When I came home from a nice night out with a friend last night, my mother was concerned and a bit upset. I asked her if something had happened, after which she told me about her evening. To be honest, I would also have been upset. After all, it is quite a scary thought that strangers can exert such influence on you within a couple of minutes.
Last night, my mother received a call from the number of the ING fraud desk. The woman on the telephone told my mother, in proper Dutch, that hackers from Ghana had tried to transfer money to another account. Through a number of control questions she wanted to verify whether my mother had become the victim of the hack. She asked how much money was in the account, as well as our postcode and address. She also wanted to know whether it was correct that the account number ended in the three digits included in their system (they did indeed match).
Basically, nothing to be concerned about; however, she was not speaking with an ING employee but with a so-called social engineer. A social engineer is a person who tries to obtain confidential information through manipulation in order to, for instance, gain access to systems or data, with all the damaging consequences that entails. To mislead my mother, this woman relied on ‘spoofing’: a technique in which the caller makes a different telephone number appear on the recipient’s display, in this case the telephone number of the ING fraud desk. The number shown on the display is therefore no proof of who is actually calling.
Entering the house
The woman wanted to know if our computer was properly secured. She asked if we had a virus scanner and a strong password on the WiFi network. After all, there was a chance we had been hacked via our IP addresses. The friendly woman even proposed to have an engineer come by to check everything and, perhaps, to secure it better. The engineer could not make it that evening, but he could come by tomorrow or the day after. Once again, she emphasised that it was very important to have something done about this quickly.
To handle the rest, the woman transferred my mother to her colleague, who would explain what steps would need to be taken. A man came on the telephone, again speaking proper Dutch. He started explaining that hackers can keep prying around in account details for a long time. According to him, the criminals had targeted multiple people, as a result of which the ING fraud desk was very busy. Because of that, the account would remain blocked a bit longer. This could be prevented by securing the money in the account in a different manner as soon as possible. The money in the savings account would need to be transferred to the current account, and then on to a secured depot with a Dutch account number. After two days, everything would have been solved and my mother would receive instructions to transfer the money from the secured depot back to her own account.
Behaviour & Awareness – principles of persuasion
In most instances, social engineers gratefully rely on the seven principles of persuasion that allow people to be influenced. Robert Cialdini identified these principles, which are traditionally best known within the marketing world. The seven principles of persuasion are explained further below.
Reciprocity: By giving away something (e.g. a free e-book, service, or a small gift) people unintentionally feel they owe you something. Hence, people tend to return the favour more easily.
Scarcity: People are sensitive to scarcity and become greedy when only a limited number of products is available or when a special offer is subject to a time limit. In addition, people often find it difficult to reach decisions under time pressure, and they are not very good at it.
Authority: From a young age, we are taught that certain people with authority are right. This means that we tend to believe experts more easily. Ways to display authority are, for instance, position, awarded prizes, nominations, or quality marks.
Commitment and consistency: This principle is about gradually enthusing people about something (commitment) and retaining this attention (consistency). A newsletter is, for instance, a good first step to create loyalty. The more often people say ‘yes’ in a process, the more difficult it becomes to say ‘no’.
Sympathy (liking): People tend to do something more easily for someone they feel sympathetic towards.
Social proof: Many people seek confirmation of their choice before they make a purchase. It gives a buyer more confidence to buy a product or service that other people are enthusiastic about.
Unity: This principle concerns people’s need to belong to something. Factors like culture, location, group feeling, and age play a role in this unity. You can anticipate this by picking topics that appeal to people or with which they are pleased to identify themselves.
Five of these principles were used to mislead my mother in this attack. The first principle is authority. In the story above, the authority principle is manifested because the callers present themselves as the fraud team of the ING. They are an authority in the detection of fraud, so they will probably be right about the possible hack from Ghana. In addition, the social engineers used typical IT terms to overwhelm the victim.
The second principle is scarcity. Because the social engineers in the story above keep insisting on the limited processing time, the victim is triggered to opt for the fastest solution available. But unfortunately, the fastest solution is often not the best solution.
The third principle is sympathy. The social engineers were very supportive and friendly. So friendly that they were immediately available to assist my mother with her problems. They even wanted to schedule an appointment with an engineer for her. Such great customer service (…).
The fourth principle is reciprocity. With a solid, plausible story, they gave my mother something, namely the fast assistance of an engineer. As a result, my mother was more willing to do something for them in return.
The fifth principle is commitment and consistency. With a scary story about hackers from Ghana, the social engineers caught the attention and commitment of my mother. Through a refined structure of the story and by asking the right questions, they managed to retain my mother’s attention for a long time.
Ultimately it all ended well: my mother started doubting whether she was really speaking with someone from the fraud desk. They answered that this was certainly the case, because they had not asked for, and did not need, her login details. My mother no longer trusted it and disconnected the call. Meanwhile, the fraud had also been detected by the ING. They had already blocked the bank account as a precaution. At the bottom of this article, I added a link with the recommendations of the ING for this kind of fraud (text is in Dutch).
Perhaps the most shocking thing about this story is that the social engineers may really have intended to enter our house. Admittedly, the attackers would have run a considerable risk of getting caught or being discovered, with only a small chance of gain. I therefore think that the offer was merely meant to rely on reciprocity. But it is possible, and perhaps a pilot to be used against wealthier targets. The standard pattern is then that they try to come by when someone (in this case my mother) is home alone. They come in pairs and one will distract the victim (for instance by examining the computer and by continuously asking questions). The other can start looking for money or work on the installation of a tap, which will enable eavesdropping.
Afterwards, my mother was angry with herself that she had been so stupid to almost fall for the fraud and that she should have seen through the tricks more quickly. Fortunately, she did not fall for the fraud and prevented € 10,000 from being stolen. The sense of guilt experienced by my mother is understandable, but certainly not deserved! As human beings, we want to assume the best in the people around us. On the other hand, the tricks that social engineers use these days become ever more clever. Psychological principles are intentionally and specifically targeted. It is not ‘wrong’ or ‘your fault’ to fall for it. It is much more refined than you think. The best weapon is common sense and alertness, fed by the realisation that your trust can intentionally be abused. Awareness should not be about the ‘improvement of wrong behaviour’, but about the ‘recognition of the techniques’. No fault, but a helping hand.
Tesorion offers various ways to enhance behaviour and awareness with regard to, for instance, phishing. In addition, there are various webinars to assist you in handling this ‘art of persuasion’.
Robert B. Cialdini – Influence, The Psychology of Persuasion