
(NEXSTAR) – The Federal Bureau of Investigation on Friday issued an alert concerning Scattered Spider, a cybercriminal organization currently targeting the airline industry. The group, which is also said to be behind cyberattacks on multiple Las Vegas casinos in 2023, reportedly relies heavily on “social engineering” techniques for its attacks, a tactic used to gain trust with victims.
“In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems,” the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) explains of these types of scams. Attackers may then use that information to pose as a trusted figure working at, or with, the victim’s company in order to gain access, CISA says.
Specific examples of Scattered Spider’s social engineering tactics include “impersonating employees or contractors to deceive IT help desks into granting access,” or “convincing help desk services to add unauthorized [multi-factor authentication] devices to compromised accounts,” according to the FBI.
But social engineering can take many forms — and target everyday individuals, rather than just corporations.
“Typically, the elderly are the most vulnerable to social engineering, but they’re not the only victims,” said John Young, a cybersecurity expert and the COO of encryption company Quantum eMotion America. “Lonely people fall prey to romance scams; those who want instant gratification are vulnerable to get-rich-quick ploys; and otherwise savvy people who have a fear of missing out can get taken by investment scams.”
These types of attacks are also incredibly common. Scammers often contact potential victims through emails and texts (aka phishing and smishing scams) or sometimes over the phone, perhaps posing as a bank or an e-commerce company, and asking the victim to verify their personal information or account passwords.
Joseph Steinberg, a cybersecurity expert and the author of “Cybersecurity for Dummies,” says these attacks exploit a weakness in the human brain.
“We’re not wired to perceive threats from far away. … To survive, for most of history, we didn’t have to worry about threats from someone invisible, 3,000 miles away,” Steinberg told Nexstar.
“But people have a tendency to trust technology more than other people,” he added. “If I walk up to you in the street, and I told you your banker told me you need to reset your password, you’d never trust me. But if you get an email from what looks like [a bank]? That could be different.”
It’s also getting harder and harder to differentiate social engineering attacks from legitimate interactions. Artificial intelligence has made it easier for hackers to both gather information on targets and carry out the attacks, as noted by the cybersecurity teams at such organizations as CrowdStrike, IBM and Yale University.
AI can even make it possible for bad actors to create deepfakes (i.e., synthetic photos, video or audio clips that appear nearly indistinguishable from authentic ones) to try and trick victims. Steinberg says he’s seen this tactic demonstrated over the phone, with scammers using deepfake audio to mimic the voice of a victim’s loved one asking for money or sensitive information.
“Every time I’ve seen it demonstrated it works,” he said. “The AIs are that good.”
CISA offers a number of tips for reducing the likelihood of becoming a victim of social engineering attacks, including limiting the amount of personal information you share online, or contacting a bank/company directly (using a phone number provided by the company’s official channels) after getting a suspicious email or text, to verify its authenticity.
Now that AI is in the mix, Steinberg also suggests that people come up with a plan to verify the identity of their own family members, and most importantly their children, if they get a suspicious call from a person claiming to be a loved one.
“I’m … going to ask them some piece of information that only my child would know,” Steinberg said.
Understanding these tools at least minimizes the likelihood of becoming a victim, even if it never completely eliminates it.
“The most important thing is to internalize the fact that you’re a target,” Steinberg said. “If you believe that people may be trying to scam you, you just behave differently.”
Young, too, said a skeptical mindset is especially helpful for vulnerable populations to adopt.
“I teach volunteer classes for AARP to older citizens, and when I explain that in the old days scammers were known as con artists, something clicks for them,” he said. “It’s true; the scammers of today are just another name for con artists who have been using persuasion and their social engineering skills since the beginning of time.”