
California State University, Los Angeles
Social Engineering 101
What the thieves don't want you to know
Thieves steal stuff -- money, jewelry, just about anything. Maybe information or unauthorized access to campus systems. But it takes a real "artist" to exploit people’s basic characteristics, such as willingness to trust, being helpful, and wanting a good bargain. People who use these traits to manipulate others are called con or scam artists, and "social engineering" is the name for the techniques and tactics they use.
Today social engineering is more sophisticated than ever because so many new tools are readily available. E-mail, spyware, telemarketing, print and broadcast advertising, direct mail campaigns, and phony Web sites are all in the con artist's bag of tricks.
How do the scammers get away with it? The key to their success is victim participation. Here’s an example using a low-tech method: personal contact.
Professor Rhodes is grading final exams when a nicely dressed young man enters the office, a campus ID card clipped to his collar.
“Excuse me,” he says, fumbling with manila folders. “I’m Ed from Payroll. We’re cleaning up some things before the Chancellor’s Office audit starts next week. We noticed that your file is missing a W4 form. It would be great if you would take a moment to fill this out. You’d really be helping me out. It will just take a second.”
Dr. Rhodes gladly obliges and gives the form back to Ed. It contains the professor’s first and last name, Social Security Number, home address, marital status, and signature. Ed smiles and says thanks as he goes off to find the next professor.
Professor Rhodes wanted to help the campus do well in the audit, and trusted Ed because he was wearing a campus ID card. But “Ed” isn’t his real name, and his ID card is a fake. Nothing about the visit was verified: nobody inspected the badge, nobody called Payroll to ask whether an Ed worked there or whether W4 forms were being collected door to door, and the "audit next week" discouraged anyone from taking the time to check. He timed his visit for when he knew faculty would be busy grading finals. He "social engineered" the situation perfectly. He can now sell Dr. Rhodes's personal information or use it himself to commit identity theft.
Same Technique, Different Methods
Ed’s method of suckering people in person is time consuming and risky. Instead, he could use the same techniques on a massive scale. Not everyone will take the bait, but enough will to make it worthwhile. Ed has many methods to choose from:
- Telephone: Unless you recognize the voice, you have no way of knowing who is on the other end of the line, and Caller ID can be spoofed, so the number on your display proves nothing either. You may be asked any number of questions that, taken together, reveal enough for a con artist to carry out a scam: where someone’s office is, the IP address of a server, whether your boss is on vacation, what someone’s private number is, what usernames and passwords you or your department use, what times you are away from your office. Each answer sounds harmless on its own; all of them together are what the scammer needs.
- Telemarketing Scams: Callers offer you a terrific discount, a spectacular prize (you only have to pay shipping and handling), or an opportunity to donate to a worthy cause. All of the offers require the victim to send a check or, even better for the scammer, to recite their name, address, credit card number, card verification value code, and PIN. Think what a con artist can do with that information!
- Direct Mail: Offer letters or materials that look professional and legitimate are mass-mailed. Get a new mortgage for half the finance charges you are now paying. Buy a satellite radio and get a global positioning system free. Contribute to a political campaign or charity. Whatever the offer, the victim must send money or personal and financial account information.
- Print or Broadcast Advertising: Like the direct mailings, these ads look legitimate. And the offers seem too good to pass up. Just send a check or money order – or better yet, your credit card information – and you’ll get the deal of a lifetime.
- E-mail – Spam: Electronic junk mail -- spam -- arrives in potential victims' inboxes daily. It's cheap and anonymous. Spam takes many forms, but unlike direct mail, the scam can be more difficult to detect. Malware may be hidden in an attachment that looks like an image or a document, and clicking on a link may download a virus or spyware that gives a third party unauthorized access to the user's computer. The scammer can then monitor keystrokes and Internet browsing patterns, read and gather data and personal information, and/or gain control of the user’s computer. The information collected can be sent to advertisers or others -- all without the user’s knowledge or consent.
- Phishing and Spoofed Web Sites: An equally dangerous type of spam is known as phishing, pronounced “fishing.” These e-mail messages look genuine, but they are “spoofed.” They carry the logo and contact information of legitimate businesses, charities, or agencies. The recipient may be offered a deal, asked to update bank account information, or given a warning about an account. The scammer hopes the victim will click on a link in the message and be taken to a Web site that certainly looks legitimate, but is not. The text of the link can say one thing while the link itself goes somewhere else entirely, so hover over a link (or view the message source) to see its real destination before clicking, and when in doubt type the organization's address into your browser yourself. At the spoofed site, the victim may enter his or her personal and/or financial account information, including passwords.
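The link trick in a phishing message is easy to demonstrate. The script below is an added example written for this page, not code from the original article or from any CSULA tool: it pulls every link out of a constructed sample message and flags the three things the paragraph above warns about (link text that names one site while the link goes to another, a link that goes to a bare IP address, and a host that imitates a trusted domain). The sample e-mail, the trusted-domain list (calstatela.edu is assumed here), and the flagging rules are all assumptions for the example; the hosts in the sample use reserved example/test names and addresses, not real sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message (hypothetical; hosts are reserved
# example/test names and addresses, not real sites).
SAMPLE_EMAIL = """
<p>Dear Faculty Member,</p>
<p>Our records show your payroll file is missing a W4 form. Please confirm
your details at
<a href="http://calstatela.edu.hr-verify.example.net/w4">https://www.calstatela.edu/payroll</a>
before next week's audit. Questions? See
<a href="https://www.calstatela.edu/its">ITS</a>, log in at our
<a href="http://192.0.2.10/login">portal</a>, or
<a href="https://ca1statela.edu/reset">reset your password</a>.</p>
"""

# Domains the reader actually trusts. Assumed for the example.
TRUSTED_DOMAINS = ["calstatela.edu"]

_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Common digit-for-letter substitutions used in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


class _LinkParser(HTMLParser):
    """Collects (visible text, href) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def host_of(url_or_domain):
    """Lowercased hostname of a URL or bare domain, '' if there is none."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Last two labels: a crude stand-in for the registrable domain (no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def imitates(host, trusted):
    """True if host resembles `trusted` without being it: the trusted name used as a
    decoy prefix (calstatela.edu.evil.example) or a digit-for-letter lookalike."""
    if registrable(host) == trusted:
        return False
    brand = trusted.split(".")[0]
    return trusted in host or brand in host.translate(_HOMOGLYPHS).split(".")


def scan_email(html, trusted_domains=TRUSTED_DOMAINS):
    """Return (visible text, href, reason) for every link that deserves suspicion."""
    findings = []
    for text, href in extract_links(html):
        host = host_of(href)
        if not host:
            continue
        if _IPV4.match(host):
            findings.append((text, href, "link goes to a raw IP address"))
        if _URLISH.match(text) and registrable(host_of(text)) != registrable(host):
            findings.append((text, href, f"shown as {host_of(text)} but goes to {host}"))
        for trusted in trusted_domains:
            if imitates(host, trusted):
                findings.append((text, href, f"{host} imitates {trusted}"))
    return findings


def flagged_hrefs(html, trusted_domains=TRUSTED_DOMAINS):
    """Distinct link targets flagged by scan_email, sorted."""
    return sorted({href for _, href, _ in scan_email(html, trusted_domains)})


if __name__ == "__main__":
    for text, href, reason in scan_email(SAMPLE_EMAIL):
        print(f"{reason}: [{text}] -> {href}")
```

Run against the sample, the one genuine link (the ITS page on the trusted domain) passes and the other three are flagged. The "last two labels" shortcut in `registrable` is deliberately crude (it mis-handles names such as `.co.uk`); a production check would use the public suffix list and a real homoglyph table, but the point of the example is that the visible text of a link tells you nothing about where it goes.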
Don’t Take the Bait
Don’t fall for social engineering tactics – don’t be manipulated. Con artists cannot run their scams without your participation. What should you do to avoid being a victim?
- Know how business is conducted – at the University, your bank, and your place of employment. Be suspicious when anyone’s request for your personal information is out of the ordinary.
- Be skeptical. If an offer sounds too good to be true, it probably is.
- Do not provide personal or financial information in response to an unsolicited request, whether it arrives by telephone, e-mail, direct mail, or in person.
- Do not respond to telemarketing or direct mail campaigns. If you want to make a purchase or donate to a charity, first find the legitimate contact information, and then initiate the transaction yourself.
- Verify that businesses that advertise in print and on broadcast media are legitimate before you respond to their ads. Contact your local Better Business Bureau or consumer protection agency.
- Verify a person’s or entity’s credentials before giving your personal or financial information.
- Do not respond, click on any links, or open any attachments in spam e-mail messages. Permanently delete all spam from your computer.
- Be aware. Learn all you can about scams and scam artists’ methods. Check out these resources:
- Anti-Phishing Working Group
- Are You Secure? (CSULA information security Web site)
- Better Business Bureau
- Equifax Credit Ratings and Reports
- Experian Credit Ratings and Reports
- Federal Trade Commission: Facts for Consumers about Telephone Scams
- Federal Trade Commission Avoid ID Theft Web site
- National Fraud Information Center
- Scams on Snopes.com
- SecurityInfoWatch.com
- Transunion Credit Ratings and Reports
- United States Secret Service
The human factor is the weakest link in the information security chain. Remember, without your participation social engineering doesn’t work. Always be cautious, careful, and security conscious!
