because it wasn’t all that difficult. All it took was some starting knowledge that is easy to obtain (the carrier and a phone number), the motive to exploit helpful associates, and soft social skills. In the scenario described, Mary was able to become an authorized user on Joe’s account with less proof of identity than the process should have required, by exploiting the human desire to help others. Additionally, she impersonated Joe’s wife and faked caring for a newborn baby in order to make Tom sympathize with her current plight.
Unfortunately, social engineering exploits the helpful nature of people. Mary purposefully played audio tracks of a crying baby because she knew that it would resonate with almost anybody she would be connected to over the phone. What should normally have been a more involved process requiring additional forms of verification was made much smoother because Tom wanted to help.
In these kinds of situations, the only way to counter the hackers is to be vigilant about these types of attacks. Had Tom stuck to normal operating procedures, Mary most likely would not have had enough information to add herself as an authorized user: she never produced the account number, and a phone number that appears on the account is something an outsider can easily learn. Another, reactive measure would be Joe setting up account alerts so that he is always kept up-to-date on any changes made to his AT&T account. Should anything be amiss, Joe would be contacted and could proceed from there.
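To make the two countermeasures above concrete, here is an added example (not from the original post, and not AT&T's actual process) that models a help-desk change request as a verification gate plus an alert to the account holder. The account number, the security PIN, the caller's originating number and the name "Jane" are all constructed values; the rule that two independent factors are required, and that a recited phone number never counts as one, is an assumption chosen to reflect the point of the scenario. Run as a script, it replays Mary's call, a legitimate call from Joe, and a call from Joe that falls short of the procedure.

```python
"""Constructed model of a help-desk verification gate with change alerts."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    account_number: str
    holder_name: str
    holder_phone: str                 # number of record; alerts are sent here
    security_pin: str                 # knowledge factor set by the holder (constructed)
    authorized_users: list = field(default_factory=list)
    change_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


@dataclass
class CallerClaims:
    name: str
    account_number: Optional[str] = None
    security_pin: Optional[str] = None
    stated_phone: Optional[str] = None   # a number the caller recites over the phone
    caller_id: Optional[str] = None      # the number the call actually originates from


def verify_caller(account: Account, claims: CallerClaims) -> tuple[bool, list[str]]:
    """Apply the operating procedure: count only factors a stranger cannot
    cheaply obtain, and require two of them. There is deliberately no input
    for how sympathetic or stressed the caller sounds."""
    factors = []
    if claims.account_number is not None and claims.account_number == account.account_number:
        factors.append("account number")
    if claims.security_pin is not None and claims.security_pin == account.security_pin:
        factors.append("security PIN")
    if claims.caller_id is not None and claims.caller_id == account.holder_phone:
        factors.append("call from number of record")
    notes = []
    if claims.stated_phone is not None:
        # A number that appears on the account can be overheard or looked up,
        # so reciting it proves nothing about who is calling.
        notes.append("recited phone number ignored: not a verification factor")
    verified = len(factors) >= 2
    notes.append("verified via " + ", ".join(factors) if verified
                 else "insufficient factors: " + (", ".join(factors) or "none"))
    return verified, notes


def add_authorized_user(account: Account, claims: CallerClaims, new_user: str) -> bool:
    """Help-desk action gated by verify_caller. Both outcomes are logged and
    alert the holder, so neither a change nor an attempt passes silently."""
    verified, notes = verify_caller(account, claims)
    if not verified:
        account.change_log.append(("DENIED add_authorized_user", claims.name, notes))
        account.alerts.append(f"Denied attempt to add an authorized user by caller '{claims.name}'")
        return False
    account.authorized_users.append(new_user)
    account.change_log.append(("ADDED authorized user", new_user, notes))
    account.alerts.append(f"Authorized user added: {new_user}")
    return True


def run_scenarios() -> dict:
    """Replay the post's scenario and two contrasting calls on a constructed account."""
    joe = Account(account_number="ACCT-0001", holder_name="Joe",
                  holder_phone="555-555-5555", security_pin="4821")
    # Mary: knows Joe's number, recites a number on the account, calls from her own phone.
    mary = CallerClaims(name="Mary Walker", stated_phone="555-555-5556", caller_id="444-444-4444")
    mary_added = add_authorized_user(joe, mary, "Mary Walker")
    # Joe calling from his own phone and giving his PIN: two independent factors.
    joe_ok = CallerClaims(name="Joe", security_pin="4821", caller_id="555-555-5555")
    joe_added = add_authorized_user(joe, joe_ok, "Jane")
    # Joe from an unrecognised phone with only the account number: one factor, denied.
    joe_short = CallerClaims(name="Joe", account_number="ACCT-0001", caller_id="333-333-3333")
    joe_short_added = add_authorized_user(joe, joe_short, "Jane")
    return {
        "mary_added": mary_added,
        "joe_added": joe_added,
        "joe_short_added": joe_short_added,
        "authorized_users": list(joe.authorized_users),
        "alerts": list(joe.alerts),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The design point is that the gate has no field for the caller's story: sympathy cannot raise the factor count, and the legitimate holder is refused in exactly the same way when he cannot meet the procedure. The alert on a denied attempt is an addition beyond the post's "alert on changes", since a refused request is often the earliest signal the holder gets.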
In the modern world, where technology permeates all parts of our lives, it is up to everybody to be more vigilant with cyber security. Passwords and other account authentication measures should not be taken lightly by anybody. Spreading awareness, while it may seem ineffective, is one of the best ways to protect ourselves from many forms of hacking. Even though it is not as technical as some other methods that hackers employ, social engineering is just as dangerous; the more that everybody knows about it, the better we can protect ourselves.