Our lives are featured on social media — photos of our family, personal information on profiles, and status updates on display for all to see, even those with malicious intentions. Just a few pieces of personal information could leave you and your accounts vulnerable to social engineering.
What is Social Engineering?
Social engineering is the art of manipulating people into divulging confidential information for the purpose of information gathering, fraud, or system access.
According to CBC News, social engineering is the new method of choice for hackers. Here’s how it works:
Social Engineering is the New Method of Choice for Hackers
IT executive Erynn Tomlinson, who lost $30,000 worth of cryptocurrency, says ‘every Canadian is at risk’
Is your name and your phone number all it takes for a hacker to take over your cellphone account?
Marketplace’s latest investigation has found that just a few pieces of personal information could leave you and your accounts vulnerable.
It happened to Erynn Tomlinson. The former cryptocurrency executive lost about $30,000 in cryptocurrency after hackers used a few of her personal details during interactions with Rogers customer service representatives to ultimately gain access to her account.
“I don’t know how to describe it. I was sort of in shock at the whole thing,” said Tomlinson about realizing hackers stole savings she was planning on using for a mortgage.
Tomlinson is a victim of the latest type of hack plaguing the telecommunications industry: it’s called a SIM swap, and hackers use what’s known as social engineering to make it happen.
Social engineering fraud typically happens through email, phone, or text — or in Tomlinson’s case, through online chat windows. Hackers use charm and persuasion to convince a customer service representative they are actually the account holder.
If At First You Don’t Succeed, Hack Again
The hackers might have a few pieces of publicly available personal information: a person’s name, email address, birthdate, postal code or phone number.
Hackers use some of those details to try to sweet talk a representative into handing over more information and ultimately gain access to an account.
“The attackers are very sophisticated. In this case, Rogers didn’t provide any friction for them and made it far too easy,” Tomlinson said of her experience.
As far as Tomlinson can tell, the hackers had only her name and her phone number. Over a series of eight different online chats, the hackers managed to obtain her date of birth, email address, account number, the last four digits of her credit card, and other details about her account.
Armed with this information, the hacker convinced a Rogers rep to activate a new SIM card linked to Tomlinson’s account, which could then be placed into a phone in their possession. A SIM card is a chip used to identify and authenticate a subscriber to a service provider.
Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson’s sensitive accounts, including those tied to her finances.
Tomlinson used two-factor authentication on her sensitive accounts, an extra security step that sends a message to your cellphone before granting access. Tomlinson believes the SIM swap allowed the hackers to divert those incoming messages to a new device, effectively bypassing her security measures.
She first became aware something was wrong when her cellphone stopped working. After stopping by a nearby café to use the Wi-Fi, she realized one of her financial accounts was at zero. She rushed home and logged onto her other accounts, and also saw them being drained.
In total, the hackers managed to steal the equivalent of $30,000 in cryptocurrency.
“I hope this is a bit more of an extreme case,” she said. “But I think … every Canadian is at risk right now.”
Social Engineering on the Rise
Tomlinson’s losses may sound extreme, but companies around the world say social engineering attacks are on the rise.
Canada’s federal privacy commissioner now requires all companies to report any security or privacy breaches. Since November 2018, there have been more than a dozen reports of social-engineering breaches in this country’s telecommunications sector alone.
In an email, the Office of the Privacy Commissioner told Marketplace the trend “clearly raises concerns.”
The emergence of social engineering fraud comes as no surprise to ethical hacker and cybersecurity expert Joshua Crumbaugh.
“Social engineering’s been a popular thing, I mean, since the beginning of time — we just gave it a new term. It’s the same thing that grifters and con men have been doing forever … they’re just exploiting basic human weaknesses or vulnerabilities.”
It’s human nature to want to help and avoid conflict, which is why Crumbaugh says the key to a successful social engineering hack depends on who picks up the other line.
Chances are if one person is not willing to help, the next person likely is, he says.
“It’s just psychology. So if you understand how somebody’s going to react to something, you can easily manipulate somebody into giving you information or access to things that maybe they shouldn’t.”
Agro, C., Grundig, T., & Vellanie, N. (2019). Social engineering is the new method of choice for hackers. Here’s how it works. CBC News.