Social Engineering: How to Defend Against Manipulative Wolves in Sheep’s Clothing

It’s not just a technique for master criminals. Social engineering can be as simple manipulating others to steal your personal data.

Despite what it may sound like, social engineering isn’t the sort of thing you’d get a degree in from an Ivy League school. In fact, this kind of nefarious so-called engineering is quite the opposite. It could easily be called social reverse-engineering, since it has little to do with building up positive social interactions and everything to do with deconstructing them for personal gain.

What is Social Engineering?

One definition of social engineering comes from prominent Russian cybersecurity firm Kaspersky Labs. The firm defines it as a category of techniques employed by cyber-criminals, designed to trick unsuspecting victims into disclosing their confidential data, infecting their computers with malware, or opening links to infected sites.

Although it's certainly true that many social engineering attacks happen on the internet, there's an equally large risk of falling prey to social engineering outside the digital realm. In a broader sense, social engineering is just skillful psychological manipulation, and it can occur in any interaction between two or more people.

Above: Clever criminals won’t need to physically disarm you if they can verbally disarm you first. A charming smile and a convincing appearance are often all it takes to get a victim’s guard down.

Social engineering attacks often occur over the phone, in the mail, or even during face-to-face interactions. Certainly, protecting ourselves every day while using technology is critical, but in a grid-down or emergency situation, eliminating the risk of someone eliciting personally identifiable information (PII) is the key to protecting your assets and identity. Most importantly, countering these attacks will keep you and your interests safe during a chaotic situation.

If a large-scale disaster were to affect your region, your priorities would consist of keeping yourself and your family safe, fed, and calm until some sort of order is restored. Naturally, during this type of crisis you will encounter strangers whether you’re at home bugging-in or going mobile to a bug-out location.

Above: Live-monitored security cameras and access controls can help prevent piggybacking and tailgating attacks.

No matter where you are, a heightened sense of situational awareness is worth a fortune if employed by all members of your family. When the excrement hits the proverbial fan, the general population becomes more desperate for resources and will employ tactics like those used on the web to exploit your weaknesses.

Even outside of a disaster scenario, especially brazen criminals may use these techniques to mislead you or take advantage of you. If you can get your family more involved in the identification and countermeasures to defeat these five types of social engineering attacks, your chances of survival will greatly increase.

Piggybacking or Tailgating

Gaining entry to a restricted area — whether it's a home, business, or high-security building — is a desirable skill for criminals. It's also the first step toward compromising other levels of physical security.

One of the simplest but most effective ways of entering a prohibited area is by tailgating. No, this isn’t just referring to the road-rage-inducing driving technique — it covers any method of closely following an authorized individual to achieve access to restricted places.

Above: Criminals have tried to take advantage of the unsuspecting by impersonating law enforcement officers.

This can mean sneaking behind someone who is unaware of your presence or manipulating and piggybacking an authorized person to gain entry. In countless spy movies, the hero sneaks into the middle of a group of enemies to walk through a checkpoint — that's an example of this technique.

In an everyday scenario, this may involve a bad guy gaining access to a location with critical telecom equipment in order to plant a harmful device, or someone attempting to steal confidential information. To prevent this, most companies will live-monitor CCTV cameras, install anti-passback systems in their access controls, or just rely on employees to not hold the door for unknown individuals. Sounds easy, right? But what about during pandemonium? How can one prevent someone with nefarious intentions from harming them or compromising their bug-out spot?

Countermeasures

If you’re finding a safe place to bed down and take shelter for the night or keeping supplies in a predetermined bug-out location, you must protect the integrity of your hideaway. With limited supplies, this may be difficult, but maintaining high ground, securing a wide perimeter, and memorizing your surroundings can assist in keeping unwanted visitors out.

Try to pick locations with considerable cover, whether it’s in a forest or urban environment. Avoid well-lit areas and keep your own light signature in mind when traveling at night. Use surrounding material to conceal your hideaway and lessen the risk of blowing your cover.

Above: An outward appearance of vulnerability can distort your perception of an individual.

