Beware of social engineers

Cyber security awareness month starts today, and a conversation with a friend this morning provided me a timely anecdote.

I messaged my friend on WhatsApp and asked for confirmation of his address - I wanted to post something to his house. My opening message was a greeting and a comment that his WhatsApp security code had changed.

WhatsApp tells you when someone's security code changes, which can be due to an app re-install (e.g. a new phone). Bizarrely, many people don't notice these notifications.

Once he'd confirmed his address, I asked "presumably Mrs Friend also lives there?".

Next I got a voice call. My friend thought the interaction was weird and wanted to verify my identity. This was a sensible move, and I was not offended - anything but! My friend wondered if my phone had been compromised, and wanted to double check.

Why would it matter?

Obviously, if my phone had been compromised then all our previous chats could have been exposed. There's nothing massively exciting there (no offence, friend!), but we do have a history of speaking. An attacker could abuse the trust between my friend and me by pretending to be me, and then conducting some social engineering.

Social what now?

Social engineering is a technique used by security testers, con artists, and thieves when trying to gain sensitive information about you or your organisation that you wouldn't usually give to a stranger. By building trust, or exploiting trust that already exists, the social engineer can often find out things that they shouldn't know.

How can I protect myself?

My daughter tells me I have trust issues, whereas I just consider that I have a healthy amount of scepticism. When someone's speaking to you, especially if they're applying a sense of urgency, find a way to slow them down. For example, if you get a call from your bank claiming that your debit card has been defrauded that's certainly something you'll want to deal with quickly. An attacker making that phone call might ask you to verify your card number, expiry date, address, CV2 number. Instead of continuing the call, phone the bank back from a known good number. Debit and credit cards often have the correct number to call on the back.

Social engineering works because the other person can convince you to trust them. Your best defence is to take control and to move the conversation to a trusted state. Verify who you're talking to, and the situation, before proceeding.

What if my CEO contacts me?

I've been there. In a previous job, the CEO of the company sent me a message on the Slack messaging system. He was asking for a password reset to his Microsoft 365 account, and as I was responsible for IT he reached out to me.

There are a number of red flags here:

🚩 Unexpected request for a password reset.
🚩 Unexpected contact from the CEO, who I didn't speak to often.
🚩 Seniority of the caller is greater than mine.
🚩 Social pressure that delaying or inconveniencing the CEO could be bad for my career.
🚩 ...

Fortunately I had met the CEO before, and he was a reasonable chap. The best move to ensure all was above board was a FaceTime video call. I called a number that I'd validated from other systems (i.e. the Slack message didn't give me the number), saw our CEO, and we had a chat. I explained why I was calling, and he was pleased that I had taken the steps to check he really did need a password reset.

He did.

The password was reset, and we went about our days.

Empower your staff!

I was only able to do what I did because I felt my employer supported my actions. It was highly unlikely that I'd suffer any negative consequences. Making sure your staff know they can do similar, checking that a request is genuine, is a crucial part of defending against social engineering attacks.

My company can help

I don't want to turn every blog post into a marketing exercise, so rest assured that's not going to happen!

That said, I'm still very much growing my company at the moment, so if your organisation would like some training or procedures for handling social engineering attacks I'd be happy to help. Reach out to me via our contact form, email me at jonathan@jonco-it.co.uk, or check for more details on our website: www.jonco-it.co.uk.

Happy cyber security awareness month!

(For those curious, I wanted to send my friend's wife, a fellow stationery lover, a pen. I also know couples who live apart, so my questions weren't entirely crazy!)


Banner image: Something I and Microsoft Copilot threw together to act as a banner for my cyber security awareness month posts.