Reverse Social Engineering
Elicitation, Persuasion, Interrogation and Dumpster Diving. Learn these social engineering techniques to protect yourself from those trying them on you.
Both in the European Union and the United States, every year in October, the “Cybersecurity Month” is observed. During this time, through events promoted by authorities and awareness campaigns, there is an effort to raise attention to various topics related to information security.
This year, the focus of the awareness campaigns is the phenomenon known as “social engineering,” a real scourge through which the cybercrime industry generates substantial profits.
Social engineering refers to all psychological and technological techniques aimed at deceiving people and convincing them to disclose confidential information or perform actions they normally wouldn’t. The most well-known and basic (yet very effective) social engineering tactic is phishing, which you’ve surely heard of.
Social engineering is highly profitable because the real dirty work is done by the victim, who not only harms themselves but often becomes an internal attack vector within their own company. As a professional in the field, I assure you that there are many cases where an employee in administration has been persuaded to send transfers (even in the hundreds of thousands of euros) to fake accounts belonging to cybercriminals.
It’s a mistake to think that social engineering is something extremely complex or rare. Basic activities like phishing are now highly automated and operate on an industrial scale thanks to generative artificial intelligence. Billions of emails, SMS, and phone calls are sent each year by automated systems with the sole purpose of leading someone to make a mistake. The scale logic makes the activity extremely lucrative and, all things considered, less risky than more complex and specific hacking operations.
As we will see, however, social engineering can be much more than just phishing and far more sophisticated.
The Case of Evaldas Rimasauskas
A humorous case of social engineering, albeit one that ended badly (due to greed), is that of Evaldas Rimasauskas, a man who managed to steal $122 million from Google and Facebook over a couple of years through social engineering.
Rimasauskas first created the right context, with a credible identity, fake documents, contracts, and invoices. Then, he falsified the emails of some corporate executives (spoofing) to request large payments over two years for non-existent supply services from these two companies.
Rimasauskas exploited the employees' good faith and the lack of internal controls to win their trust and have the payments sent without any problems. After all, it’s well-known that in companies this large, there aren’t many checks on payments below certain amounts, and it’s quite easy for periodic payments to go uncontested for a long time.
Rimasauskas was eventually discovered and arrested, and he now faces up to 30 years in prison, but I’m fairly sure that if he had been smarter and less greedy, no one would have ever noticed.
This case clearly shows how even the largest and most secure companies can be vulnerable to social engineering techniques, which don’t always require complex technological attacks but simply the ability to manipulate people's trust. And if it applies to Google and Facebook, imagine the countless small businesses that populate our countries...
Wolf of Wall Street
Another interesting case is that of Jordan Belfort — the real-life protagonist of the Hollywood dramatized story in the film “Wolf of Wall Street.” Belfort managed to manipulate countless people into investing large sums of money in stocks with no real value, enriching himself tremendously.
In this case, social engineering did not involve manipulating company employees to gain access to confidential information or illicitly receive funds but rather investors. Belfort and his team used advanced persuasion techniques, exploiting people's greed to convince them to make investments that ultimately led them to lose money.
Reverse Social Engineering
At this point, the usual online awareness guides would try to explain how to defend against the most common attacks, such as phishing. I will do that too, but first, I want to focus on something much more interesting, delving into social engineering methods. As we proceed, we’ll explore the various psychological techniques that can be used to execute such an attack, borrowing some documentation from the FBI as well.
I don’t intend to encourage anyone to commit criminal acts, but I believe that understanding these techniques is the best way to learn to recognize them and protect yourself.
Subscribe to Cyber Herm3tica to keep reading this post and get 7 days of free access to the full post archives.