As the use of technology increases, so does our vulnerability. We...
In This Article
Despite what it may sound like, social engineering is not the sort of thing you’d get a degree in from an Ivy League school. In fact, this kind of nefarious so-called engineering is quite the opposite. It could easily be called social reverse-engineering, since it has little to do with building up positive social interactions, and everything to do with deconstructing them for personal gain.
One definition of social engineering comes from prominent Russian cyber security firm Kaspersky Labs. The firm defines it as a category of techniques employed by cyber-criminals, designed to trick unsuspecting victims into disclosing their confidential data, infecting their computers with malware, or opening links to infected sites.
Although it’s certainly true that many social engineering attacks happen on the internet, there’s an equally large risk of falling prey to social engineering outside the digital realm. In a broader sense, social engineering is just skillful psychological manipulation, and it can occur in any interaction between two or more people.
Social engineering attacks often occur over the phone, in the mail, or even during face-to-face interactions. Certainly, protecting ourselves every day while using technology is critical, but in a grid-down or emergency situation, eliminating the risk of someone eliciting personally identifiable information (PII) is the key to protecting your assets and identity. Most importantly, countering these attacks will keep you and your interests safe during a chaotic situation.
If a large-scale disaster were to affect your region, your priorities would consist of keeping yourself and your family safe, fed, and calm until some sort of order is restored. Naturally, during this type of crisis you will encounter strangers whether you’re at home bugging-in, or going mobile to a bug-out location.
No matter where you are, a heightened sense of situational awareness is worth a fortune if employed by all members of your family. When the excrement hits the proverbial fan, the general population becomes more desperate for resources, and will employ tactics like those used on the web to exploit your weaknesses.
Even outside of a disaster scenario, especially brazen criminals may use these techniques to mislead you or take advantage of you.
If you can get your family more involved in the identification and countermeasures to defeat these five types of social engineering attack, your chances of survival will greatly increase.
Gaining entry to a restricted area — whether it’s a home, business, or high-security building — is a desirable skill for criminals. It’s also the first step towards compromising other levels of physical security.
One of the simplest but most effective ways of entering a prohibited area is by tailgating. No, this isn’t just referring to the road-rage-inducing driving technique — it covers any method of closely following an authorized individual to achieve access to restricted places.
This can mean sneaking behind someone who is unaware of your presence, or manipulating and piggybacking an authorized person to gain entry. In countless spy movies, the hero sneaks into the middle of a group of enemies to walk through a checkpoint — that’s an example of this technique.
In an everyday scenario, this may involve a bad guy gaining access to a location with critical telecom equipment in order to plant a harmful device, or someone attempting to steal confidential information. To prevent this, most companies will live-monitor CCTV cameras, install anti-passback systems in their access controls, or just rely on employees to not hold the door for unknown individuals. Sounds easy, right? But what about during pandemonium? How can one prevent someone with nefarious intentions from harming them or compromising their bug-out spot?
How to Defend Against Tailgating:
If you’re finding a safe place to bed down and take shelter for the night, or keeping supplies in a predetermined bug-out location, you must protect the integrity of your hideaway. With limited supplies, this may be difficult, but maintaining high ground, securing a wide perimeter, and memorizing your surroundings can assist in keeping unwanted visitors out.
Try to pick locations with considerable cover, whether it’s in a forest or urban environment. Avoid well-lit areas, and keep your own light signature in mind when traveling at night. Use surrounding material to conceal your hideaway and lessen the risk of blowing your cover.
Whenever you’re mobile, try to keep eyes in the back of your head, and your ears to the ground, figuratively. One thing that could bust your hard-earned cache of supplies or personal safety is a compromise of position. Take stock in your surroundings constantly, and maintain situational awareness. As stated above, keep your personal light signature in mind when traveling after sundown. That being said, if you must use a flashlight to navigate, use a lower-lumen setting or moonlight mode found on most tactical lights. Ideally, 5 or 10 lumens will still allow you to see where you’re going, while still offering you some concealment.