Whenever you’re mobile, try to keep eyes in the back of your head, and your ears to the ground, figuratively. One thing that could bust your hard-earned cache of supplies or personal safety is a compromise of position. Take stock of your surroundings constantly and maintain situational awareness. As stated above, keep your personal light signature in mind when traveling after sundown. That being said, if you must use a flashlight to navigate, use a lower lumen setting or moonlight mode found on most tactical lights. Ideally, 5 or 10 lumens will still allow you to see where you’re going, while still offering you some concealment.

Once you arrive at your bug-out spot, tone the lumen setting down even more. If your light has a red light setting, opt for this as it will still allow you to see what’s directly in front of you without casting any additional beam around your position. A better (but more costly) solution to operating in low light is to pack a pair of night vision goggles (NVGs). Whichever you choose, make sure concealment is the number-one priority.

Baiting

In the digital world, a link that looks too good to be true, such as a free cruise or free iPad, can easily trap an unknowing user into a well-laid-out baiting scheme. This technique is often the precursor to something even worse, such as ransomware or malware — both equally scary violations of your digital security. However, these attacks aren't always so obvious.

The ultra-ransomware attacks WannaCry and Petya were prime examples of how many people can be tempted by baiting through a link or random email. These two attacks affected nearly a half-million users across the globe. They could’ve been much worse if worldwide media coverage hadn’t alerted those who received suspicious emails, but had not yet opened the embedded links.

Above: This wallet may have been dropped accidentally, or it may be a form of bait, so approach with caution.

Baiting relates seamlessly to a grid-down situation as well. Whether you’re finding a safe area away from the chaos, looking for useful provisions, or generally avoiding danger, getting fooled by a baiting attack can be just as bad as falling for the illusion of a lake in the middle of the Sahara Desert. In a SHTF situation, countering these methods can be just as easy as when you’re browsing the web — although there’s no pop-up blocker or anti-malware plug-in to help you detect real-life scams.

Countermeasures

Just like most attacks, general situational awareness can prevent a myriad of incidents. If you see something that you feel could be useful or that appears curious, look around you before going near the object.

For example, rumors have circulated about criminals targeting individuals in parking lots late at night by placing bait to lure the victim away from their driver’s side door. As the victim steps away from his or her car to inspect the out-of-place item, the assailant could move in and commit whatever act they intended on carrying out.

If you’re familiar with the area you’re in, it's best to stay in the parts of town that you know best. Unexpected incidents often happen in unfamiliar places, so sticking to the familiar areas will likely be more beneficial for your own personal safety. If it’s a foreign environment, do your best to stay nondescript and don’t linger. Just like with cyber safety, staying out of questionable websites and avoiding unknown links will promise you more safety than browsing to them.

Phishing

In 2017, many U.S. residents were victims of a giant telephone phishing scheme by a group of unknown social engineers who attempted to steal large amounts of money. These hackers would call their targets and claim to be the IRS, stating the individual owed the federal government funds due to a tax audit or mistake in back taxes. This scheme is still active and has worked frequently over the past year. Even worse, many different forms of it have popped up from copycat hackers.

Above: Casual conversations in public can be used by clever criminals to obtain information about your personal life.

Just like on the web, phishing can be dangerous in the real world as well. During a grid-down scenario, unsavory characters may attempt to slyly elicit information from you regarding your past, your profession, and even personal notes like marital status. These pieces of information, as trivial as they may seem, can all be used against you in some way or another. Now, this doesn’t mean lie to everyone you know, but be sure to take caution if someone is asking way too many questions all of a sudden.

Countermeasures

Be careful what information you surrender to those you have just met. Your belongings, such as gas, ammunition/firearms, generators, and food, aren’t something to brag about during an emergency. Mentioning this to the wrong individual might put a target on your back.

It’s best not to offer any information that isn’t obvious about your family or personal life. These are all things that can be held against you if you’re the victim of a nefarious social engineer. The last thing you want is for a family member to be taken hostage because a rogue group wants something that you have — if society collapses, many individuals will have no qualms about seizing any advantage they can.

