This review originally appeared online at RECOIL OFFGRID Magazine (@recoiloffgridmagazine). It appears here in its entirety with the permission of editor and soulless albino ginger “Big Red” McCarthy. Mad Duo
SOCIAL ENGINEERING: 5 MANIPULATION TECHNIQUES
Jim Henry, via RECOIL OFFGRID Magazine
Despite what it may sound like, social engineering is not the sort of thing you’d get a degree in from an Ivy League school. In fact, this kind of nefarious so-called engineering is quite the opposite. It could easily be called social reverse-engineering, since it has little to do with building up positive social interactions, and everything to do with deconstructing them for personal gain.
WHAT IS SOCIAL ENGINEERING?
One definition of social engineering comes from prominent Russian cyber security firm Kaspersky Labs. The firm defines it as a category of techniques employed by cyber-criminals, designed to trick unsuspecting victims into disclosing their confidential data, infecting their computers with malware, or opening links to infected sites.
Although it’s certainly true that many social engineering attacks happen on the internet, there’s an equally large risk of falling prey to social engineering outside the digital realm. In a broader sense, social engineering is just skillful psychological manipulation, and it can occur in any interaction between two or more people.
Social engineering attacks often occur over the phone, in the mail, or even during face-to-face interactions. Certainly, protecting ourselves every day while using technology is critical, but in a grid-down or emergency situation, eliminating the risk of someone eliciting personally identifiable information (PII) is the key to protecting your assets and identity. Most importantly, countering these attacks will keep you and your interests safe during a chaotic situation.
If a large-scale disaster were to affect your region, your priorities would consist of keeping yourself and your family safe, fed, and calm until some sort of order is restored. Naturally, during this type of crisis you will encounter strangers whether you’re at home bugging-in, or going mobile to a bug-out location.
No matter where you are, a heightened sense of situational awareness is worth a fortune if employed by all members of your family. When the excrement hits the proverbial fan, the general population becomes more desperate for resources, and will employ tactics like those used on the web to exploit your weaknesses.
Even outside of a disaster scenario, especially brazen criminals may use these techniques to mislead you or take advantage of you.
If you can get your family more involved in identifying and countering these five types of social engineering attack, your chances of survival will greatly increase.
1. PIGGYBACKING OR TAILGATING
Gaining entry to a restricted area — whether it’s a home, business, or high-security building — is a desirable skill for criminals. It’s also the first step towards compromising other levels of physical security.
One of the simplest but most effective ways of entering a prohibited area is by tailgating. No, this isn’t just referring to the road-rage-inducing driving technique — it covers any method of closely following an authorized individual to achieve access to restricted places.
This can mean sneaking behind someone who is unaware of your presence, or manipulating and piggybacking an authorized person to gain entry. In countless spy movies, the hero sneaks into the middle of a group of enemies to walk through a checkpoint — that’s an example of this technique.
In an everyday scenario, this may involve a bad guy gaining access to a location with critical telecom equipment in order to plant a harmful device, or someone attempting to steal confidential information. To prevent this, most companies will live-monitor CCTV cameras, install anti-passback systems in their access controls, or just rely on employees to not hold the door for unknown individuals. Sounds easy, right? But what about during pandemonium? How can one prevent someone with nefarious intentions from harming them or compromising their bug-out spot?
How to Defend Against Tailgating:
If you’re finding a safe place to bed down and take shelter for the night, or keeping supplies in a predetermined bugout location, you must protect the integrity of your hideaway. With limited supplies this may be difficult, but maintaining high ground, securing a wide perimeter, and memorizing your surroundings can assist in keeping unwanted visitors out.
Try to pick locations with considerable cover, whether it’s in a forest or urban environment. Avoid well-lit areas, and keep your own light signature in mind when traveling at night. Use surrounding material to conceal your hideaway and lessen the risk of blowing your cover.
