Being conned out of cash is unfortunately not a new concept. Scam artists have been tricking people out of their hard-earned cash for centuries, but it’s only within the last 10 years or so that we have seen this shift to the internet. Not only is this crime still happening, but the speed, convenience and anonymity of the internet have made it stronger.
Scams that use the internet, known as cyber-enabled crime, use the same methods as before – the art of manipulation. Social engineering is the latest phrase to cause intrigue. It is a powerful tool offering the ability to manipulate people using cyber-crime and psychology.
“Cyber-psychology is the study of the human mind and its behaviour in the context of human interaction and communication of both man and machine, further expanding its bounds with the culture of computers and virtual reality that take place on the Internet.” (Wikipedia)
When it comes to conning someone on the internet, it can be frightfully simple. Techniques such as creating a duplicate site that looks genuine can lower the guard of a victim, who then intentionally types in sensitive information such as card details or a password.
More targeted scams such as ‘spear phishing’ require personal information to target victims without suspicion. Using information found on the internet, scammers are able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target, manipulating their way in.
Real-world hustlers have proved to be excellent psychologists. They have identified these patterns and principles before anyone else. These behavioural patterns are not just ideal opportunities for scams and criminal activity, but also pose security weaknesses of “the human element”. This highlights a potential risk for any system, especially for businesses.
Distraction is at the heart of many fraud scenarios and is a fundamental ingredient of most magic performances. There is a theory among conjurors that the idea of being “one ahead” is the cornerstone of magic and that everything else is merely a variation of it. Street cons are referred to as ‘misdirection’, but in fact, a better term could possibly be direction. The audience will always follow the thing that is offering the most interest – just like in magic. If their focus wanders, then the illusion is lost. This is exactly how distraction scams work, and these can be delivered using the internet with ease.
Even very private and suspicious people will let their guard down without thinking sometimes… Just think… if a TV production company researcher emailed you and said: “Hi! We love what you are doing and we need someone like you to be part of a documentary we are making for ITV, are you interested?” Boom! Your guard is down whilst you think about what you will wear on national telly. The next minute, you’re downloading a “declaration form” which turns out to be ransomware extorting your company for a couple of Bitcoin!
I was asked in 2017 to see if I could hack into an email address (ethically, before you all rant!!) at a local Digital Innovation Show on stage in Bournemouth. I thought it would be fun to start by engineering my target’s passwords by trying my luck on his personal information such as his daughter’s name and football team (which, by the look of his face, I am sure it was the football team!). Anyway, I didn’t have too much time to play with alternatives such as “.1” at the end of them, so I headed over to his “security questions” by ‘forgetting his password’, which included naming his first school and naming the make and model of his first car. As you can imagine, these weren’t too difficult to find. In fact, I came out and asked the guy 6 weeks prior what his first car was, knowing that I would need it on stage.
So, back at the show, within minutes of entering these answers, I was given access to change his password to something brand new which would give me full control. I didn’t fill in this entry as that would be committing a computer misuse act but being offered this opportunity in front of him made him worry. A lot. Funnily enough, he actually told me afterwards that he thought I had in fact got hold of his Google search history so was relieved haha!!
The psychology behind a cyber-attack reverts back to simplicities. Reduce the suspicion and a hacker will be in before you have had a chance to make your morning coffee. Social engineering proves this in multiple ways on YouTube and you will be surprised at how easy it is. Quite terrifying when you look back.
For a more detailed whitepaper on this, head over to our ESET site.