Skills can be just as valuable as tangible items, so be cautious of what you put on display to those who don’t know you all too well. If someone notices you’re a medical professional, they may show up on your doorstep injured and begging to be let in — or worse yet, demanding your assistance at gunpoint.

Manipulation and Pretexting

The line between awareness and paranoia must be drawn very finely when identifying pretexting. This technique involves convincing those around you that you’re something you’re not or manipulating perception — a very powerful social engineering skill. For example, someone who’s up to no good might dress up as a police officer or another figure of authority to gain access to an area.

Above: Flaunting wealth on social media is a great way to become a target. Be very careful about disclosing the extent and location of your valuables, as this may entice criminals to target your home.

Pretexting can be used during times of panic to make advances on targets that would otherwise be off-limits to the average Joe, opening up many opportunities to wreak havoc. Gaining trust as someone else is a surefire way to deceive the unsuspecting.

Countermeasures

To detect pretexting, ask leading questions about the person’s association with who they claim to be. Don’t come off as insulting, but use conversational questions about how long they’ve been doing what they do or how they obtained their credentials to figure out if the water is truly murky.

Inquire about their situation, how they’re surviving, where they’re from, and other non-intrusive questions about their life. A friendly demeanor and good acting skills are essential to pulling this off convincingly.

If after all of this, you’re still questioning their expertise or authority, find polite ways to get out of the situation. Look for visual cues when they’re answering your questions. Shaking or fidgeting of the hands, limited eye contact, voice trembling, hesitation, and answers that don’t particularly line up are red flags that should signal you to get out of Dodge before it’s too late.

Diversion

Diversion is exactly what it sounds like: diverting someone’s attention away from something that they really should be paying attention to, thus opening the opportunity to commit a nefarious act.

As one can imagine, there are a myriad of situations in the real world where diversion is effective. Most popular is the around-the-corner trick, where a group of individuals work to draw their victim away from the target of the operation (such as a vehicle, home, or security post). When the victim is away from the target, another member of the criminal group strikes and takes action on the target, thus completing the diversion attack and leaving the victim with their pants around their ankles.

Above: Criminals may request your assistance with a car break-down or medical emergency to distract you. This is especially effective with the aid of an attractive, harmless-looking accomplice.

If you’re the target of this social engineering attack, it may be difficult to determine if you’re being led down a path of lies by a stranger, or if there is indeed something going on that may require your attention. Combating these attacks is difficult, so attempt to pick up on any odd behavior that a shady character may display before your time to evaluate runs out.

Countermeasures

Claiming that someone is in medical distress or in danger is a common way that one could be tricked into leaving a vehicle, possessions, or family behind for just a minute. These situations get your blood pressure pumping, raise your heart rate, and stop you from thinking clearly about being deceived. Everyone wants to believe somebody wouldn’t lie about an actual emergency, but stay alert and pay attention to your surroundings — not everything is what it seems.

The easiest way to avoid this attack is heightening your sense of personal security. If mobile, avoid leaving supplies out on display. This just makes them easy pickings if you aren’t around. Also, make sure you make things as theft-proof as possible at your bug-out location. It’s not always easy to do, but stashing valuables in hidden spots can save you some heartache if anyone ever loots your hideaway.

Final Thoughts

When dealing with experienced social engineers, you may not even know someone is taking advantage of you, so it's essential to watch for warning signs.

The attacks we’ve presented are some of the most common types that are carried out by cunning criminals. Above all, the best way to prevent being a victim is by having a heightened sense of awareness and taking preventative steps to protect your belongings. The countermeasures we've discussed will enable you to be more cautious and prepared in the event of a catastrophe.


STAY SAFE: Download a Free copy of the OFFGRID Outbreak Issue

In issue 12, Offgrid Magazine took a hard look at what you should be aware of in the event of a viral outbreak. We're now offering a free digital copy of the OffGrid Outbreak issue when you subscribe to the OffGrid email newsletter. Sign up and get your free digital copy
Patrick Diedrich: