Protect Your Assets

Neal B. Custer: Businesses beware — there is no patch for human trust

President of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. and an adjunct professor at Boise State University.February 19, 2014 

Mitch had given up on the idea of love. At 30, he was successful in many areas of his life: His career was booming, he was in perfect health, and had neither student loans nor credit card debt to worry about. On paper, everything was going great — but this didn’t change the fact that Mitch was lonely. After a difficult breakup with a long-term girlfriend a year earlier, Mitch instead decided to focus on his career and on personal development, justifying it to himself by thinking “dating is a waste of time and I already have none to spare.”

One night, an Internet ad for a popular dating website caught Mitch’s eye. He had seen the ad many times before, but tonight something was different. The idea of online dating intrigued him — after all, it wouldn’t take that much time to set up, and he could communicate with potential dates on his own time.

Within a week, Mitch had casually started chatting with a few people on the site. One in particular stood out prominently: a violinist from Virginia named Holly. Of the people he had talked to, Holly had actually contacted him first, offering a compliment on a picture. Mitch engaged her in a private conversation that night and learned that they had almost everything in common. Their parents were even from the same parts of Washington.

He was enamored. After a week of messaging, Mitch couldn’t concentrate on anything but Holly. She was charming, intelligent and so incredibly witty. Her passion for life reminded Mitch of how good it felt to actually be in a relationship.

On Sunday, when Mitch logged onto his profile, he was met with a message from Holly’s account — but it hadn’t been written by Holly. The message was from her mother, who said Holly was in critical condition in the hospital. She had gone for a walk the night before and had been hit in a crosswalk by a drunken driver.

The message also asked a favor of Mitch: “I hate to put you in such a position, but I don’t have any money. She always talks about what a kind and generous person you are. Is there any way you could loan us a little money, maybe $5,000, to help us with these medical expenses?”

In a horror movie, this would be the part where you start shouting at your screen: “Don’t go in there, you moron!” But Mitch went there, rushing down within the hour to make a funds transfer via Western Union transfer (it would be the fastest way of moving the money because of the emergency, according to the mother).

$5,000 poorer, he never heard from “Holly” or her mother again.

There is a saying in the information security world: “There is no patch for human trust.” What happened to Mitch was not the result of a keylogger stealing his password. It was social engineering — the manipulation of a person’s natural tendency to trust in order to deceive.

Ask yourself: What would you do if you checked your email and received a message from a complete stranger asking you for $5,000? Most of us wouldn’t even open the email. But what if it appeared to have come from your mother or father? You’d probably still be suspicious, but you’d be far more likely to open the email.

This is the core of social engineering — building trust where trust should not be. Every message sent between Mitch and Holly solidified the belief that she was not only a real person but one he actually cared about, that she had the same values as he did, and given time could even love.

When people are emotionally invested in a situation, they are far less likely to see it objectively. During those two weeks, Holly was likely sending messages to hundreds of other guys on the dating website, building rapport and likely making off with a lot more than $5,000.

Business owners need to know that social engineering attacks happen to employees of every business of every size. Sometimes they are direct attempts to gain access to a company network. An official-looking email arrives from IT with a link to a website for a required security briefing, and employees are asked to type in their password to continue. The employees trust IT and have no reason to suspect that this is not IT.

While social engineering can happen in person or over the phone, the written word is the battleground for most of these attacks. It provides a shield to the author’s identity, a detail that can only be inferred contextually. Who is writing this article? The author is listed as “Neal Custer” and likely has my picture, so from the context you place your trust in the fact that I am the author. If this article was actually ghostwritten by a freelancer or one of my staff, you’d be none the wiser. Someone can just as easily pose as a manager, IT person or security staff and exploit the trust of your employees.

Education and verification are the only useful weapons against social engineering. If employees don’t know what it is, they won’t recognize it when they see it, so provide security training. Furthermore, before acting on any suspicious situation, check your facts. Did an email arrive from IT with a link, even though IT has stated that it would never ask for your password? Check with IT. Is your online romance asking for money? Do a background check. Is your mother trapped in a foreign country and seeking money to escape? Call her.

Ronald Reagan said it best: “Trust, but verify.”

Written in collaboration with information security expert Dylan Evans, Reveal’s vice president of operations.

Idaho Statesman is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service