Technology Practice Tips: Social Engineering (Transcript)

This is a transcript of a podcast discussing Social Engineering.

Speaker key:    PB: Phil Brown     DW:  David Whelan

PB: Hi, it's Phil Brown and I'm here with David Whelan and today we're going to talk about social engineering.

DW:  Oh, wait I thought I we were talking about an engineering social life, so engineers getting together and stuff.

PB: No, we're going to talk about more how this might affect lawyers and paralegals.

DW:  Okay. So, social engineering is maybe not a term you've heard of, but you will have heard of what it is. Social engineering involves people, maybe not even using technology, maybe just using telephones, to use your emotions and your normal inclinations to be helpful and share in order to pry out information from you like your credit card number, like your passwords, like information that you wouldn’t otherwise divulge. And so the social part is really the human interaction that leverages that information out of you.

PB: And it could be as simple as someone arriving at your office with a stack of 10 pizzas for your staff and saying that they're there and everyone's supposed to gather in the conference room. And they think it's a party and everyone goes into the conference room including the receptionist to get their pizza. And the person who delivered the pizzas now walks over and plugs into their server and could possibly insert some sort of Malware or Trojan or whatever through one of the USB ports and it's essentially just been a two minute interruption of service.

DW:  Yeah, it's a funny area because there's so many different things that go on and you'll have heard of phishing, you may have heard of vishing and smishing, farming, water holing. They're all sorts of interesting terms that pop up in the media. But really all of these fall under social engineering. 

PB: And it all has to do with our need to see what's in that email or our need to respond to something. Or someone has told us something's wrong with our accounts so we need to figure out what that is quickly. 

DW:  And some of it's very random. Phishing for example, spelled p-h-i-s-h tends to be emails that come in but they're sent to thousands and thousands of people on the hope that someone will see “Oh my bank account has been breached and I need to click through.” And when they click on that link they go to a site that either downloads malware to their computer and infects them, or they are prompted to put in information like their user name and their password for their bank but they're not actually on the bank's site. 

That is escalated with things like water-holing or spear-fishing where the email isn’t sent to lots of different people it's sent to very specific people. And so, the email feels even more authentic because it's true to the sort of email that that person would expect to get. 

I know recently I've been receiving a lot of emails that have to do with court filings. And so, inside the email there's a document or it looks like it's supposed to be a document that if I clicked it, would appeal to me. So, they are varying levels of tailoring but they're all meant to have you do something to give up some piece of information.

PB: And vishing, although we both don’t like that term, has become more common because of things like VOIP, which is the voice over internet protocol system of telephony.

DW:  There have been some terrible examples this year, it's 2015, in the U.K. two lawyers have gotten in trouble and suffered discipline when they received a phone call from what they thought was their bank, they then took actions based on that phone call. Often, what would appear to be legitimate, but it ended up moving huge sums of money in their trust accounts from one place to another. And, unfortunately, the other place was controlled by the scammers. And so, they were then able to remove all of the money. So, it really is, even on phones where there's no technology involved, it's a matter of using common sense and really thinking about what kind of information am I giving up or what am I doing based on requests from someone who I actually can't see.

PB: And I think in one of the English examples there's one with a loss of over £700,000.

DW:  Right, yeah, it was really huge numbers. 

PB: And now we need to look at it from the perspective of when you get that email and this is another thing that's common with VOIP, you might have a voicemail, but you're able to access it through your computer and click on that voicemail file that, WAV file to listen to the voicemail that's been left for you.

DW:  Right, you should really be very cautious with anything that looks like it's sending you a link that is taking somewhere else, whether to listen to a voicemail message or to fill out a form or an attachment that looks like it should be something that you should download and listen to or open. 

Go through your same process that you would normally do, even if it's a voicemail and even if you're in a hurry, rather than double clicking on that file “right click” on it and save it as an attachment to your drive and run your virus checker on it because the emails that are coming in are extremely good at - I mean we're well beyond the days when you had typos or people who are addressing you as an Nigerian Prince, although I do sometimes get requests for barristers from the U.K, which I think is quite funny. But the emails have gotten very sophisticated and again, if it's been tailored to you it's going to be something that's going to be very difficult for you to watch. So, without becoming too paranoid, you do really need to watch every email that comes in.

