Thursday 23 August 2012

Social Engineering? Not on my watch



Social engineering is a method of obtaining confidential information through manipulation. It is usually done to commit fraud or to gain access to a computer, and it is generally motivated by money.

Social engineers will meticulously research their target so they know exactly what to say in order to deceive you. If the target is a large company, they will pretend to be an employee and try to deceive a “co-worker” into allowing them access to files or into a company computer. 

Social engineering occurs for a variety of reasons: it could be directed at a specific company or person, it could be a random attack, or it could even be part of a game. Whatever the motive, you do not want it to put your information and your customers’ information at risk.

Social engineering succeeds because the engineer uses techniques that make you trust them. They make up elaborate stories or personas that you would have no reason not to believe. Then, through what seems like polite conversation, they get you to relinquish sensitive information that can put you or your company at risk of identity theft or a data breach.


The following is a transcription of part of a conversation between me and someone I believe to be a (beginner) social engineer:

Earlier this week, I got a call from a man claiming to be from “Social Alliance Vancouver” telling me my business has won the “Best New Business in Vancouver” award. He continued on saying that my business would be featured on Facebook, Twitter and Google which would bring me a lot of business.

I told him that we were quite capable of posting Tweets on our own, but thank you kindly.

Alas, he continued, “What type of services does your business provide, ma’am?”

I responded, “Well, seeing as how you awarded my organization the prestigious award of ‘Best New Business’, don’t you already know?”

“Yes, of course! You install security alarm systems.”

“Affirmative. We are the Canadian Identity Theft (and security alarm system) Support Centre. Sounds about right. Now tell me about yourself, sir… are you in need of a new alarm system?”

He then hung up on me.

This example clearly shows an inexperienced social engineer who was thrown off track by a little questioning. Most of the time, these people will give up as soon as you present any resistance, because it really is not worth their time to follow through. However, if it is a targeted attack on your business, the engineer will most likely be far more deceptive and charming, and ready to tell you anything to get you to relinquish the information he or she wants.

What information do social engineers want?
Social engineers want as much information as they can get about your business, and the more you give them, the more they will ask for.

They usually begin with friendly chatting, keeping up a light conversation to put you (or your employees) at ease. They will then ask questions such as, “Can you verify your address? I see you are located on Broadway in Vancouver,” at which point your trusting employee corrects the misinformation and ultimately divulges the correct address.

Eventually, they will steer the conversation towards getting information. They may direct you to a website and get you to download a (most likely malicious) file, or ask you directly what they want to know.

The information they may want could include computer passwords, full names of employees, Social Insurance Numbers (SINs), salaries or anything related to wages, and account numbers, among many other pieces of sensitive information.

Preventing Social Engineering from putting your business at risk

If you are concerned about social engineers defrauding your business, consider the following advice:
  • Train all staff members (especially those answering emails and phones) on what social engineering is, what people may ask, and how to tell if a social engineer is on the other end of the line.
  • Determine what information is okay to release to the public, e.g., will you be publishing your address, the names of employees, and salary information?
  • Create an action plan for dealing with data breaches. Sometimes these breaches are difficult to prevent, so it is better to be prepared just in case.
  • Inform employees on the distinction between being helpful and overly helpful. The main way social engineers are successful is to prey on someone’s trusting nature.
If you would like assistance training your employees on how to avoid data breaches through social engineering, contact CITSC to sign up for an informational seminar.

Friday 10 August 2012

Criminal Identity Theft and its Newest Victim



Last July, Spanish tourist Hugo Alejandre was enjoying his lunch in a New York park when he was brutally attacked by a man with a hammer. When arrested, the man told police his name was John C. Yoos, and naturally the police believed him. 

Unfortunately for the real John C. Yoos, the man was lying. He only found out when a friend jokingly pointed out that a man with the exact same name had been arrested in New York for this barbaric crime. Curious, Yoos looked into what had happened and discovered the perpetrator was a man he had briefly met 10 years prior. It was then that he discovered he was a victim of identity theft.

