Shouldn’t It Be Called Anti-Social Engineering?

Just as there is nothing “social” about social distancing, there is nothing social about social engineering.  We could easily call it anti-social engineering, since this is practiced by cyber-criminals and sociopaths to separate us from our personal information or our money.  A more common term would be scam or con.

These bad actors are masters at playing on our emotions.  When I teach a cybersecurity awareness course, I advise people to recognize a social engineering exploit by being conscious of changes in their emotional state.  We all have a “normal” emotional state that we use at work or at home, which I will suggest is usually a neutral or logical state of mind.  A good scam, when it comes into your inbox as an email, or on your phone as a call or text message, is designed to move you from your normal, logical, or neutral state of mind to something more energetic, such as concern, fear, anger, surprise, or even happiness (think of dating scams).  A well-crafted scam will play on several emotions simultaneously.  If you are suddenly feeling emotions like those below, you might just be getting scammed.

  • Fear.  Probably the most widely used emotion, since fearful people can be convinced to do all sorts of things in the heat of the moment that they regret later, when sanity has returned.
  • Anger. Number two on the emotional hit parade is anger.  Again, when you are moved from a rational frame of mind to something irrational, such as anger, it is easy for a scammer to convince you to make decisions that are not in your best interest.
  • A sense of urgency.  You must act now! Time is running out!  Police are coming to arrest you, your utilities are going to be shut off, or this is a special limited time offer.
  • Scarcity.  This is closely related to a sense of urgency.  There are only a few remaining, act now before they are gone.
  • Authority.  Your boss sent an email that demands immediate action, such as the wire transfer of money, or the immediate payment of a “past-due invoice.”  Often this emotion is coupled to the hijacking of the email account of the authority figure.  Or it is a scammer pretending to be an official from the IRS, Social Security, the electric company, or even your own IT support team.  The use of authority is another popular method used to override common sense or logic.
  • Love and happiness.  One of the top cyber-crimes is what the FBI terms “romance fraud.”  Finding true love or a “soulmate” online is fraught with danger, both emotional and financial.  Be wary if your new love starts asking for financial assistance, loans, or presents you with sure-fire investment schemes.
  • Reciprocity.  This is where the scammer makes some small concession to you in order to get a bigger concession in return.  It is often part of an advance fee fraud, where the scammer asks you for a good faith deposit of money in return for a much larger sum that never materializes.
  • Greed or luck.  This emotion plays on our fantasies of instant wealth, luck, or good fortune.  It is part of nearly every financial scam where you are assured that riches lie right around the corner.
  • Helpfulness.  In this scenario, the criminal plays on your better nature by asking for your help.  There is a sad story, and things would be so much better if you would just help a little.  Sometimes these scams take place in person, or over the phone.  The bad actor may be displaying emotions of their own by crying or making a fuss.
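The emotional levers listed above can also be checked mechanically.  The script below is an added example and is not part of the original post: it scans a message for phrases associated with each lever, notes whether the message also asks for an action (a wire transfer, a gift card, a link click), and returns a score.  The phrase lists and the three sample messages are constructed for illustration; a real mail filter would be tuned to the organization and its usual correspondents.

```python
"""Flag messages that lean on the emotional levers social engineers use.

Added example, not the post's own tooling.  The trigger phrases and
sample messages are constructed for illustration only.
"""
import re

# One phrase list per emotional lever from the post (constructed, not exhaustive).
TRIGGERS = {
    "urgency": [r"\bact now\b", r"\bimmediately\b", r"\btime is running out\b",
                r"\bwithin 24 hours\b", r"\bright away\b"],
    "fear": [r"\barrest\b", r"\bsuspended\b", r"\bshut off\b",
             r"\blegal action\b", r"\bcompromised\b"],
    "authority": [r"\bceo\b", r"\bsocial security\b", r"\birs\b",
                  r"\bit support\b", r"\bthe director\b"],
    "scarcity": [r"\bonly \d+ (left|remaining)\b", r"\blimited time\b",
                 r"\bbefore they are gone\b"],
    "greed": [r"\byou have won\b", r"\bguaranteed return\b",
              r"\blottery\b", r"\bprize\b"],
    "reciprocity": [r"\bgood faith deposit\b", r"\badvance fee\b",
                    r"\bprocessing fee\b"],
    "helpfulness": [r"\bplease help\b", r"\bi need your help\b", r"\bfavor\b"],
}

# Requests that turn an emotional nudge into a loss if the reader complies.
ACTION_ASKS = [r"\bwire transfer\b", r"\bgift cards?\b",
               r"\bclick (the|this) link\b",
               r"\bverify your (account|password)\b",
               r"\bpast[- ]due invoice\b"]


def _matches(patterns, text):
    """Return the distinct phrases from `patterns` found in `text`."""
    return sorted({m.group(0) for p in patterns for m in re.finditer(p, text)})


def score_message(text):
    """Score a message: one point per emotional lever hit, plus two if it
    also asks the reader to do something.  Returns levers, asks, score and
    the verdict a reader should act on."""
    lower = text.lower()
    levers = {cat: _matches(pats, lower) for cat, pats in TRIGGERS.items()}
    levers = {cat: hits for cat, hits in levers.items() if hits}
    asks = _matches(ACTION_ASKS, lower)
    score = len(levers) + (2 if asks else 0)
    if score >= 3:
        verdict = "high: stop, disengage, and verify out of band"
    elif score >= 1:
        verdict = "medium: pause and read it again before acting"
    else:
        verdict = "low: no emotional triggers found"
    return {"levers": levers, "asks": asks, "score": score, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_CEO = ("Hi, this is the CEO. I need you to process a wire transfer "
              "immediately for a past-due invoice. Act now, I am in a meeting "
              "and cannot talk.")
SAMPLE_LOTTERY = ("Congratulations! You have won the international lottery. "
                  "Only 3 remaining prizes. Pay the processing fee today to "
                  "claim your prize.")
SAMPLE_NORMAL = ("Hi team, the quarterly report draft is attached. "
                 "Comments welcome by Friday.")


if __name__ == "__main__":
    for name, msg in (("ceo", SAMPLE_CEO), ("lottery", SAMPLE_LOTTERY),
                      ("normal", SAMPLE_NORMAL)):
        result = score_message(msg)
        print(f"{name}: score={result['score']} {result['verdict']}")
        for lever, hits in result["levers"].items():
            print(f"  {lever}: {', '.join(hits)}")
        if result["asks"]:
            print(f"  asks: {', '.join(result['asks'])}")
```

The score is deliberately coarse.  The point is not to catch every scam automatically but to make the post's advice concrete: a message that hits two or more levers and asks for money or a click is exactly the one to set aside and confirm by a phone call to a number you already have.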

My advice to you is to slow down, and take a breath.  Disengage.  Hang up the phone.  Learn to be skeptical.  Show that email to a co-worker, friend, or family member.  Wait a while: does this seem at all likely now that you are emotionally disengaged again?  If the call or email is from a supplier or company you do business with, log into your account using your usual method (NOT using the provided link) and check their claims.  If there is an email request for money or anything else that looks like it came from a legitimate account, take a moment to confirm the request by phone.

Be aware of changes to your emotional state that are early warning signs of social engineering.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
