Dangerous Hybrid: “Psychological” Cyber Crime

Sophisticated cyber-engineering skills are not required. At work here is a new iteration of an old archetype, the con artist who “cajoles, flatters, feigns ignorance and fakes compassion,” in order to break down the resistance of the chosen victim. This post from Built In traces the origin of this phenomenon to the exploits of the legendary Kevin Mitnick, who it says, back in 1992, simply persuaded someone at Motorola to turn over the source code for its revolutionary flip phone. That episode, says the writer, “demonstrates that falling prey to social engineering has less to do with inadequate technological defense measures and more to do with the human mind.” (This truism may have important insurance coverage implications, as in a recent case involving a $600,000 spear phishing attack.)

A social engineering attack is a long-term project, typically involving extensive background research. While the key is getting the target’s confidence, the means varies, but typically involves exploiting such perennial human traits as respect for authority or desire to help others who are in trouble. Goals range from routing money to an untraceable account to the acquisition of personal information, such as passwords, credit card numbers, or other customer information.

This post goes into more detail about a number of sub-categories of the social engineering scam, including “baiting,” “diversion theft,” “honeytrap,” “pretexting,” and “deepfakes.”

How does one protect against these attacks? Basically there are two strategies, says one expert. One is technical, involving “physical fail-safes” like multi-factor authentication. The other is mental. Basically, it’s “Learn not to trust.” Warning for the future: Everything that has worked for online social-engineering scammers so far is likely to get a lot better with AI.