Social engineering is a tactic attackers use to gain access to data. There are human-based social engineering tactics, such as using charm and people skills to win the trust of employees, and there are technology-based social engineering tactics, such as phishing, used to gain access to organizational data.
The social engineering scenario I am writing about occurred in 2007. The victim was ABN Amro Bank. The perpetrator used his charm and good looks to win the trust of the employees working at the bank. He visited the bank often and brought gifts to the employees. He used a fake name and, over the course of a year, gained the employees' trust. They felt like they knew him, although they knew nothing about him. During that year, through small talk, he was able to find out where the diamonds were kept. Later, he was given keys to the area. He was able to get into the area where the safe deposit boxes were and steal 120,000 carats worth of diamonds.
The bank had security features in place. As the article stated, “You can have all the safety and security you want, but if someone uses their charm to mislead people it won’t help.” (Brussels, 2017). Additional measures the bank could have taken include training employees for situations like this, so that they are aware that these types of individuals exist. They definitely should never have given him keys to anything.
This attacker didn’t wear a ski mask and brandish a gun, and he didn’t come through the ceiling in the dark of night. He walked in for a year and spoke to the employees. To protect yourself and your organization from social engineering, always remain skeptical without being too skeptical. Remain open-minded. Never give out personal information. We are taught to be nice to people and to be trusting. Working at a bank, you don’t want to be rude to the customers. Even if you feel comfortable with a person, they should never be given the same level of trust as an employee, no matter how nice they are and how much you feel like you know them. Personal and confidential information should never be shared with anyone who is not an employee. Sometimes, even if they are employees, they might not have the same level of security clearance to access certain information. Always be aware and conscious of what you are saying to people.
This was a human-based social engineering attack. I had a hard time deciding if I should write about this case because it was not a technical case of social engineering. But I also wanted to remind myself and others that it is not always a technical engineering attack. They may call on the phone and pretend to be someone else, or use many other ways to gain the trust of the employee, with only one intention in mind: to get what it is they want. This attacker visited for a year, bringing gifts. He was charming and, being human, the employees felt like they knew him. They felt like he was trustworthy. He was a nice guy. And ultimately, he was a conman.
Brussels, S. (2017). Thief woos bank staff with chocolates – then steals diamonds worth. [online] The Independent. Available at: https://www.independent.co.uk/news/world/europe/thief-woos-bank-staff-with-chocolates-then-steals-diamonds-worth-16314m-5332414.html [Accessed 9 Nov. 2017].