This case of identity theft, referred to as criminal identity theft, is one of many across Canada. Criminal identity theft occurs when a fraudster obtains a victim’s personal information and uses it for the purpose of avoiding an arrest or fines. This can result in false arrest, arrest warrants and a criminal record that can go undiscovered for years. 

Chances are that, for Yoos, the identity theft did not start and end with that blow of a hammer last July. As Yoos recalls, the last time he saw the attacker was about 10 years ago, which is when the identity theft would have originated. Within that time, it is quite possible that the offender led his entire life under the name of John C. Yoos: he could have gotten a mortgage, attended school, signed fraudulent cheques and collected government assistance. Incidents such as these largely go unnoticed until there is a reason to check your credit report, or until, as in this rare case, something like this happens and is broadcast across the media.

Had the real John C. Yoos not discovered that his identity had been stolen and used by someone else to evade arrest, the situation could have ended completely differently. As the offender was in the process of being sentenced under a false name, that record would be attached to Yoos' name. Had he not been notified about the incident from a friend, a warrant could have been put out for his arrest. He could have missed out on job opportunities after failing to pass criminal record checks, or been arrested when stopped for a minor traffic violation. 

Fortunately, Yoos had discovered this incident had taken place just in time, and with enough media attention that clearing his name should be relatively easy. 

As time goes on, it becomes increasingly difficult to prove innocence. Victims of identity theft experience frustration when it comes to proving to creditors, banks and police officers that they are actually the victim, not the perpetrator. When it comes to identity theft, there is an attitude of guilty until proven innocent. 

Criminal identity theft is devastating for its victims. Although it is less common than financial forms of identity theft, it is very much a reality in Canada. Often, criminal identity theft is linked to organized crime groups that are also involved in other criminal activities such as drug trafficking and gang violence. These criminals use the identities of others in order to continue their crimes and avoid arrest, often operating under the aliases of numerous innocent people.

For John C. Yoos, there is a long road ahead undoing the damage caused by the perpetrator. As a Case Manager who has worked with numerous victims of criminal identity theft, I can honestly say that it will take a lot of phone calls, faxes, and possibly court visits to clear his name and ensure that no further damage is done.


‘Criminal Identity Theft and its Newest Victim’ was written by Heather. Heather is a Case Manager at the Canadian Identity Theft Support Centre.

Wednesday 1 August 2012

Olympic Fever amongst Fraudsters



With only a few days into the Olympics, scammers, thieves and fraudsters are already on the prowl for a chance at some silver.

While this is not the first time that thieves have used the games to make money, the increased social media focus of London 2012 presents new challenges for security by creating a platform for thieves to dive into. 

Highly televised sporting events, including the World Cup and the Olympics, are a constant target for the 419 scam or some variant of advance fee fraud, wherein the scammer requests a sum of cash up front with the promise of a huge monetary gain. Usually, the scammer will claim that the victim has won a lottery held by the Olympic Committee. Chances are that the email recipient did not even enter a lottery.

London 2012 spam emails can come in many forms, some more convincing than others. While I normally pride myself on being able to detect a would-be ‘phisherman’ from a mile away, some of the scams I’ve analysed have caused me to take a second glance (maybe I really did win that date with the US men’s beach volleyball team…).

The scammer at the other end of the email can be quite deceptive; his livelihood relies on tricking people, after all. Often, the email will contain either a link to a fraudulent website or an executable file for you to download. Either of these can put your computer at risk of infection, and ultimately puts you at risk of identity theft.

Unfortunately, Olympic scams are not limited to the cyber world. There have been numerous reports of fake ticket sales, which leave fans out of money and disappointed about missing the game. So for those enviable people enjoying the Olympic Games, stay cautious and remember that if it looks too good to be true, it probably is.

Whether you are one of the few lucky Canadians sitting in an Olympic stadium in London or are simply viewing the games from home, remember that there are always people out there willing to ruin a good time for the chance at making a profit. If you come across anything that you think may be a scam, look closely for anything suspicious, Google the company’s name, and if you really want to be sure, call our hotline at 1-866-436-5461 and I’ll guide you through how to tell if it’s real or not.