Phishing? No. Social engineering!


#1

Digital security trainers often speak about phishing at their events. It’s useful and relevant to the situation. However, phishing is just one example of a threat that uses the general set of methods known as social engineering.

Social engineering may have different targets (not even related to passwords/accounts). For example, bad guys can manipulate information to ruin relationships between people and influence the psychological climate in an NGO. I know at least one example when social engineering was used for defamation of a civil activist. Once, some adversaries distributed false information about the starting date/time of an event to spoil working plans. I can easily imagine how social engineering could be used to motivate a person to do particular things which could lead to physical and legal risks.

When we explain phishing we commonly teach people how to spot suspicious details in particular messages. I think it may be worth considering teaching people how not to be manipulated in general and to avoid the risks that I mentioned in the previous paragraph.

Example: I made attempts to talk about so-called chain letters with our target audience and bumped into resistance and misunderstanding. “Why? How is it related to security? OK, I now understand it was a silly email that I reposted to my friends on Facebook, but it was innocent. No one lost any passwords, money or other valuables (well, maybe some time).” People didn’t realize that they had become victims of social engineering - the system of methods used by phishers.

Anyone who shares this idea and wishes to work on the “Social engineering” theme for educational programs/materials, please feel free to add your comments. Perhaps you already know some great publications/presentations on that (aimed at our audience, indeed).


#2

Thanks for bringing up this important topic @dedmoroz! Indeed, social engineering is a real threat to human rights work. Adversaries can pretend to be someone that they aren’t - someone that the human rights defender (HRD) can trust, like a fellow HRD, or a friend, or a friend of the family, etc. Once this trust has been established, the adversary can manipulate a situation in a malicious way to request someone to do something, or collect information that the HRD would otherwise not share to use maliciously (defamation, etc), or incite discord in a relationship.

I think that phishing is the social engineering tactic that HRDs are most familiar with. Often, adversaries want information so they try to get access (via your password) to your email, your file system, your social media account, or even your computer via malware. A few years ago I wrote an article about how a group of HRDs can protect themselves from spear phishing --> Don’t be a phish!

I think you’re right - we need to build more awareness of the threat of social engineering. To this end, I think it’s important to explain the potential harmful impacts of this threat, and also to share real-world examples to make this more concrete. One controversial training tactic for spear phishing is to “test” people by sending them a spear phishing email and see if they fall for it and if they follow the right protocol (after training of course). A few I’m familiar with include:

I hope to learn from others about ways to build awareness and trainings to prevent the kind of social engineering that isn’t meant to get your password or install malware. Thanks again for starting this important thread!

  • Kristin

#3

There are great resources out there on how to teach the elderly to protect themselves against con artists. Example

A lot of the same methods that work on phone and mail scams work with e-mail scams. (e.g. Hang up, look up the number, and call the agency that said they were calling. == Google the organization they claimed to be from, and call/email that organization directly about the issue the e-mail raised).

The thing I have liked about these resources is that they are grounded in a nurturing approach that is rarely taken by the “social engineering awareness” crowd. There are a lot of non-cyber resources out there that have honed messaging and methods that we can learn from.


#4

Thank you both for your input.

There are a lot of non-cyber resources out there that have honed messaging and methods that we can learn from.

Indeed.

The problem with most of the stuff we have now as resources for trainers is that it’s focused on purely technical things - phishing and how to detect phishing email messages and websites.

For example, some people (as I can judge from discussions with them) take the position of “OK, I know what phishing looks like, I’m actually not stupid, so it’s unlikely that I will be deceived by a phishing message, a chain letter or whatever”. Actually, psychologists say that social engineering targets different characteristics of our brain, and even people with a very high IQ are vulnerable. A simple example is when bad guys leave a very short time for a person to respond, so even the smartest addressee becomes disoriented.

Showing them yet another example of a missing “s” letter in a browser or a fake hyperlink won’t change anything. I think we need psychologists to assist us in dealing with such questions and this is why I’m posting my message here in the Holistic Security section.