It reads like the script of a movie. A stranger tries to “friend” you on Facebook, tells you that she knows where you live, where you work, the names of your brother and mother - and even your ID number. Alarmed, you take screenshots of the conversation and her profile - and block her.
But then you notice one of her pictures features a shady underworld character, who is known to be involved in drugs, prostitution and hit men - and you are chilled to the bone.
What would such a person want with an engineer?
It’s enough to get anyone in a sweat. And for George (surname withheld) from Joburg, it was more than a little unsettling.
“I’m thinking that my account has been hacked. I heard through friends that he (the underworld figure) is involved in the criminal underworld, so I don’t want to associate myself with people like that and I’m not sure what they are capable of. I believe they are very dangerous and I don’t want anything to do with it or hear of it.”
Paul Ducklin, from the British security company Sophos, says he has not heard of such hacks before but that “someone may be chancing their arm”.
“It could be the result of a data breach. But your parents are your parents, your kids are your kids and your ID number doesn’t change. Just because someone knows it, doesn’t mean they know anything about you,” he says.
The problem is that accessing such personal data is “sadly, surprisingly easy”, which is why Ducklin cautions about giving out personal information over the telephone - and that includes to call centres. He said people handed over their information too willingly and there was always a risk that someone working at the call centre could be crooked.
Then there is social media. People give away intimate details of their lives and don’t consider the consequences, posting pictures and updates on Facebook, “checking in” and tagging friends - all of which can tell hackers who your friends and family are, what your habits are - even down to where you were on a Saturday, with whom and what you got up to.
“So, a criminal can piece together a narrative. They might say to you, ‘We met on such and such a night at a particular venue, with these people’ and you won’t remember them, but they have enough information on you to make you think that it is a possibility - and they build up trust.”
He says many people tell their life stories on social media, which makes them easy targets.
“Hacking is now more targeted than before - they might zoom in on one victim and go after them in a big way.”
Cybercriminals use social engineering as a tactic to lure and manipulate people into divulging confidential or personal information for financial gain.
Most cyberattacks contain some kind of social engineering, whether it is phishing, vishing, SMSishing, 419, pharming, “honey lures” or ransomware.
Cybersecurity and anti-virus provider Kaspersky notes that phishing emails try to convince users they are from legitimate sources, “in the hope of procuring even a small bit of personal or company data. Emails that contain virus-filled attachments, meanwhile, often purport to be from trusted contacts or offer media content that seems innocuous, such as ‘funny’ or ‘cute’ videos”.
“It’s important to beware of social engineering as a means of confusion. Many employees and consumers don’t realise that with only a few pieces of information - your name, date of birth or address - hackers can gain access to multiple networks by masquerading as legitimate users to IT support personnel. From there, it’s a simple matter to reset passwords and gain almost unlimited access.”
Kaspersky notes that protection against social engineering starts with education - users must be trained to never click on suspicious links and always guard their log-in credentials, even at the office or at home. If the hackers’ efforts are successful, the likely result is a malware infection, which is why it’s vital to use a quality antivirus program to stop and track Trojans and other bots.
Ducklin adds that the kind of information collected is so personal that it makes the approach seem far more believable.
“If you know where someone went to school and present some details of their lives, it’s so much easier to hook them. They find out what you look like, where you went to school, who your best friends were or are, who your worst enemies are - they can claim an apparent insider intimacy.”
He believes banks and other organisations perpetuate the idea that customers’ information is secret, but they ask customers to identify themselves by things that are hard to change - ID numbers, surnames or maiden names, workplaces, telephone numbers, and email addresses.
“But the stereotypical information doesn’t apply any longer, so don’t be too scared or too trusting. Cybercriminals are able to piece together information from social media and data breaches - they use social engineering to get inside your head and use your data as currency.”