What if your attackers don’t need any technical skills? What if you let them in yourself, simply by being too helpful?
Co-hosts Duck and David tackle the tricky problem of treacherous criminals who don’t need vulnerabilities, exploits, hacking abilities, or malware.
Find TALES FROM THE SOC on Apple Podcasts, Audible, Spotify, Podbean, or via our RSS feed if you use your own audio app. Or download this episode as an MP3 file and listen offline in any audio or video player.
[FX: PHONE DIALS]
[FX: PHONE RINGS, PICKS UP]
ETHEREAL VOICE. Hello, caller.
Get ready for TALES FROM THE SOC.
[FX: DRAMATIC CHORD]
DUCK. Welcome back, everybody, to TALES FROM THE SOC.
I am Paul Ducklin, joined by David Emerson, CTO and Head of Operations at SolCyber.
Hello, David.
DAVID. Hey there.
DUCK. David, this episode’s topic is: Social engineering – What to do?
Over the past perhaps month or two, major-league attacks that have happened against massive companies such as some of the biggest supermarket chains in the UK have turned out to be almost entirely down to social engineering.
Someone took a phone call, and was just too helpful.
So the attackers, Scattered Spider in this case, as they’re known, they didn’t need to do any hacking, they didn’t need to use any technology.
They simply said, “I say, old chap, will you tell me the password?”
OK.
Game over.
How do you defend against something like that, which is a human problem and not a technological problem?
DAVID. Well, that headline is about 35,000 years old.
DUCK. [LAUGHS] You mean you can consult the drawings in the caves at Lascaux in France?
DAVID. Yes.
DUCK. And find out? [LAUGHTER]
DAVID. Almost certainly this was a scam then too.
DUCK. Yes.
DAVID. It’s really an interaction problem.
And I think that in the context of cybersecurity, it is not a headline.
A lot of people get far too caught up in the schemes and mechanisms of “exploit” in a technical sense.
If you think too hard about the various schemes and mechanisms of exploit in the cybersecurity realm, you’re probably going to miss the broader point, which is that your processes need to be resilient against some of the most simple, elegant, and social exploits out there.
They’re not something that is a technical exploit, or is even going to be difficult to detect.
It’s ultimately just going to be a person asking you for your password, essentially, or asking you for a password reset, or asking you to wire money somewhere inappropriate.
It can be as simple as that.
DUCK. Yes.
So when we say “social engineering,” that’s just a fancy way of talking about some mixture of treachery, bribery, or threatening behavior that induces the other person to do something that if they had only stopped and thought about it, they would probably themselves have figured out it was an unwise choice to make.
DAVID. Yes.
I would say one of the common elements would be that things of value are pursued.
Take that for what it means in your environment.
Do you run a system that does wire transfers, for example?
The thing that someone will be after you for, if you do, is a wire transfer.
Do you house classified information?
Well, that’s the thing of value.
Start with the items at risk, with the things of value in your environment, because those will be the things which are pursued.
And you won’t have to think too hard about the technical means by which they are pursued, because those are so many-fold that you probably aren’t capable of imagining the ways you’ll come under threat in the next N number of years that you’ll be housing that data.
DUCK. So would you agree with the very simple advice that you should always make time for a second opinion?
What may have lured you into trusting somebody may not work well with somebody else.
They may bring a bit more cynicism into the equation and be less likely to be lured in in exactly the same way as you.
DAVID. Absolutely.
You know, maybe a second opinion doesn’t make sense in every case – if the thing at risk is $15, you have to draw a line somewhere.
But if you’re being asked to do a wire transfer, validate the details, as an example.
DUCK. Absolutely.
DAVID. Use reputable comparative sources.
Don’t just look at the details on the fake invoice that’s asking for money as you enter them into the system.
That’s not how to do it.
So write your processes in a way that you validate using reputable external sources.
That’s a very flexible thing to say.
