I am sitting in a meeting room in Cambridge when a photo of a cat in a puzzle box appears on the whiteboard. “Is this your cat?” asks anti-fraud expert Steve Goddard. I agree. “Is his name Chester?” I nod my head again.
And so begins a whirlwind tour of my online life. My joy at seeing my cat’s protest against my puzzle addiction slowly turns to unease at the overall picture that Goddard, who works for a company called Featurespace that detects and prevents scams, has pieced together.
Within five minutes, I find out that the details of my school lunch activities are available if you know where to look, that I take many more flower photos than I thought I would, and that I gifted the children. crooks enough information for them to have a chance to wind me up.
These snippets are tools that Goddard says a scammer could use as a jumping-off point to “socially” me – someone could use them to gain my trust and manipulate me into passing on details that they could then deploy in a scam. “It starts to disarm you because you think ‘no one will ever know’ and you think ‘I have to know them’,” he said.
Goddard shows me a tweet in which I express my despair over a delivery company that can’t find my house, and suggests that it would have been easy for someone to impersonate the courier and pull the best of me. Or, he suggests, “If I wanted to engineer you socially, I could pretend to be a student from your old school who wanted to get into journalism.”
It’s true. It wouldn’t occur to me that the person was a con artist because I had no idea that all of this information was available. And with my guard down, I could start giving out information that could be used to part with my money.
In the first half of this year, £355 million was lost in the UK due to authorized push payment fraud, where people transferred money to crooks’ accounts. Some of these crimes started with fraudsters socially manipulating victims they had met on dating sites. Others with people contacted by someone claiming to be in the fraud department of a bank and manipulating them that way.
“Criminals are increasingly evading advanced security systems in banks through social engineering scams that directly target people and trick them into giving away their money and personal or financial information,” says UK Finance, the professional banking association. Identity theft scams, where a criminal calls and claims to be from a trusted organization, such as your bank, are on the increase. “Criminals use information from open sources on the Internet to form a picture of their victim to target,” it adds.
Rory Ines, founder of Cyber Helpline, a voluntary organization that supports people who have been scammed, says he sees a large number of victims who have been deceived with social engineering tactics “and it all increases the time”.
I always thought I had been careful enough online – giving up enough on myself to enjoy conversations with people I had never met, while avoiding those games where you reveal the name of your first pet, your mother’s maiden name, and all of your bank passwords at the same time. But the demo showed me that there were things I had forgotten and made it clear that the information other people were sharing was added to the picture.
The starting point was Facebook. Because of that and my failure to make my account private, Goddard was able to say, “We know where you work, we know where you went to school, and we know where you are from.”
From there, through my tweets on Scouting, Goddard had been able to find several of my old addresses. And via old copies of my school’s magazine uploaded to its online archives, he was able to remind me of my success at talking about Welsh rugby and feminism without deviation or hesitation in a sixth form Just one Minute competition.
However, my current address is not online – we have chosen not to appear on the open version of the electoral roll. And I turned off geotagging on my photos, so it’s not clear where they were taken. These are two good steps to take.
Steven Murdoch, professor of security engineering at UCL, explains that rather than using Goddard’s in-depth approach to find someone, most criminals will use more basic techniques, such as email and phishing texts, to get the information they want. “Their current techniques work very well and make them a lot of money,” he says. “When they target someone [like] the boss of a business, that’s when you start to see more time investment in making social engineering work.”
Goddard says it’s impossible to determine how often these techniques are used, and there is no separate category for them in UK Finance statistics.
A few years ago, Cash presented the case of a company that was scammed after a partner responded to an actual tweet from Metro Bank. A scammer who saw the tweet called and pretended to be from Metro and persuaded them to give enough other details to have their account hacked.
“The type of social engineering attack does not tend to spread [up] easily given the time and effort required to be successful, and is therefore most often used by individuals rather than the “call center” approach of criminal enterprises,” Goddard said. “The trigger for targeting an individual can be targeted or opportunistic, like overhearing a conversation or accessing sensitive or actionable information like a photo or a bank statement.”
Maybe if I was in the newspaper celebrating a lottery win or on social media talking about an inheritance, a scammer might decide it was worth finding a way to earn my trust.
For the Goddard team, understanding what information people give out and how it can be socially manipulated by scammers is an important part of the job of designing systems to stop scams. The company provides banks with software that detects unusual behavior and flags payments that appear to be problematic.
“You can’t control some of these things, but it’s being aware that it’s there,” Goddard explains.
Murdoch says people will always give details online, and rather than asking customers to change their lifestyles, banks should look at their own systems. But until they make some changes, it seems worth checking out what you can find out about yourself online and removing, or making private, anything that you are unhappy with people seeing. You can make it harder for criminals by removing some pieces of the puzzle.