Whenever you’re mobile, try to keep eyes in the back of your head and your ears to the ground, figuratively. One thing that could bust your hard-earned cache of supplies or personal safety is a compromise of position. Take stock of your surroundings constantly, and maintain situational awareness. As stated above, keep your personal light signature in mind when traveling after sundown. That being said, if you must use a flashlight to navigate, use a lower-lumen setting or the moonlight mode found on most tactical lights. Ideally, five or ten lumens will still allow you to see where you’re going, while still offering you some concealment.
Once you arrive at your bugout spot, tone the lumen setting down even more. If your light has a red light setting, opt for this as it will still allow you to see what is directly in front of you without casting any additional beam around your position. A better (but more costly) solution to operating in low light is to pack a pair of night vision goggles (NVGs). Whichever you choose, make sure that concealment is the number one priority.
2. BAITING
In the digital world, a link that looks too good to be true, such as a free cruise or free iPad, can easily trap an unknowing user into a well-laid-out baiting scheme. This technique is often the precursor to something even worse, such as ransomware or malware — both equally scary violations of your digital security. However, these attacks aren’t always so obvious.
The recent ultra-ransomware attacks WannaCry and Petya were prime examples of how many people can be tempted by baiting through a link or random email. These two attacks affected nearly half a million users across the globe, and could have been much worse if worldwide media coverage hadn’t alerted those who received suspicious emails but had not yet opened the embedded links.
Baiting relates seamlessly to a grid-down situation as well. Whether you’re finding a safe area away from the chaos, looking for useful provisions, or generally avoiding danger, getting fooled by a baiting attack can be just as bad as falling for the illusion of a lake in the middle of the Sahara Desert. In a SHTF situation, countering these methods can be just as easy as when you’re browsing the web — although there’s no pop-up blocker or anti-malware plugin to help you detect real-life scams.
How to Defend Against Baiting:
Just like most attacks, general situational awareness can prevent a myriad of incidents. If you see something that you feel could be useful, or appears curious, look around before going near the object.
For example, rumors have circulated about criminals targeting individuals in parking lots late at night by placing bait to lure the victim away from their driver’s side door. As the victim steps away from his or her car to inspect the out-of-place item, the assailant could move in and commit whatever act they intended on carrying out.
If you’re familiar with the area you’re in, it’s best to stay in the parts of town that you know best. Unexpected incidents often happen in unfamiliar places, so sticking to the familiar areas will likely be more beneficial for your own personal safety. If it’s a foreign environment, do your best to stay nondescript and don’t linger. Just like with cyber safety, staying off questionable websites and avoiding unknown links will keep you safer than browsing to them.
3. PHISHING
Just recently, many US residents were victims of a giant telephone phishing scheme by a group of unknown social engineers who attempted to steal large amounts of money. These hackers would call their targets and claim to be the IRS, stating the individual owed the federal government funds due to a tax audit, or mistake in back taxes. This scheme is still active, and has worked frequently over the past year. Even worse, many different forms of it have popped up from copycat hackers.
Just like on the web, phishing can be dangerous in the real world as well. During a grid-down scenario, unsavory characters may attempt to slyly elicit information from you regarding your past, your profession, and even personal notes like marital status. These pieces of information, as trivial as they may seem, can all be used against you in some way or another. This doesn’t mean lie to everyone you know, but be sure to take caution if someone is suddenly asking way too many questions.
How to Defend Against Phishing:
Be careful what information you surrender to those you’ve just met. Your belongings, such as gas, ammunition/firearms, generators and food, aren’t something to brag about during an emergency. Mentioning this to the wrong individual might put a target on your back.
It’s best not to offer any information that isn’t obvious about your family or personal life. These are all things that can be held against you if you are the victim of a nefarious social engineer. The last thing you want is for a family member to be taken hostage because a rogue group wants something that you have—if society collapses, many individuals will have no qualms about seizing any advantage they can.