Once you arrive at your bug out spot, tone the lumen setting down even more. If your light has a red light setting, opt for this as it will still allow you to see what is directly in front of you without casting any additional beam around your position. A better(but more costly) solution to operating in low light is to pack a pair of night vision goggles (NVGs). Whichever you choose, make sure that concealment is the number one priority.
In the digital world, a link that looks too good to be true, such as a free cruise or free iPad, can easily trap an unknowing user into a well-laid-out baiting scheme. This technique is often the precursor to something even worse, such as ransomware or malware — both equally scary violations of your digital security. However, these attacks aren’t always so obvious.
The recent ultra-ransomware attacks WannaCry and Petya were prime examples of how many people can be tempted by baiting through a link or random email. These two attacks affected nearly half million users across the globe, and could have been much worse if worldwide media coverage hadn’t alerted those who received suspicious emails, but had not yet opened the embedded links.
Baiting relates seamlessly to a grid-down situation as well. Whether you’re finding a safe area away from the chaos, looking for useful provisions, or generally avoiding danger, getting fooled by a baiting attack can be just as bad as falling for the illusion of a lake in the middle of the Sahara Desert. In a SHTF situation, countering these methods can be just as easy as when you’re browsing the web — although there’s no pop-up blocker or anti-malware plugin to help you detect real-life scams.
How to Defend Against Baiting:
Just like most attacks, general situational awareness can prevent a myriad of incidents. If you see something that you feel could be useful, or that appears curious, look around you before going near the object.
For example, rumors have circulated about criminals targeting individuals in parking lots late at night by placing bait to lure the victim away from their driver’s side door. As the victim steps away from his or her car to inspect the out-of-place item, the assailant could move in and commit whatever act they intended on carrying out.
If you’re familiar with the area that you’re in, it’s best to stay in the parts of town that you know best. Unexpected incidents often happen in unfamiliar places, so sticking to the familiar areas will likely be more beneficial for your own personal safety. If it’s a foreign environment, do your best to stay nondescript and don’t linger. Just like with cyber safety, staying out of questionable websites and avoiding unknown links will promise you more safety than browsing to them.
Just recently, many US residents were victims of a giant telephone phishing scheme by a group of unknown social engineers who attempted to steal large amounts of money. These hackers would call their targets and claim to be the IRS, stating the individual owed the federal government funds due to a tax audit, or mistake in back taxes. This scheme is still active, and has worked frequently over the past year. Even worse, many different forms of it have popped up from copycat hackers.
Just like on the web, phishing can be dangerous in the real world as well. During a grid-down scenario, unsavory characters may attempt to slyly elicit information from you regarding your past, your profession, and even personal notes like marital status. These pieces of information, as trivial as they may seem, can all be used against you in some way or another. Now, this doesn’t mean lie to everyone you know, but be sure to take caution if someone is asking way too many questions all of a sudden.
How to Defend Against Phishing:
Be careful what information you surrender to those you have just met. Your belongings, such as gas, ammunition/firearms, generators, and food, aren’t something to brag about during an emergency. Mentioning this to the wrong individual might put a target on your back.
It’s best not to offer any information that isn’t obvious about your family or personal life. These are all things that can be held against you if you are the victim of a nefarious social engineer. The last thing you want is for a family member to be taken hostage because a rogue group wants something that you have—if society collapses, many individuals will have no qualms about seizing any advantage they can.
Skills can be just as valuable as tangible items, so be cautious of what you put on display to those that don’t know you all too well. If someone notices you’re a medical professional, they may show up on your doorstep injured and begging to be let in — or worse yet, demanding your assistance at gunpoint.
The line between awareness and paranoia must be drawn very finely when identifying pretexting. This technique involves convincing those around you that you’re something you’re not, or manipulating perception– a very powerful social engineering skill. For example, someone who’s up to no good might dress up as a police officer or another figure of authority to gain access to an area.
Pretexting can be used during times of panic to make advances on targets that would otherwise be off-limits to the average Joe, opening up many opportunities to wreak havoc. Gaining trust as someone else is a surefire way to deceive the unsuspecting.
