Imagine you’re out late one night with your friends enjoying a few drinks. You’re at your neighbourhood pub, and your phone rings. You don’t recognize the number, but when you answer, a genial-sounding gentleman says he got your number from one of your friends - whom he mentions by name. The mysterious caller says he heard from your friend that you love cycling, and he wants to talk to you about a cycling event he’s organizing.
At first, your suspicions aren’t raised, because the caller appears to have the endorsement of your friend. He also knows some fairly personal information about you: your profession, your hobbies, your friends. You hear him talk about this cycling event, and when he asks if he can email you some more information about it, you readily agree. Why not?
But when he says he’s going to send you information about the cycling event in an attachment - a Google Drive link, actually - you begin to have questions.
Why not just put the cycling information in the body of the email? He says it contains private information that he only wants you to see, so he’s set the permission settings to allow just you to access the Google Drive file. When you click on the link, you arrive at what appears to be an authentic Google login page, with a request for your password.
Little do you know, someone somewhere is watching and waiting for you to do just that.
Even though your suspicions have been raised a bit, you take comfort in the knowledge that you have fairly secure online practices: for example, you use two-factor authentication (2FA) to log in to your accounts. When you enter your password on the Google Drive login page, you receive a code on the very phone you’re holding in your hand. That seems pretty secure, but when you enter the code on the login screen after your password, you don’t realize that you’ve just granted access to your account to a person watching in real time elsewhere.
The Google Drive login page is fake, and the caller who supposedly wanted to talk about cycling has used personal information about you to lure you into entering both your password and the texted code into that malicious login page, while simultaneously using the information you entered to gain access to your actual Google account, and more importantly, to all its sensitive personal information such as your contacts and other private documents.
This is the unsophisticated sophistication of these types of phishing attacks on persons who use two-factor authentication: the technical dimensions of the attack are not all that advanced, but what is advanced is the range and depth of personal information culled from social media and other open sources by attackers, which they then use to mount labour-intensive but highly effective phishing attacks.
Rather than any sophisticated hacking technology, these attacks on two-factor authentication use thoughtful social engineering: attackers collect personal information to psychologically manipulate victims into divulging their passwords and 2FA codes. Targets of attacks are lulled into a sense of security by attackers’ personalized knowledge about them.
The community has developed many training courses for digital security, but there are few practical tools to combat these types of social engineering attacks; as investigators at the Citizen Lab point out, people who have successfully evaded such attacks have done so by staying vigilant, by critically examining and evaluating every request for their personal information. So far, the community of digital security trainers has focused heavily on technical tools to prevent attacks, rather than on the tricks, practices and sensibilities for staying vigilant against social engineering that might be learned from past cases.
What we need going forward is a greater focus on vigilance against social engineering to complement practical tools like 2FA. We need digital training courses and manuals that include case data on phishing attacks that use social engineering, so that users can acquire the mindset necessary to guard against those who gather personal information to manipulate targets into giving up account data.
In an age where the personal is the digital - when so much information about us is readily available online for pernicious use - it’s more important than ever to share and learn from our colleagues’ experiences, so that we can guard against the use of psychological manipulation to gain access to our personal data.