Skills can be just as valuable as tangible items, so be cautious of what you put on display to those who don’t know you well. If someone notices you’re a medical professional, they may show up on your doorstep injured and begging to be let in — or worse yet, demanding your assistance at gunpoint.
4. MANIPULATION AND PRETEXTING
The line between awareness and paranoia must be drawn very finely when identifying pretexting. This technique involves convincing those around you that you’re something you’re not, or manipulating perception, a very powerful social engineering skill. For example, someone who’s up to no good might dress as a police officer or other authority figure to gain access to an area.
Pretexting can be used during times of panic to make advances on targets that would otherwise be off-limits to the average Joe, opening up many opportunities to wreak havoc. Gaining trust as someone else is a surefire way to deceive the unsuspecting.
How to Defend Against Manipulation and Pretexting:
To detect pretexting, ask leading questions about the person’s association with who they claim to be. Don’t come off as insulting, but use conversational questions about how long they’ve been doing what they do or how they obtained their credentials to figure out if the water is truly murky.
Inquire about their situation, how they’re surviving, where they’re from, and other non-intrusive questions about their life. A friendly demeanor and good acting skills are essential to pulling this off convincingly.
If after all of this you’re still questioning their expertise or authority, find polite ways to get out of the situation. Look for visual cues when they’re answering your questions. Shaking or fidgeting of the hands, limited eye contact, voice trembling, hesitation, and answers that don’t particularly line up are red flags that should signal you to get out of Dodge before it’s too late.
5. DIVERSION
Diversion is exactly what it sounds like: diverting someone’s attention away from something that they really should be paying attention to, thus opening the opportunity to commit a nefarious act.
As one can imagine, there are a myriad of situations in the real world where diversion is effective. Most popular is the around-the-corner trick, where a group of individuals work to draw their victim away from the target of the operation (such as a vehicle, home, or security post). When the victim is away from the target, another member of the criminal group strikes and takes action on the target, thus completing the diversion attack and leaving the victim with their pants around their ankles.
If you are the target of this social engineering attack, it may be difficult to determine if you’re being led down a path of lies by a stranger or if there is indeed something going on that may require your attention. Combating these attacks is difficult, so attempt to pick up on any odd behavior a shady character may display before your time to evaluate runs out.
How to Defend Against Diversion:
Claiming that someone is in medical distress or in danger is a common way one could be tricked into leaving a vehicle, possessions, or family behind for just a minute. These situations get your blood pressure pumping, raise your heart rate, and stop you from thinking clearly about being deceived. Everyone wants to believe somebody wouldn’t lie about an actual emergency, but stay alert and pay attention to your surroundings; not everything is what it seems.
The easiest way to avoid this attack is heightening your sense of personal security. If mobile, avoid leaving supplies out on display. This just makes them easy pickings if you aren’t around. Also, make sure you make things as theft-proof as possible at your bugout location. It’s not always easy to do, but stashing valuables in hidden spots can save you heartache if anyone ever loots your hideaway.
When dealing with experienced social engineers, you may not even know someone is taking advantage of you, so it’s essential to watch for warning signs.
The attacks we’ve presented are some of the most common types that are carried out by cunning criminals. Above all, the best way to prevent being a victim is by having a heightened sense of awareness, and taking preventative steps to protect your belongings. The countermeasures we’ve discussed will enable you to be more cautious and prepared in the event of a catastrophe.
ABOUT THE AUTHOR
Jim Henry is a physical security and surveillance expert who has spent all of his adult life working to keep people out of places they shouldn’t be, and locating individuals who need to be found. Prior to his current employment in the private sector, where he works as a government contractor, Henry was a Surveillance Investigator for The Rivers Casino in Pittsburgh, PA. He also worked in Erie, PA in a similar role. Before that, Henry was busy building a diverse portfolio of education, studying countersurveillance, critical infrastructure protection, and threat detection. Even though most of his current work remains secret, Henry is very vocal about his love for firearms, writing, EDC gear, hiking with his dog, and spending time with his family.