How to Defend Against Manipulation and Pretexting:
To detect pretexting, ask leading questions about the person’s association with who they claim to be. Don’t come off as insulting, but use conversational questions about how long they’ve been doing what they do or how they obtained their credentials to figure out if the water is truly murky.
Inquire about their situation, how they’re surviving, where they’re from, and other non-intrusive questions about their life. A friendly demeanor and good acting skills are essential to pulling this off convincingly.
If after all of this, you’re still questioning their expertise or authority, find polite ways to get out of the situation. Look for visual cues when they are answering your questions. Shaking or fidgeting of the hands, limited eye contact, voice trembling, hesitation, and answers that don’t particularly line up are red flags that should signal you to get out of Dodge before it’s too late.
Diversion is exactly what it sounds like: diverting someone’s attention away from something that they really should be paying attention to, thus opening the opportunity to commit a nefarious act.
As one can imagine, there are a myriad of situations in the real world where diversion is effective. Most popular is the around-the-corner trick, where a group of individuals work to draw their victim away from the target of the operation (such as a vehicle, home, or security post). When the victim is away from the target, another member of the criminal group strikes and takes action on the target, thus completing the diversion attack and leaving the victim with their pants around their ankles.
If you are the target of this social engineering attack, it may be difficult to determine if you are being led down a path of lies by a stranger, or if there is indeed something going on that may require your attention. Combating these attacks is difficult, so attempt to pick up on any odd behavior that a shady character may display before your time to evaluate runs out.
How to Defend Against Diversion:
Claiming that someone is in medical distress or in danger is a common way that one could be tricked into leaving a vehicle, possessions, or family behind for just a minute. These situations get your blood pressure pumping, raise your heart rate, and stop you from thinking clearly about being deceived. Everyone wants to believe somebody wouldn’t lie about an actual emergency, but stay alert and pay attention to your surroundings— not everything is what it seems.
The easiest way to avoid this attack is heightening your sense of personal security. If mobile, avoid leaving supplies out on display. This just makes them easy pickings if you aren’t around. Also, make sure you make things as theft-proof as possible at your bug-out location. It’s not always easy to do, but stashing valuables in hidden spots can save you some heartache if anyone ever loots your hideaway.
When dealing with experienced social engineers, you may not even know someone is taking advantage of you, so it’s essential to watch for warning signs.
The attacks we have presented are some of the most common types that are carried out by cunning criminals. Above all, the best way to prevent being a victim is by having a heightened sense of awareness, and taking preventative steps to protect your belongings. The countermeasures we’ve discussed will enable you to be more cautious and prepared in the event of a catastrophe.
Jim Henry is a physical security and surveillance expert who has spent all of his adult life working to keep people out of places they shouldn’t be, and locating individuals who need to be found. Prior to his current employment in the private sector, where he works as a government contractor, Henry was a Surveillance Investigator for The Rivers Casino in Pittsburgh, PA. He also worked in Erie, PA in a similar role. Before that, Henry was busy building a diverse portfolio of education, studying countersurveillance, critical infrastructure protection, and threat detection. Even though most of his current work remains secret, Henry is very vocal about his love for firearms, writing, EDC gear, hiking with his dog, and spending time with his family.
Social engineering attacks can happen anywhere two people interact.
A sign at the Apple headquarters warns employees to watch for tailgating. (via Wikipedia)
Security cameras and access controls can help prevent
That bright flashlight might help you navigate, but it can also give away your position.
This email appears to contain a UPS package tracking link, but the link actually downloads a ZIP file containing malware.
Be very careful about disclosing the extent of your gear and supplies, as this may entice criminals to target your home.
An outward appearance of authority or vulnerability can distort your perception of an individual.
In Star Wars: A New Hope, Luke and Han use the illusion of escorting Chewie to sneak through the Death Star.
Photo: Flickr.com/cooljuno411 (CC BY-SA 2.0)
If the distraction is successful, you may end up leaving yourself wide open to intrusion or theft.
Don't store your valuables in obvious locations, and always keep them secured, especially during emergencies.