PB: And you'll get a lot of phone calls now from people claiming to be - the popular one this year was the Revenue Canada call or the CRA call saying there was a warrant out for your arrest and if you paid a certain amount of money by such and such a time, which you could do immediately of course by giving up a few of your credit card numbers. And it was usually a small amount. It was a few hundred dollars or a thousand dollars and if you paid that amount immediately that would be the end of the warrant you could go on your way. I mean CRA doesn’t call anyone, but, again, it's that sort of panic response you have when someone calls and says, “We are an authority and you need to deal with this now.” And that's what plays into that social engineering aspect.

DW:  Another story that I heard recently is really interesting. Someone who pretends to be your tech support and just randomly calls people at the office and says you had a tech support call, I'm just returning the call and trying to help. And they'll often get someone who doesn’t realize that maybe, you know, they hadn't put in a call very recently or they just had a question and so they start to talk to this person and they'll give up their username and then maybe they'll give up their password and thinking that they're dealing with a co-worker. 

And, of course, when you want to get along with your co-workers like Phil and I do, you're willing to give up information that you might not otherwise do. And if that person's now outside the organization in our modern environments where they're often employee portables that you can lock into from remotely or remote networks that you can log into remotely. A username and a password from inside a corporation can be very valuable.

PB: And it's very easy, not to pick on VOIP, but with a modem and a magic box, very quickly - I mean I received phone calls from my own phone number while I've been on my own phone. So, it's obviously not me calling me. But they can spoof any phone number, they can spoof any organization. So, you'll get a call that purports to be from the Royal Bank, it's not necessarily from the Royal Bank and you still need to zealously guard your information and not just give it up to someone on the phone because they purport to be from a particular agency. None of these agencies and the banks, even the cable companies, none of them will call you up and start asking for your personal information.

DW:  And that's a good point. Both you, and the staff that you train, so that they are as aware as you are about how to deal with these problems should never give up something like a password over the phone or even over email. Those are just not the sorts of things anyone ever will ask for. They'll always reset it if they have a password issue so that they can go and get into your account that way. 

But that is just the sort of normal response where someone calls up and is it's a real emergency I've got to get my password or I'm calling for somebody who you know is out of the office and I need to get their password. That's the time when you slow down and you hang up the phone or delete the email and you don’t send that kind of information. You find a different way to accommodate their request or to confirm really that the person who is on the other end of the phone or email is actually the legitimate person.

PB: And another aspect of this that lawyers were seeing in a different form earlier this year and over the last couple of years have been with regard to collection. And they're getting certified cheques sent to them by someone who's paying off this collection and the instruction will be to put it through their trust account immediately and take a piece of it for their fees and so on. And this certified cheque is often stolen. But quite often the number on that cheque that the lawyer would call to confirm the account and confirm the amounts of the payor or the payee and so on, those would be added to the cheque after the cheque had been stolen. 

And you're really just calling the fraudsters to confirm that the funds are there and to confirm that everything's fine when you should be picking up the phone and looking for and looking on your computer to find out who's behind this? What's their main phone number and let me go through it that way to confirm things or deal with your local banker. You shouldn’t just accept things at face value because it's printed on the cheque. 

DW: Yeah, particularly if you're talking - the case of the U.K solicitor who moved almost a million Canadian, that's the time when you're dealing with large sums that you really need to slow down and take as many precautions as you can. If you're getting emails that come in and say your account's been locked or your credit card's been denied or whatever, please click on this link and change it, then instead of clicking on that link go to your bank's website by typing it in your web browser and making sure you're going to the place you think you're going and then attempting to log in and attempting to see if that message is actually under your account. Because it's much safer and it's so easy to click on the link and go somewhere and think that you've arrived and it's just a false facsimile of the place that you thought you were.

PB: And that's - I mean is really important I think to not click on attachments if you get attachments from someone you weren’t expecting or this is different, as David said, that plea for money from a foreign country, this is they know human behaviour, they're working on that human behaviour, they expect you to click on something and if you click on something and maybe it looks like nothing happens on your computer and gee, I guess that's a bad file. But what's really happened is a Trojan or a worm has been downloaded onto your computer that will activate later and you might be sending out all your clients’ information or banking information back to someone else. Or it may just be ransom and your computer will be encrypted and you'll be notified by email saying “Oh, by the way, $500 U.S and we'll decrypt your computer, otherwise we'll delete everything in a week.”

DW: So, hopefully that's made some sense to you. And if you have any additional questions, please just send four million dollars in unmarked cash to the Great Library and I will back to you as soon as I can.

PB: And that's our look at social engineering. Thanks, David.

DW: Thanks, Phil.