Have approvals processes that also validate, maybe using alternative comparative sources.
That’s another thing that you can do, which is to say, OK, if you had the wire transfer details for this vendor, and they’re normally in Omaha, Nebraska, and they’re at such and such a bank, and then you approve that because all of that looks good, and your secondary approval comes through and says, “Oh, actually, I think these people are in Malaysia.”
Well, someone’s wrong now.
And so, let’s investigate which of those is either fraudulent or simply inaccurate.
I mean, it may not be malicious… but the point is that people with different comparative sources, people with different sensibilities coming into a situation in a different context, absolutely can provide differing perspectives, which could save you from a real blunder.
DUCK. You need to think beyond just the invoices and the wire transfer requests themselves, don’t you?
You need to think, “Is this associated with a wire transfer? Is this associated with a transfer of funds?”
DAVID. Right.
DUCK. The obvious trick that the business email compromise criminals quickly learned is, if everyone’s looking out for fake invoices, don’t ask somebody to pay an invoice that isn’t actually in their system.
Ask them to change the bank account on record for a legitimate customer, so that when a legitimate invoice is paid, the money goes to the wrong place.
But the ultimate result is funds transfer, and that should always give rise to a second opinion, shouldn’t it?
DAVID. Yes.
There should be guardrails on process, but ultimately the guardrails on process fade into the background.
Those guardrails are things like, “How does TOTP work?”
“Do you expect the use of passkeys?”
“Are password resets instantaneous, or do they have a little bit of pain around them?”
I’m more concerned about how you, as a customer success representative, or you, as a user of a system… how you would detect some kind of malicious activity.
How could you detect something like social engineering, or how do you detect something like social engineering in the context of a phishing message, or a fake invoice scheme, or an attorney impersonation fraud?
And the answer really is the preponderance of concern that we use so well in the context of insider threat.
You have to think through what’s being asked of you; think through who’s asking it; how they’re asking it; is it urgent?
No one thing off the preponderance of concern list is enough to say, “Aha, this person is malicious.”
But any five things…
I just always encourage people to think that way instead of thinking too specifically about the technicalities of an exploit.
DUCK. So, David, what advice would you give people to make themselves more resilient against the kind of social engineering criminals who have what you might call a longer game in mind?
What about the crooks who go out of their way to befriend you, or to convince you that they’re legitimate in longer-term ways?
Such as by joining in your project on GitHub and appearing to be helpful, or seeking you out on a dating site.
How do you deal with that sort of threat that could put you, or your friends and family, or your employer, in harm’s way, perhaps in days or weeks or months?
DAVID. Well, there are a few things.
It does depend on the nature of the threat or what’s being threatened.
Many of the longer-term threats are using some kind of a hook, like life crisis, or addiction, or blackmail.
DUCK. Or, “Hey, I know we met on a dating site and we found we don’t really have that much in common romantically, but are you interested in cryptocurrency? Are you interested in my investment scheme?”
It should be obvious that you’ve been fooled, but it’s not so unreasonable just to answer questions like that and allow yourself to be led along, because it doesn’t feel like that’s what’s happening to you.
DAVID. No, it’s not unreasonable at all, but there are things you can do to protect yourself.
One of the measures, and this is going to sound ridiculous because it is not even related to cybersecurity, but it is absolutely related to social engineering and social interaction…
If you’re doing something shady, and someone else knows about it, that’s a hook for them.
That’s potentially something that they can hold over your head, whether it’s in the form of blackmail, or potential disclosure to your employer, or whatnot, and it’s a common playbook for espionage agencies the world round.
Create a problem that only they know about, that you’re going to want to keep secret, and then threaten you with it.
So watch out for that kind of situation.
What really would be best is social interaction, in fact, which is no different than asking for a second opinion before you do a wire transfer.
If you think you’re on a dating site and you’re being pig-butchered – that is one of the terms…
If it’s a truly long game where someone is engaging with you, don’t be secretive about it.
DUCK. Yes, and to be clear, that pig-butchering name, which I don’t really like because it kind of sounds like it’s victim blaming, that is the name that the criminals came up with themselves.
That is what they think of their victims – they are almost literally thinking of leading you to the slaughter.
They’re not intending to kill you, but they are intending to take you for as much of your money as they possibly can.
DAVID. Yes, and if you think about it, you know, defense in that case…
…it can’t rest entirely upon being social, but it can be social in nature.
Make sure you’ve met this person.
Make sure that maybe even your friends have met this person; get a second opinion.
I’m not proposing that you bring all of your friends into your dating life and the travails thereof.
It’s more the realization that part of the scheme is predicated upon you being secretive or wanting to keep what’s going on a secret.
And so that’s a really important thing to keep in mind.
DUCK. So what about situations which seem to be increasingly common in, as you say, the pig-butchering type scams, the financial scams?
And that is where friends and family or people you think you can trust have already been turned against you by the criminals.
Such as them saying, “Look, you’re getting in early on this investment plan. Please don’t let your family know or your friends know because they’ll all want in and we only have so many slots. If you let them in, it’ll dilute the funds, etc, etc.”
So it sounds a little bit selfish, but also as though there’s a legitimate explanation.
Is that something you can usefully defend against?
It doesn’t sound as though there’s a “More tools, more tools! Buy my technological solution!” that can fix that.
DAVID. Well, yes…
If a marketer tells you they’ve got tools to fix that problem, they’re just selling you another kind of scheme.
DUCK. [LOUD LAUGHTER] Well said!
DAVID. [LAUGHTER] Yes, I mean, it’s unfortunately true.
There are plenty of tools that simply are not effective.
I do think that a situation like that is also mitigated by a social defense.
If someone tells you not to tell your friends about something, or someone tells you not to tell your family about something, that to me alone is suspicious.
That’s weird.
DUCK. Absolutely, yes.
DAVID. And so urgency, confidentiality… these are very, very common tools of criminals to develop a sense of action, to sort-of develop the relationship that they have with you toward the action they want you to perform.
DUCK. So, in other words, you need to ask yourself if they’re expecting you, if you like, to change your character…
DAVID. Yes.
DUCK. You need to ask yourself, “Is that because there’s actually something wrong with me?”
Or is it that it is very much in their interest for me to start behaving in a different way?
DAVID. Exactly, exactly!
That’s a social question – that’s not a technical question.
And so, in the context of investments, you know, I’ve worked for publicly traded companies and been privy to information that is considered a secret until released, which means I can’t trade that stock; I can’t divulge that information.
That’s a legitimate reason.
That’s backed up by the SEC in the United States.
DUCK. Yes.
DAVID. If you need to know why you shouldn’t, or the terms on which you shouldn’t, be giving away information in a publicly traded company, well, there’s a website for that.
And it’s https://sec.gov.
DUCK. But in what is a more social type of environment, none of those rules or reasons apply.
And I think a lot of people under those circumstances do find it quite hard to say no, particularly when they’re not face-to-face with somebody.
DAVID. Well, then get face-to-face with that person!
If you’re giving them an amount of money that is relevant to you, I hope you’ve made the effort to meet them, at least.
DUCK. Yes!
And if you think, “Golly, I’m too scared to meet them,” then maybe you just answered your own question. [LAUGHTER]
DAVID. Yes!
One hundred percent – sometimes you can self-diagnose these things.
But other people absolutely can, because they’re coming out of context.
They don’t have the same gullibility that you had, maybe, that has gotten you this far.
Really, all I’m saying is: Social defense is legitimate.
It is frequently not addressed.
Marketers of tools would rather you not realize that the most powerful defense you probably have is other people, and reasonably well-established processes, and comparative metrics.
Those things alone will make a ton of socially-based attacks utterly nonsensical to you.
You’ll see right through them, because other people will say, “Hey, that doesn’t make any sense.”
