Anyone who has had the pleasure of seeing social engineer and people hacker Jenny Radcliffe speak will know what I mean when I say that she can see beyond the conventional eye.
Sitting with her at a recent conference where she spoke in front of the charity security community, I wanted to get her thoughts on what the modern IT professional can do to better spot that attacker both inside and outside of the office.
We’ll get on to insider threats later, but first I wanted to understand the common characteristics of an attacker from outside the organisation. An unseen attacker is obviously hard to spot and profile, but Jenny said that there are some common traits of a scammer on the phone that are more straightforward to pick out.
“There are a few things that you might be suspicious of that could give away a less than genuine person, though it only potentially gives them away,” she said. “It is not a case of A equals B, but there are a few things I would tell people to look out for.”
On the phone, Jenny said, there are a number of common traits that might give away someone deliberately trying to extract targeted information about your organisation. Firstly, if a caller claims to be in a hurry, needs help, insists on talking to you and only you, and needs the information right now, that can be suspicious.
She said: “When you are genuinely in need of assistance, usually you take anyone’s help, but a social engineer will have specifically targeted that person, so may insist on talking to that person, and that person alone, looking for information that only they are likely to know.”
So, the person wanting specifically YOUR help right there and then is worth looking out for. The second point that Jenny made is that a social engineer is likely to get angry rather than apologetic. “A genuine person is likely to apologise and be quite self-effacing, while a social engineer might name the boss and make threats, dropping names to put the person under pressure. That is a big flag for me,” she said.
As we have detailed in the past, spear phishers research the target organisation and identify employees who may be easy to reach and who might help them build a broader picture of the company. In this type of attack, the social engineer may have already identified their target and is looking to use that individual to gather any information about the organisation they can, so that they can find a way to use it later.
“On a call, a social engineer will be curious, nosy, let you speak a lot,” she said. “If you realise that you have been on a call for 20 minutes and the other person hardly spoke and let you do all the talking, then that can also be a flag.” Jenny admitted that this is not a catch-all scenario, as some people are naturally curious, but if the person on the phone is persistent about your details, and those of your company, yet reticent and evasive about details of their own, this is also suspicious.
“There will be a basic story that they are working with, however, behind those basics it is likely to be pretty patchy, thin, and lacking in detail. Lies of this nature often lack depth and don’t ‘fly’ under closer or persistent questioning. There may be a lack of detail or emotion behind the story as it is a construct, rather than the truth.”
Jenny concluded by saying that these elements of an attack from the outside are common: being in a hurry; getting angry too quickly; curiosity about every detail; and reticence about their own details. But they vary from case to case, as much depends on the person.
She said: “If I talk about coffee preferences, you wouldn’t show much interest as you probably have no real reason to remember that information, no motivation to work with it. Trivial information may not interest a genuine person very much, but a social engineer wants that information and will work hard to find out all the details.”
With phone scams still a problem and members of the public often caught out all too easily, this advice could go a long way towards ensuring your staff are better prepared in the face of the unseen enemy.
Tomorrow Jenny talks about the threat inside the organisation, and how to spot them.
Jenny Radcliffe was talking to Dan Raywood