Social Engineering

A Cautionary Tale of Social Engineering

While it may sound like an innocuous term, Social Engineering is defined as “a technique that uses psychological manipulation, fraud, or dishonesty to force people to disclose private personal or corporate information, or to take a particular action.”

Meet Smartie

An acquaintance (I’ll refer to him as “Smartie”) recently shared with me his encounter with Social Engineering. Smartie is a retired military officer in his mid-70s. He is mentally and physically sharp and healthy. He stays up on technology as best he can, and about a year ago purchased a new computer. Along with the computer, he purchased one year of technical support from the Big Box Store (BBS for short). The BBS has a Cleverly Named Division (CND) that handles the tech support.

Things were rocking along just fine. Smartie used the tech support team from CND a few times, but as he was coming up to the end of his one-year contract he thought he would set up a phone call with CND one last time to check out some minor slowness and the security settings on his computer. On the day he called CND, he immediately heard a busy signal. Slightly irritated, he went back to the email he had just received that reminded him that his one year of tech support was expiring soon. Instead of calling the original number, he tried the other number from the email.

Someone picked up immediately and gave the appropriate greeting. The woman on other end of the phone apologized that they were overwhelmed with calls this morning. Could she kindly have a technician call back within the next 30 minutes? He obliged. Sure enough, as promised, within a few minutes he received a call back from a very astute sounding technician, a.k.a. “Tech Guy.”

The Tech Support Call

Relieved that he was working with someone who sounded exceptionally bright, Smartie proceeded to tell Tech Guy of his concerns. Tech Guy listened patiently. With the utmost professionalism, Tech Guy politely asked Smartie if he could patch-in to his computer using a system familiar to Smartie. Tech Guy just wanted to check a few settings to see if it was something simple. Smartie agreed, impressed with how insightful Tech Guy seemed to have about his concerns. Within a few minutes, Tech Guy found the issue for the recent unexplained slowness. It appears that 14 outsiders had recently accessed his computer—and some of this hacking could be identified with Russian IP addresses.

Tech Guy found other problems as well. There was a special device where a technician from CND would come to his home and run a complete scan on his computer. This would require a $1,500 deposit. The deposit would be completely refundable but was required because it was a very expensive piece of equipment.

Smartie now became suspicious. He had never heard of such a service. Tech Guy assured him this was new, and they were just rolling it out. He also apologized for the deposit and said he would petition to his manager to get it waived. He also offered to let Smartie think about it and call him back when he was ready.

Smartie, feeling like he had become overly suspicious, went ahead and gave him his credit card information for the deposit.

The Social Engineering Scam

However, no sooner did he complete the transaction, than the hair stood on the back of his neck. He quickly asked Tech Guy to cancel the transaction. Tech Guy calmly assured him that he would. Smartie told him to let him think about it over the weekend. Then he quickly hung up the phone, concerned that something was amiss. He immediately called his credit card company and put a fraud alert on his credit card. He explained the entire situation, but still was not sure whether Tech Guy was legitimate or not. The credit card company insisted on replacing his current credit cards and agreed it would not pay the $1,500 (which it turns out, had not yet been cancelled by Tech Guy.)

Then things became surreal. Smartie started receiving emails about purchases of gift cards, including some high-end department stores. Smartie tried logging onto his Amazon account, but the account had been locked down. He was directed to call Amazon, which he did. Amazon first made Smartie answer a litany of security questions. The Amazon operator told him there had been significant activity on his account, and they were forced to shut it down. The operator would not give details as to how the account was flagged, but Smartie realized it was probably the Tech Guy who had used his account to purchase the gift cards.

Smartie paid a visit to BBS and spoke to a manager of the CND. They confirmed there were no employees by the name provided—and they did NOT have equipment where a deposit was required.

Smartie had to admit to himself that he had been a victim. After Googling aspects of his scenario, he confirmed he had been duped by a very sophisticated social engineering scam. It was specifically targeted at senior citizens (who are most likely to purchase a year of tech support.)

Verify the Source

In this case, it was the email regarding the 1-year of tech support that was expiring which was the bait, and Smartie had diverged from working with a legitimate company, to essentially a shadow organization. The moral of the story is to always verify the source. Smartie had correctly used the original phone number. But once he relied on the phone number in his email, he had ceased dealing with a legitimate company.

In this case, the adage “a stitch in time saves nine” was true. Smartie acted quickly in contacting his credit card company, and Amazon obviously had controls in place that shut down the suspicious activity. Hopefully, Smartie’s story will help others. Although he is quite embarrassed about what happened, Smartie believes he is a perfect example of how easy it is to fall into a social engineering trap.

Kristina Bolhouse, CPA/PFS, CFP®

Vice President/Shareholder

© 2021 The Arkansas Financial Group, Inc., All rights reserved.

Please remember that past performance may not be indicative of future results. Different types of investments involve varying degrees of risk, and there can be no assurance that the future performance of any specific investment, investment strategy, or product (including the investments and/or investment strategies recommended or undertaken by The Arkansas Financial Group, Inc. [“AFG]), or any non-investment related content, made reference to directly or indirectly in this commentary will be profitable, equal any corresponding indicated historical performance level(s), be suitable for your portfolio or individual situation, or prove successful. Due to various factors, including changing market conditions and/or applicable laws, the content may no longer be reflective of current opinions or positions. Moreover, you should not assume that any discussion or information contained in this commentary serves as the receipt of, or as a substitute for, personalized investment advice from AFG. AFG is neither a law firm, nor a certified public accounting firm, and no portion of the commentary content should be construed as legal or accounting advice. A copy of the AFG’s current written disclosure Brochure discussing our advisory services and fees continues to remain available upon request or at www.arfinancial.com.

Please Remember: If you are a AFG client, please contact AFG, in writing, if there are any changes in your personal/financial situation or investment objectives for the purpose of reviewing/evaluating/revising our previous recommendations and/or services, or if you would like to impose, add, or to modify any reasonable restrictions to our investment advisory services. Unless, and until, you notify us, in writing, to the contrary, we shall continue to provide services as we do currently. Please Also Remember to advise us if you have not been receiving account statements (at least quarterly) from the account custodian.