Three Types of Social Engineering That Keep Coming after Retailers

(This article originally appeared in Loss Prevention Magazine)

When you think of hacking, breaches, or cyber security, what do you think of? Probably software or technology. We often forget the human side. But humans continue to play a big role. In fact, more than half of breaches and cyber-security events start with a human error or social engineering. Many are a combination of both.

So what exactly is social engineering? It is the manipulation of people into performing actions or divulging confidential information. It is a confidence (con, for short) trick for information gathering, fraud, or system access. And while it is like a con, it differs from a traditional con in that it is often one of many steps in a more complex fraud scheme. Wikipedia says, “While the term social engineering is not directly related to computers, information security, or traditional security professionals, most recently it has become a major part of our industry.” In this article I will review some of the most common types of social engineering and how they occur in retail.

Baiting

Baiting occurs when the social engineer leaves a malware-infected device, such as a USB flash drive or CD, in a common area where it is most likely to be found. Several devices can be left at one time to increase the likelihood of success. Bathrooms, hallways, and mail drops are easy targets for baiting. Humans are curious creatures, especially loss prevention professionals. The intent of the social engineer is that someone will pick up the infected device and plug it into their computer to see what’s on it. That’s when the malware installs itself. A lot of times the USB drive or disk will be labeled “important” or “private.” Once the malware is installed, the social engineer may have access to the computer or whole networks.

One example of baiting in a retail environment is when a social engineer applies for a job, schedules an interview, and meets with HR. After the meeting, he leaves a USB drive on the HR person’s desk. Because of his long commute, he uses the restroom and leaves a second USB drive on the bathroom sink. Then, for good measure, he places one more on a random desk while exiting. What would you do if you found a USB on your desk that was marked “private?” The answer to that question could make the difference between your company finding itself on the front page of the newspaper for all the wrong reasons in a few months or not.

Phishing

Phishing occurs when a social engineer creates fraudulent communications with a target, appearing legitimate and often claiming to be from a trusted or known source. Phishing is one of the more well-known tricks of social engineers and still one of the most successful.

The most common phishing attempts are unexpected urgent emails, usually involving banking, shipment, bill payment, or online accounts. Another common attempt is an email that appears to come from a person of importance, like your boss, your CEO, or a law enforcement official. The intent of phishing is to gain access to accounts, install malicious software, or steal money.

Here is one example of phishing in a retail environment. You receive an email from Jack, your good buddy in IT, and the email says, “Hey bud, can you reset your password? Just click the link below.” You have known Jack for years and often work on projects together. You click the link and reset your password. But the email wasn’t from Jack; it was someone trying to steal your login credentials, and that person has now accessed your HR profile in order to redirect your paycheck to his account. Don’t click on any links. Call the person. Or go directly to the source and reset the password.

Vishing

I have personally seen a lot of vishing in my past retail loss prevention assignments. Vishing is when the social engineer (a criminal, let’s be clear) calls an employee within a company posing as a trusted individual or a representative of a bank, credit card company, IT, or loss prevention. Then the social engineer tries to get information from the person in the business. In more complex examples the social engineer will call several people using the information obtained from each to further the scam. The main purpose of vishing is to get information or to cause someone to act.

Let’s review two real-life examples I have seen in the past. A call comes to a cashier at a register. The caller (a visher) acts as if he works for IT. He asks the cashier if the register is working correctly and claims to see an outage. He then asks the cashier to ring a test transaction to a gift card for $250. Once the test is complete, he asks for the gift card information from the cashier. Once he hangs up, he immediately places a fraudulent online order using that gift card number.

Another example of vishing is when a caller contacts someone in the shoe department and asks for the department manager’s name (say, Mike), the previous department manager (say, Bob), and the store manager’s name (say, Jack) because he wants to write a thank-you note to them. The visher then calls the CEO’s office and says, “I bought two pairs of shoes, and both were damaged. I have spoken to Bob, Mike, and Jack, and no one can help me. All I want is my money back. I left the shoes with Bob several months ago. I paid for them in cash and want a check mailed to me, or have it returned to my debit card today. I am a lawyer/doctor/federal agent/judge.” I have personally heard all of the above. He continues, “If you don’t refund me today, I want to meet with the CEO. I can’t believe I am getting the run-around for $290!” This scam happened to every retailer I have ever worked for. Imagine what happens when the visher calls ten retailers a day, and two give a refund!

These are only three types of social engineering. There are more, but these are the most relevant to retail. You will notice in all of the above scams the risk of being caught is low, and the potential reward is high. The most important ways to prevent falling prey to social engineering are training, awareness, and policy. The more you talk and train, the less likely you are to become a victim.