It’s not just mega corporations like MGM Grand Entertainment that get targeted by social engineering attacks. In fact, it happens millions of times every year to individuals young and old, rich and poor, well-educated and not. It always starts innocently with an absolute stranger reaching out to make a connection with someone they say they find attractive, intelligent, successful, etc. And it doesn’t take long before what is innocent becomes horrific.
A few years ago, we received a call from the owner of a small business in California who had been caught in a sextortion trap. A former semi-professional athlete, he often surfed social media for fitness tips. One Instagram influencer, young, female and based in Florida, asked to connect with him. The conversation started out innocently and focused on stretching techniques. She sent pictures of herself stretching in two-piece bathing suits.
The first warning sign he missed was that none of the photos she posted showed her face. Ignoring that, he responded when she messaged him on the platform. That was the second missed warning sign. As Robin Williams once said, “God gave men two heads and only enough blood to run one of them.”
Baiting the hook
One day he initiated a conversation asking, simply, “How are you?”
She replied that she had been having financial difficulty and was $50 short of making her rent. He offered to send the money to her. She was very grateful and in thanks sent a few more “special” pictures. Somehow it occurred to him that this might not be on the up and up and he decided to stop responding. That was the smart move. What happened next was not.
The scammer messaged him again and asked why he had stopped talking to her or visiting her page. He explained that it wasn’t appropriate to continue. She responded with even more salacious photos and a demand for $500. He refused but she insisted.
You are not James Bond
Realizing he was talking with a scammer, he decided he was going to catch whoever this was. So he sent the cash and began a series of text exchanges about how beautiful and sexy she was. She responded in kind. He thought he now had the evidence and confronted her with it.
She responded that now she wanted $5000. She showed that she not only had his wife’s email address, but his children’s as well. She had hacked into his business’s server and downloaded his banking information statements and client contact information. She sent screenshots of the “sexting” messages between them and threatened to send them to his family and the customers.
Swallowing the hook
Now he panicked, but before he responded he called us at Cyber Protection Magazine and asked if anything could be done. We immediately put him in touch with the cybercrime unit in his city’s police department (one of the few in the country) and they dispatched an officer to his home to take the full report and provide advice.
In the end, he didn’t pay the $5000. He turned over all conversations with the scammer to the police, canceled all his social media accounts, and made requests to expunge his data. He came clean to his family. He met with each customer individually, explaining what happened, and hired a digital forensics company to find any data exfiltration.
He still has his business and family and was out less than $1000 including what he had paid to the scammer.
Learning the lesson
Besides missing the warning signs, his biggest mistake was believing that he had the skill to take the scammer down. The second biggest mistake was believing the scammer had any real power over him in the first place. He learned that the potential loss of his career, reputation, and family was less likely than that the scammer was actually a beautiful woman who found him attractive.
The core of any social engineering attack is maintaining an illusion of power over the victim. Our aversion to embarrassment is a powerful tool, but in the end novelist David Foster Wallace said it best: “You will become way less concerned with what other people think of you when you realize how seldom they do.”
It is less likely you will develop a friendship over social media than you will in real life. Social media is not a singles bar. It is not a gym. It is not a church. It is a means of advertising for big corporations and for the nefarious among us to commit fraud and other crimes. Yes, you can catch up with old friends, and connect with people you have met in the real world through social and business engagements. But every stranger you come upon in the digital world is to be viewed with suspicion. It is sad, but it is a fact of life.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.