“Practically all of the companies and governmental entities represented in this room are potential targets of interest to us,” Peter Warmka, CFE, CPP, director of business intelligence at Strategic Risk Management LLC, told the room full of conference attendees in his Monday-morning session. “We consider ourselves masters in social engineering. We can manipulate you.” Warmka was impersonating the mindset of a fraudster on the hunt for a vulnerable target, and the effect was enough to grab the attention of the audience.
The social engineering he spoke of is also called “people hacking.” Warmka defined it as the process of one party manipulating a second party to do a specific action, which meets an underlying objective of the first party. The key word is manipulate, and Warmka warned that we are all vulnerable, whether we realize it or not.
It should come as no surprise that with the growing prevalence of the internet, it’s even easier today to get personal information on a potential target. Personal information is everywhere and criminals know exactly where to look.
Warmka walked attendees through various methods social engineers use to collect vital data about their potential targets, focusing on information sources that are particularly relevant for businesses and organizations. A few of these methods include:
- Perusing a company website, especially for information on executives
- Reading job postings (LinkedIn, Indeed, Monster), especially for IT positions, to ascertain software and security information
- Visiting employer review sites to get a feel for the company culture (negative cultures are a better environment for fraudsters)
- Studying company social media sites
One of the most eye-opening portions of Warmka’s presentation was when he shared actual photos from social media profiles. In some photos, employees were wearing company badges, which made it easy for a fraudster to create a copy. Later in the day, I noticed that some of our attendees would reverse their name badge or take it completely off before participating in any photo ops. Perhaps they attended Warmka’s session.
In other photos shared throughout the session, office layouts were revealed, and included the types of computers an organization used, which browsers were downloaded onto those computers and even a sticky note with the organization’s Wi-Fi information.
“Criminals are using this information to effectively manipulate someone,” Warmka explained. We are especially vulnerable to social engineering because of our tendency to blindly trust. “The fraudster can use that and be whoever they want to be.” There’s a phrase fraud fighters like to use — “trust but verify.” Warmka urged his audience to reverse this thinking — verify then trust, because more than 90% of all successful cybersecurity breaches begin with social engineering. As anti-fraud professionals, the challenge is to make a commitment, as an individual and within your organization, to confront this challenge head-on.