Or you’ll be able to call a request for confidentiality out for what it is, which is, “BS! That’s not something that your attacker can demand of you.”
DUCK. So, David, if we can just move away, if you like, from the business angle…
What about the more personal side of it, where you’re a person who’s pretty good at resisting social engineering, because you know a bit about cybersecurity, and you care about it.
What do you recommend for trying to look out for your friends and family members that you think might be vulnerable?
If we take as a given that “friends don’t let friends get scammed,” how do you actually go about helping make that real?
DAVID. If you’re responsible, make sure they have anti-virus, something basic.
Make sure they have an email account with a second factor.
Make sure their bank has a second factor.
Many of these things are by regulation nowadays, but sometimes not.
And it is worth having that discussion with them.
Have a discussion with them about the storage of secrets; about what constitutes a secret: a password, a bank account number, or whatnot.
And then, I honestly think most importantly, ensure that they don’t feel socially isolated.
DUCK. Yes.
DAVID. Which is really good advice for people in general.
Give them a call every now and then.
But also make sure that they know that if they text you because “Apple Computer” has just emailed them, and wants to have a support call with them…
Make sure that they know that they can shoot that over to you as a screenshot, and be like, “Hey, is this real?”
You’re not just going to ignore them, and then they’re going to take that call, and now their computer has been remote-access hacked.
The social aspect to it is probably the most important thing you can possibly do, because these schemes will continue to evolve.
But that’s OK, because they’re not going to take your brain away from you.
And if you have a relative who is in a cognitive state that is incompatible with the internet…
I’m not making fun of anybody that has dementia or anything like that, but there are some people that really should not be custodians of their own data.
And that’s another important social control.
If you have someone in your family who is in that state, maybe you should have a discussion with them.
And that’s a very difficult discussion…
DUCK. Yes, it is.
DAVID. Talk about what assets they still control – actively deal with these things.
That’s part of being a social animal, and a member of a family.
So I think that’s actually the most important defense.
Because all the technical stuff?
That can be breached, and it’s just sort of a puzzle waiting to be solved by some criminal somewhere.
DUCK. So you need to make sure that anybody that you think is vulnerable, or indeed any of your friends and family, that you empower and encourage them that if they’re not 100% sure, they don’t have to engage with the person at the other end at all.
They can simply cut the communication dead, hang up the call, don’t ask for explanations.
And then, make sure that no matter how trying it may seem at times, that you are there for them if they come to you saying, “Look, what should I do about this?”
DAVID. Right.
Exactly.
Make sure that you really actually are the person that they can call.
And that’s one of the best defenses there is – it’s 2025 and that defense is 35,000 years old.
I can’t recommend anything better than that unilaterally, because any other technical measure is going to be breached at some point.
DUCK. Absolutely.
And the classic example is some criminal calls you up and persuades you to give them remote access to your computer…
…and you invite them in, without using any bogus tools, without using any malware.
Basically, they’re just persuading you to do something that you will really wish later you shouldn’t have done.
DAVID. Yes.
DUCK. So David, I’m conscious of time.
So I would like to finish by trying out three short aides-mémoires, if you like, that will help you.
Let me know what you think…
DAVID. OK.
DUCK. So the first of all, I’ve got this in two flavors…
One is: If in doubt, don’t give it out.
And the flip side of that coin is: Be aware before you share.
A little thought goes an awful long way.
DAVID. Yes.
It’s a little corny.
But at the end of the day, that is applicable in almost every cyberthreat context.
DUCK. Yes.
DAVID. You can think about that in almost every context, and maybe it won’t save you…
…but it’s a step in the right direction if you know nothing else.
DUCK. Thank you, David. [LAUGHS]
I was hoping for something a little better than, “It may sound a bit corny.”
DAVID. Well, it does. [LAUGHTER]
DUCK. Another way of putting that is: React in haste, repent at leisure.
