#SPYHACK: CIA Tactics to Counter Social Engineering

Greetings Everyday Spy,

Welcome to your newest #SpyHACK!

I received some exciting news this week.

A generous man in Nigeria offered to give me $2 million if I helped him transfer his money from Nigeria to the US using my bank account. He said he trusted me because my name meant ‘good heart’ in his tribal language. I just had to click on the link and submit my banking details and I’d be a millionaire before the weekend.

Talk about good fortune!

But a few days later, I got some bad news.

Someone had caught me gambling online using my child’s college savings account. They told me they would keep my secret if I clicked on a link and subscribed to their ‘secret protection’ service. They would hide my IP address so nobody else would ever be able to see what I’m doing online.

I sure felt relieved that the same guy who caught me gambling was also willing to keep me safe!

You and I see emails like these all the time: promises, threats, and even downright ridiculousness, all trying to get you to click:

  • ‘Start growing your hair back today!’
  • ‘We have pictures of you cheating on your wife…’
  • ‘Watch how Brad Pitt picks up chicks’

We lovingly call these bits of digital harassment ‘email scams.’ CIA and FBI professionals call them ‘social engineering’: manipulating a person into taking an action (clicking a link, sending money, handing over a password) instead of attacking the technology that person uses. Whatever phrase you use, these types of digital attacks are an everyday problem:

  • Social Engineering accounts for 90% of all international data breaches
  • 60% of Americans know at least one victim of a social engineering scam.
  • Social Engineering attacks grew by 65% from 2018-2019.

To understand social engineering, you have to understand social behavior first.

While people have predictable behaviors, those behaviors may not be what you think. 

As an example, people expect convicted felons to behave selfishly in ways that only benefit themselves. In fact, studies show that hardened criminals are better team players and have more advanced cooperation skills than university graduates. 

As another example, consider someone negotiating their pay for a 1-year work contract. It would seem like common sense that a contracted employee would want a bulk payment up-front, with either decreasing or evenly distributed paychecks for the remainder of the contract. Instead, 69% of people claim that they would prefer LESS money up-front and an INCREASING payment schedule over the year.

When asked why, they responded, “It would feel like I’m doing a good job.”

Social behavior is not based on logic and reasoning – it centers around ‘instant gratification.’

‘Instant gratification’ is the act of satisfying a need you have right now. It is a fundamental human desire that runs exactly opposite to what we try to teach ourselves. And that makes it an effective tool for social engineers.

Instant gratification is often confused with ‘instant pleasure.’ The two are in fact very different.

               Instant gratification: The act of satisfying a perceived need immediately.

               Instant pleasure: Feeling pleasure immediately after making a choice or decision.

Not all instantly gratifying experiences are also instantly pleasurable. 

  • Locking your car door when you drive into a sketchy neighborhood does not bring you pleasure – but it makes you feel safe. 
  • Scolding your child for banging on your work laptop does not bring you pleasure – but it makes you feel in control.
  • Clicking on an email link that promises a free cruise does not bring you pleasure, but it gives you hope for the future.

Social Engineering is a game of odds – and the engineers know the odds are in their favor.

Let me tell you those odds:

  • 76% of businesses have reported at least one social engineering email in the past year.
  • 30% of social engineering emails get opened by the target user.
  • 15% of people who fall victim to a social engineering attack once will fall victim to a second attack.
  • 100% of social engineering victims are targeted for a second attack.

I don’t want you, your business, or your family to be a prize on some hacker’s digital mantle. 

Here is how you can counter social engineering attacks right now.

  • Ignore the REPLY button

Social engineers put a great deal of time into making emails look real. They can even forge the sender address using a technique called ‘spoofing.’ A good spoof shows a name and address that look exactly like the real ones belonging to your spouse, your boss, or your favorite website. What the spoof cannot fake is where your reply actually goes: your mail client addresses a reply to the hidden Reply-To header when the message carries one, and that header is under the sender’s control. The address you see and the address you answer to can be two different things.

No matter how real the email looks, DO NOT HIT REPLY. 

Instead, compose a totally new email and type the address yourself, taking it from your own contact list or from an earlier message you know was genuine, not from the suspicious message. A look-alike address (an extra letter, a different domain) survives a copy-and-paste, so the address you already trust is the only one worth using. By starting a new message you bypass anything hidden in the suspicious email and can trust that your message will go to the correct person. If the address really was spoofed, you are not only protecting yourself from compromise but you are also alerting the other person that their address is being forged. (A spoofed address does not mean their account was broken into; the sender simply wrote their name on the envelope.)

The accounts engineers most want to spoof belong to the people you love and trust. And attacks are especially damaging when a CEO, church elder, or trusted family member gets spoofed. 
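Here is what the REPLY button is actually doing, as an added example (my own code, not part of the original post or the author’s material). It reads a raw email with Python’s standard library, works out where a reply would be addressed, and flags the two header tricks behind most reply-based scams: a Reply-To that points somewhere other than the From address, and a display name that is itself an email address. The three messages and every domain in them are constructed placeholders; a clean result does not prove a message is genuine, because a From header can be forged outright and only the receiving server’s SPF/DKIM/DMARC checks can catch that.

```python
"""Where does 'Reply' actually send your message?

Added example (not from the original post). Mail clients address a reply to
the Reply-To header when one is present and to From otherwise, so a forged
message can show a familiar From address while steering every reply to the
attacker. The messages below are constructed samples with placeholder domains.
"""
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if it has no @)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_reply_path(raw_message: str) -> dict:
    """Work out where a reply would go and list the signs of a spoof.

    Returns {"from": ..., "reply_target": ..., "findings": [...]}.
    An empty findings list means From and Reply-To are consistent; it does
    NOT prove the message is genuine (a From header can be forged outright,
    which only SPF/DKIM/DMARC checks at the receiving server can catch).
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Reply-To pointing somewhere other than the From domain: the classic
    #    trick behind "hit reply and send us your bank details".
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(
            f"Reply-To {reply_addr} does not match From {from_addr}; "
            "a reply goes to the attacker, not the person shown"
        )

    # 2. Display name that is itself an address: the client shows
    #    'alice@acme.example' in bold while the real sender is someone else.
    if "@" in from_name and from_name.strip().lower() != from_addr.lower():
        findings.append(
            f"display name '{from_name}' impersonates an address; "
            f"the real sender address is {from_addr}"
        )

    return {
        "from": from_addr,
        "reply_target": reply_addr or from_addr,
        "findings": findings,
    }


# Constructed sample 1: From looks like the boss, Reply-To is the attacker.
SPOOFED_REPLY_TO = """\
From: Alice Boss <alice@acme.example>
Reply-To: Alice Boss <alice.boss@mail-acme-support.example>
To: bob@acme.example
Subject: Urgent wire transfer

Bob, reply with the account details so I can approve this today.
"""

# Constructed sample 2: the familiar address is hidden inside the display name.
SPOOFED_DISPLAY_NAME = """\
From: "alice@acme.example" <payments@freemail.example>
To: bob@acme.example
Subject: Updated payroll form

Please fill in the attached form and reply.
"""

# Constructed sample 3: a consistent message (no findings).
CLEAN_MESSAGE = """\
From: Alice Boss <alice@acme.example>
To: bob@acme.example
Subject: Lunch?

Noon works for me.
"""

if __name__ == "__main__":
    for label, raw in [("reply-to spoof", SPOOFED_REPLY_TO),
                       ("display-name spoof", SPOOFED_DISPLAY_NAME),
                       ("clean", CLEAN_MESSAGE)]:
        result = analyze_reply_path(raw)
        print(f"{label}: a reply would go to {result['reply_target']}")
        for finding in result["findings"]:
            print("  !", finding)
```

Run it as a script to see the verdict for each sample; in a real mailbox the raw headers come from your client’s “show original” or “view source” option. The point the code makes is the one above: the only address you can trust is the one you type into a fresh message yourself.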

  • Your secrets are yours

We all have secrets we keep that make us feel guilty. Some secrets are embarrassing, some are painful, some are just so old we don’t talk about them. But to a social engineer, secrets are the key to a powerful emotion… FEAR.

The rules of instant gratification mean that you will react instantly to protect your secrets. 

That predictable behavior gives social engineers an advantage. If they can say something that triggers your fear, you will react. That is the reason you see so many emails related to sex, money, and marriage. These are areas where we all have secrets, we all have fears, and we are all vulnerable to fear.

I made a career out of stealing secrets. 

Trust me when I tell you that secrets are difficult and expensive to discover. Social engineers do not have the resources or the talent to record your personal calls, control your laptop camera, or monitor your private messages. They are playing a game of odds, hoping that you will act out of fear when in fact your secrets are safe. If one of these emails quotes a real password of yours as ‘proof,’ it came from an old data breach of some website, not from your computer; change that password anywhere you still use it and move on.

Don’t trust any email that says someone discovered your secrets. They didn’t. But if you click their button/link, they might.

  • ‘Throw-away’ accounts

The most important email account for an intelligence operator is a ‘throw-away’ account. This is an email account we create with a fake name and use any time we sign up for a new website, get a suspicious message, or suspect an email marketing scam. It’s a digital disguise that protects your real name and real email address from being discovered.

Instead of using your personal email address to shop, explore, or register online, you can use your throw-away email address. 

You can still log in and check your throw-away account, but it won’t be connected to anything important – like your real name, your contact list, or your personal email account. 

If you get scam emails in your throw-away account, that’s a GOOD thing! It means your throw-away account is working and your personal email address is protected. 

You can use your throw-away account as a test ground to see whether a newsletter or website sends you helpful information or just internet junk mail. And after you decide you like the newsletter, you can always go back and sign up again with your personal email address.

I never gave that nice Nigerian man my bank account details. 

And I opted against protecting my secret gambling habit (so secret I didn’t even know I had it!).

I respect genuine tradecraft, the stuff spies use to steal secrets that keep people safe. But I have no interest in letting social engineers waste my time with silly scare tactics.

Spies are heroes, putting their lives on the line for people who will never know their names.

Social engineers are cowards, spamming the world in the hopes that a few everyday people will click before they think.

Trust the spy – Ignore the scammers.

Godspeed, #EverydaySpy 

Author: Andrew Bustamante, Founder of www.EverydaySpy.com. Andrew is a former covert CIA Intelligence officer, decorated US Air Force Combat Veteran, and respected Fortune 500 senior advisor. Learn more from Andrew on his Podcast (The Everyday Espionage Podcast) and by following @EverydaySpy on your favorite social media platform.

1 Comment

  1. Joel I Bustamante

    September 26, 2019 at 8:47 pm

    A few weeks ago I received an e-mail with the following subject line: You Have Been Hacked.
    I opened it and read the following (I will just write the main points):
    1) We have all your contacts information.
    2) We recorded you watching porn and pleasuring yourself.
    3) If you don’t give us $500 in bitcoin, we will send this recording, and the porno you were watching, to all your contacts. You have two days.
    My first reaction was WTF!, exactly the reaction they were looking for. Clever bit of social engineering. But like Andy explains, after the initial reaction you have to stop and think. This is why this hack is not possible (in my case):
    a) I have an Apple MacBook Pro running on OS 10.14.06 (at the time of this writing, the latest upgrade). Apple has the best built-in security on its IOS system. I am not saying that Macs cannot be hacked, but it’s very improbable because hacking into a Mac is expensive, time consuming and impractical.
    b) My laptop is always closed since I use an external monitor that doesn’t have a camera built in.
    In short, there was no chance I was hacked the way the hacker described.
    If you watch “Black Mirror”, there is an episode (Shut Up And Dance) in which a young man did exactly what the hacker described (actually worse, but you have to see it), and he received the same e-mail, except the hacker showed him proof. The hacker didn’t want money, he just wanted the kid to do something for him. In the end it didn’t end well for any of those involved. Very scary.
    I try to keep abreast of all the latest scams. The Nigerian scam is one of the oldest, the IRS scam, the “Lower your interest on your Credit Card” scam. Take a look at this guy https://youtu.be/_QdPW8JrYzQ and have fun, but be aware and don’t fall for scams.