Security awareness

Low-tech social engineering attacks

October 9, 2019 by Susan Morrow

Introduction

Frank Abagnale is probably the most famous low-tech hacker since Son’ka the Golden Hand and Vincenzo Peruggia, the man who stole the Mona Lisa. Abagnale famously impersonated professionals, including a doctor and an airline pilot, to support financial scams in which he used false identities to forge checks and cash them. He was eventually sentenced to 12 years in prison for fraud. He is now a regular speaker at cybersecurity and regulatory compliance conferences.

Abagnale used social engineering to extract money, and his techniques were low-tech. The outcomes, however, were much the same as those of today’s high-tech equivalents. Low-tech methods and social engineering are good bedfellows. In fact, many seemingly high-tech attacks, such as CEO fraud, have a low-tech element somewhere in the process.

Low-tech social engineering tricks often dovetail with their high-tech cousins to carry out a cyberattack. Here, we’ll look at a few such techniques.

Physical security

News headlines may seem preoccupied with data breaches and high-tech hacks, but low-tech attacks that breach a physical asset can be just as damaging. One such physical breach is known as “tailgating”: following an authorized person through a controlled door before it closes, so that the attacker never has to present credentials of their own. It is a simple low-tech technique for gaining unauthorized entry to a building.

In 2009, security consultant Colin Greenless demonstrated how easy it is to gain this kind of unauthorized access. In the experiment, Greenless entered the offices of an FTSE-listed financial services firm without being challenged, carried out reconnaissance and showed the potential for data theft.

Once inside, Greenless worked for several days from a meeting room, unchallenged. During that time he moved freely between office spaces and had access to a range of sensitive data, often left out on printers and desks. Using the internal phone system, he also obtained the passwords of 17 of the 20 staff members he asked.

Visual hacking

Shielding your screen from prying eyes may seem an obvious precaution. However, the 3M Visual Hacking Experiment, carried out by the Ponemon Institute, found that in 88% of attempts, sensitive corporate data could be obtained by visual means alone.

The experiment placed a white-hat hacker in eight participating organizations in the role of a part-time worker or consultant. The hacker then tested how easy it was to steal information simply by looking: at screens, at desks and at printouts. The hacker was able to capture access and login credentials, which in turn could be used to gain further privileges on the network. From there, the theft of sensitive documents followed.

I have carried out my own similar experiment. You don’t even need to be employed by the company. In this case, the organization dealt in highly sensitive healthcare data. I was a customer and was able to watch the entry of the login credentials of three members of staff (login was single-factor password only). I also had private access to a computer on the network and could have easily used any one of the passwords to gain access (I have warned them about this, of course).

Surveillance and grooming

Many scams, especially those that result in a very large financial gain for the fraudster, take time to set up. The surveillance component of a carefully crafted scam is key to a successful outcome. Fraudsters research their target, usually a specific company, and then home in on key personnel. The ultimate goal of surveillance and grooming is to develop relationships and trust within the target company.

Once the key target individuals are identified, fraudsters often turn to technology, in the form of spear-phishing emails, to move to the next level. Because of the surveillance and grooming already done, the spear-phishing emails are more convincing and therefore more successful.

Surveillance is an important component of Business Email Compromise (BEC), a very successful form of financial fraud. BEC crimes cost businesses $1.2 billion in 2018. Without a detailed understanding of the target company, crimes like this would not be nearly as successful.

The phone call scam

A simple phone call may be all that is needed to extract enough information to commit a crime. In the tailgating example above, Colin Greenless used the internal telephone system to extract passwords; the call came from an internal extension, which by itself was enough to engender trust.

However, “cold-call” phone scams are also very successful. A report by First Orion, based on data from 50 billion calls over 18 months, found that scam calls, especially to mobile phones, are at record levels. One of the tricks in use is “neighborhood spoofing,” in which the caller ID shown on the phone screen is forged so that it looks like a local number, typically one sharing the recipient’s own area code and exchange. The reasoning is simple: you are more likely to know someone with a similar number, or to trust a local number, and so more likely to pick up.
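The neighborhood-spoofing trick described above, as an added example that is not from the original article: a small Python check that scores inbound caller IDs against the recipient’s own number, so that calls whose displayed number merely shares the recipient’s area code and exchange are flagged as suspect. The call log, the recipient number and the scoring scale are constructed for illustration; the case where the caller ID is identical to the recipient’s own number is a related variant of the same trick that the article does not itself describe.

```python
"""Heuristic flagging of "neighborhood spoofing" in an inbound call log.

Added example, not code from the original article. Neighborhood spoofing
forges the caller ID to share the victim's area code and exchange so the
call looks local. This scores each inbound caller ID by how closely its
prefix matches the recipient's own number. The call log below is constructed.
"""
import re

# NANP number: optional "+", optional leading "1", then 3-3-4 digits.
NANP_RE = re.compile(r"^\+?1?(\d{3})(\d{3})(\d{4})$")


def normalize_nanp(number: str):
    """Return (area_code, exchange, line) for a North American number,
    or None if it cannot be parsed. Strips spaces, dashes and parentheses
    and an optional leading +1 / 1."""
    digits = re.sub(r"[^\d+]", "", number)
    match = NANP_RE.match(digits)
    if match is None:
        return None
    return match.groups()


def neighbor_spoof_score(caller_id: str, recipient: str) -> int:
    """Score how "local" a caller ID looks relative to the recipient's number.

    0 = unparseable or no prefix match
    1 = same area code only
    2 = same area code and exchange (classic neighborhood spoofing)
    3 = caller ID identical to the recipient's own number (assumed variant)
    """
    caller = normalize_nanp(caller_id)
    own = normalize_nanp(recipient)
    if caller is None or own is None:
        return 0
    if caller == own:
        return 3
    if caller[0] != own[0]:
        return 0
    return 2 if caller[1] == own[1] else 1


def flag_calls(log, recipient: str, threshold: int = 2):
    """Return (caller_id, score) for every log entry whose score meets the
    threshold. Entries are dicts with a "caller_id" key."""
    flagged = []
    for entry in log:
        score = neighbor_spoof_score(entry["caller_id"], recipient)
        if score >= threshold:
            flagged.append((entry["caller_id"], score))
    return flagged


# Constructed sample data: a recipient in the 202-555 exchange and five
# inbound calls with caller IDs in assorted formats.
RECIPIENT = "+1 202-555-0147"
SAMPLE_LOG = [
    {"caller_id": "202-555-0199"},      # same area code and exchange -> 2
    {"caller_id": "(202) 867-5309"},    # same area code only          -> 1
    {"caller_id": "+1 415 555 0100"},   # different area code          -> 0
    {"caller_id": "+12025550147"},      # identical to recipient       -> 3
    {"caller_id": "unknown"},           # unparseable                  -> 0
]

if __name__ == "__main__":
    for caller_id, score in flag_calls(SAMPLE_LOG, RECIPIENT):
        print(f"suspect caller ID {caller_id} (score {score})")
```

A score of 2 or more is a reasonable threshold for a warning prompt on a softphone or for a detection rule over call-detail records; a score of 1 on its own is too common to act on. Genuine local calls will also match, so this is a prompt to verify the caller through a known number, not a block list.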

Low-tech social engineering prevention

There are several ways you can help to mitigate the effect and impact of a low-tech attack:

  1. Be vigilant: Many low-tech attacks rely on careless behavior. Be careful about giving out passwords and other personal data, especially in public places and over the phone, and verify unexpected callers through a number you already know
  2. Use a privacy screen in public places: This helps prevent “sneaky peeks” when you are working on your laptop
  3. Use two-factor or multi-factor authentication: This may not prevent a low-tech attack, but a shoulder-surfed or phoned-out password is far less useful when it is not enough on its own to log in
  4. Lock or disconnect unattended workstations: Any computer left unattended should be screen-locked and, wherever possible, disconnected from the network
  5. Use security awareness training: Many low-tech attackers rely on staff and other workers not understanding the risks of poor password hygiene and similar habits. Ensure the awareness program covers all aspects of company security and reaches all staff, including contractors and part-time workers
  6. Create and enforce a clean desk policy, so that printouts and notes containing sensitive data are not left on desks and printers

Conclusion: Security awareness is the nemesis of the low-tech hacker

We can easily get hung up on high-tech scams and fraud because they seem more interesting. But the truth is, modern cybercrime is as deeply rooted in the manipulation of human behavior as the scam tricks of old were. 

Low-tech social engineering is about the manipulation of people. This manipulation can be an end in itself, as is the case of scam calls that encourage the transfer of money. But low-tech can also be a feeding mechanism into its high-tech counterparts. Low-tech meets high-tech in many modern cybercrimes where low-tech is a high-tech facilitator.

We are seeing this in the deepfake era too. The CEO of a UK energy firm was recently tricked into transferring around $240,000 because he heard what he believed to be the voice of his superior at the parent company; it was in fact a synthetic voice. The trick was a low-tech phone call and the manipulation of a trusted relationship; the voice was created using deepfake technology. This combination made for a near-perfect cybercrime, and we will no doubt see more of the same in the coming years.

Sources

  1. Regulatory Issues Forum: Combating Cyber Fraud with Frank Abagnale, National Association of Realtors
  2. Consultant Uses Social Skills to Trick Corporate Security, CIO
  3. New Study Exposes Visual Hacking as Under-Addressed Low-Tech Threat, 3M
  4. Manufacturing and Construction Top Targets for Business Email Compromise, Financial Trend Analysis
  5. Nearly 50% Of U.S. Mobile Traffic Will Be Scam Calls By 2019, First Orion
  6. Thieves are now using AI deepfakes to trick companies into sending them money, The Verge
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.