DAVID. Yes.
Yes, absolutely. [LAUGHS]
I like that one better!
DUCK. The second tip that we’ve already mentioned, where you said, “Well, you have to be careful about making this into such a blanket rule that becomes over-complicated for things that might not matter”…
…that is: Try to make time for a second opinion.
DAVID. Yes.
DUCK. Don’t always rush in to do things yourself, because somebody else who hasn’t been buttered up yet by the person who’s been talking to you might bring just enough extra cynicism to spot something that you have perhaps willingly overlooked.
DAVID. Yes.
These criminals are playing on common themes of haste, and pride, and urgency, you know, confidentiality.
They’re playing on these common themes, and just being aware of that can sometimes help you take a step back from what’s being asked and say, “This is the most basic threat in the book.”
DUCK. And they won’t use exactly the same playbook with every person they’re trying to convince, will they?
DAVID. No, no.
DUCK. So, some people they will realize are personable, and obviously would like to be helpful, so they’ll go down that route.
Other people they might feel are fearful in some way – maybe they’ve been in trouble before for being rude to customers, so the crooks might try and pressurize them a little bit.
There isn’t one guideline that you can apply, so asking somebody else, whom you actually know and trust, really can help an awful lot.
And the third one, which you mentioned earlier on, is: Never rely on the contact details that the other person gave to you, even if you genuinely think it is your bank, or a person from Microsoft.
DAVID. And I would say that there’s a corollary to this one, which is when you are in a system like that, where you’re forced to reach out to somebody, or they’re reaching out to you, the measure of caution there is to be aware of the details that you’re confirming or divulging to them.
DUCK. Yes.
DAVID. If you call your bank and they say, “OK, I’d like you to confirm your identity,” that’s not unreasonable.
That’s a very common thing.
But they’re not going to have you read out your entire social security number.
DUCK. And they’re not going to say, “What is the current magic code in your authentication app?”
DAVID. Exactly.
DUCK. Or if they do, you’d really need to find another bank. [LAUGHS]
DAVID. Well, yes. [LAUGHTER]
And so, you really need to be aware of what you’ve divulged.
You need kind of two registers in your mind.
You need a register of the things that they’ve done to confirm their identity.
They always will do something to confirm their identity, and that might be as simple as you only gave them four digits of the account number, and they read you more of it.
But also think about what you’re giving them.
Are you giving them details that are unilaterally sufficient to get access to your account?
Or are you giving them just details that confirm to them, because they already know these things, that you are the person that you say you are?
And those two are very different things, and they’re things that people don’t think about that hard when they’re on a phone call with someone, unfortunately.
DUCK. And if I can add a fourth of three, and this is perhaps the most specific advice that I want to try out on you, David…
And that is: If you are motivated to do something that you are unsure of security-wise on the basis of fear, you almost certainly should not do it.
DAVID. Yes, that one’s simple and easy.
The more afraid you are, or the more afraid you’re being made to feel, the less you should be doing whatever it is you’re doing, particularly if it’s of value to someone else.
DUCK. Excellent.
David, I think that’s a great place on which to end.
I think we’ve covered an awful lot in this episode.
It’s rather non-technical, but that’s because technology alone can’t solve a social problem, as the name “social engineering” suggests.
Thanks to everybody who tuned in and listened.
And thanks to you, David, for your very thoughtful insights.
Please like us and share us on social media.
If you are not yet following @SolCyber on LinkedIn, please do!
Follow @SolCyber on LinkedIn to keep up with the delightfully useful Amos The Armadillo’s Almanac series.
Even if you know all the jargon yourself, Amos will help you explain it to colleagues, friends, and family in an unpretentious, unintimidating way.
Because every week, SolCyber’s lovable mascot, Amos the Armadillo, publishes a little graphic that gives you one or two short, easy-to-remember sentences that explain and give you advice about problems of the sort that we’ve discussed here.
Until next time, stay secure.