by Constantine von Hoffman

How Long Until You Fall for a Social-Engineering Attack?

Sep 27, 2011 · 3 mins
Data and Information Security, Phishing, Security

These attacks are on the rise. They are also getting more effective by using ever more specific information about their victims.

The social-engineering attack someone tried on me last week was pretty crude – to me. It was probably effective on someone else. That’s what has me worried.


This one was a phone call but it could have just as easily been an email or a website. The recorded voice said, “We’re calling from XXXX Bank with security concerns about your XXXX card. Please push 1 for more information.” I hung up and found out later from an article in the local newspaper that the next step would have been asking me to enter account information and all that other stuff I don’t want anyone to have.

This was my first brush, that I’m aware of, with a social-engineering attack, but I’m clearly one of the lucky ones. According to a new study, 48 percent of businesses surveyed had been victims of social engineering and had experienced 25 or more attacks in the past two years. The report, by security firm Check Point Software Technologies, said successful attacks cost victims an average of $25,000 – $100,000 per incident.

The thing that got me to hang up immediately was that I’m not a customer of that bank nor do I happen to have the card they were asking about. Only later did I remember my father-in-law telling me he had gotten a similar call the week before. If I had been a customer of that bank, would I have remembered that or would I have fallen for it?

The fact that it was a phone call was also working against the crooks in this case. It is hard to make a phone call look or sound official. That’s almost certainly why the most common attack vectors for these attacks are phishing emails (47 percent of incidents, according to the study) and social networking sites (39 percent).

We know the criminals were using a fairly generic set of phone numbers because it hit me, someone outside of their target audience. But that was a matter of dumb luck or dumb crooks. Pinpointing the right group is no harder for them than it is for an online marketer. Just as with the marketers, the more specific information these people use the more likely they are to “make their sale.”

Now I know that I pay more attention to security stuff than your average bear. So it’s pretty hard to get me to cough up info doing something like this – I hope. This has me wondering: how much information would someone have to have for me to believe them? Whatever that amount is (and I do check all requests any which way I can), it is far more than it would take to gull most people.

For a long time I’ve worried about my elderly parents falling for something like this (though clearly my father-in-law is doing OK). I’ve talked to them about assuming any email or call is a con and only giving information if they can verify the request through another channel. And how to find that other channel? Now I think I need to have that talk with a lot of other people, including a reminder talk with myself.

But how do you do it with an entire organization? It’s hard enough getting them to even use a strong password.