While there are challenges in the Information Age, leaving an airport is not one of them. Less than 25 years ago, an unfamiliar airport was one of the most dangerous places a traveler could find themselves in, due to a lack of information. People were routinely told horror stories of kidnappings, robberies, and tricks. Street-savvy travelers would keep their phones and wallets close and hidden until they found a properly marked taxi, which charged ridiculous fees to drive a few miles away from the airport to a hotel. With the advent of the Information Age and all its associated marvels, things have changed. Now valuables are at the ready, phones are out in the open, people take unmarked taxis, and there are few deviants and tricksters to be found. Which begs the question: where have all the con men gone?
Simple: the Internet.
The lack of physical con men has made people generally complacent about getting conned on the Internet. Though the similarities between a con and a social engineering attack might seem obvious, society does not regard them in the same way, which contributes to poor awareness and irreverence towards the subject.
Access, Abundance, and Anonymity
Access: The Internet allows access to billions of people for little to no cost. This enables a con man to conduct hundreds if not thousands of cons simultaneously, which makes them far more efficient and lucrative than the one-at-a-time street cons that were common just 20 years ago.
Abundance: The Internet provides access to hundreds of freely available repositories of information for a con. While dumpster-diving and cold calls for information on a target are still relevant, social media and public record sites provide more information than was previously available, in a fraction of the time, with minimal effort or risk of discovery. Furthermore, while looking into people’s windows (trespassing) or casing a business (loitering) might be illegal, searching through public records and social media profiles has zero-to-no legal repercussions.
Anonymity: Anonymity or pseudonymity (assuming someone else’s identity) is the cornerstone of a successful con man. Once a con man is identified, their con and freedom are routinely at risk. The Internet provides an ever-increasing number of freely available tools that allow for both anonymity and pseudonymity. ‘Deepfake’ technology allows con men to assume people’s experiences and memories with virtually no way to verify authenticity. SIM cloning, burner phones, temporary emails and proxy chains allow these con men to disappear without a trace once the con is complete; a previously unavailable luxury which has emboldened these con men to commit more brazen and devastating cons.
Social Engineering = A Term For Getting Conned
A social engineering attack is a con. When a social engineering attack is successful against you or your organization, you have been conned. When you identify these schemes before they are successful, you have seen through the con. 80% of successful cyberattacks and data breaches attribute part of their success to social engineering. The lack of physical con men has made people generally complacent about getting conned on the Internet. Though the similarities between a con and a social engineering attack might seem obvious, society does not regard them in the same way, which contributes to poor awareness and irreverence towards the subject. Ultimately, people must question their bias toward the two terms.
Con vs Social Engineering Attack
Con: A word with a negative connotation that causes you and others to question your intelligence while causing you great embarrassment. No one likes to be “conned”, so people are cautious when they suspect they are being conned.
Social Engineering Attack: A term that denotes a very sophisticated attack that no average person with a baseline understanding of technology would be expected to defend against, and so such attacks are treated as a fact of life in the digital age. Regardless of the terms, the results are the same and the threat is not diminished.
In truth, there is no solace in being a victim of social engineering vs being conned.
Tell 5 people statement 1 and then tell 5 different people statement 2 and see their reactions.
Statement 1: I was the victim of a digital social engineering attack where someone stole $500 from me.
Statement 2: I was conned out of $500 by some guy on the internet.
There is a high probability that you will receive a better reaction to the social engineering statement than the con statement; that is why organizations like to refer to cons as social engineering attacks. This attempt to minimize damage to reputation has the unintended effect of misrepresenting the seriousness and prevalence of the threat. Understanding that this threat is persistent and serious is the only way to maintain vigilance.
Treat the Internet like a 1990s airport in a failed state, filled with con men, thieves and pickpockets. Avoid using public profiles unless they serve a specific purpose, in the same way you would hide valuables unless you need to declare them or they are in use. Beware of any party approaching you seeking to provide services you didn’t request (similar to how you are advised to hail your own taxi). Avoid unfamiliar or rarely travelled sites like you would avoid dark corners or sparsely populated alleys. Do not download any software or click any hyperlinks you did not request, just as you wouldn’t carry a bag for a stranger. Know how to identify legitimate online services like you would learn how to ID an official taxi, hotel bus, or police officer. Understand that the Internet is a massive airport to destinations in cyberspace and there is always a con man looking for an easy mark.