What Is Social Engineering In Cyber Security?

This past week I listened to a podcast of a live, recorded social engineering call by a podcaster named Junseth [1]. The podcast episode was incredible to listen to because of the casual and remorseless tone of the teenage scammer.

The call was a recording of a social engineering fraud attempt by a U.S.-based scammer who called himself “Daniel” and disclosed that he was a teenage minor living in Los Angeles, California. While the scammer tried to scam Junseth out of his bitcoin, the podcaster exposed the fraudster and engaged him in a half-hour recorded conversation.

What Is Social Engineering In Cybersecurity?

Social engineering is the art of influencing, deceiving or manipulating you into doing something that someone else wants you to do. 

The Internet makes social engineering very efficient at both the macro (societal) and micro (individual) scale…

Cyber criminals use social engineering tactics to prey on your emotions.

Social Engineering Example

You receive what seems to be a normal email, phone call or text message that appears to come from a trusted brand name, such as Amazon.com, Apple, Microsoft, Coinbase, FedEx, Kraken, Walmart, the IRS, etc… The message contains an “important notice” or “time-sensitive” information and a link to click on:

  • Click here to reset your password because of unauthorized access to your account! 
  • A delivery for you has been delayed! Click here to track your package!
  • Click 1 if you think you’re the victim of a hack!
  • Transaction receipt #4439! Click here to download!
  • There’s a warrant for your arrest for back taxes! Click here to speak to an IRS agent!

Fraudsters can use technology to fake or “spoof” email addresses and caller-ID phone numbers to appear as if they’re coming from legitimate companies.

Using urgency and familiar brand names, cyber criminals hope to elicit fear, uncertainty, doubt, anxiety, etc. to get you to take action – such as clicking a link – without thinking. 

  • Reset your password by clicking this link!
  • Track your package here! 
  • Confirm your recent transaction! 
  • Call this phone number to start your IRS payment plan!

But clicking that link can mean downloading malware, disclosing confidential information (your password or Social Security number), performing an action such as transferring money, or even having a cryptocurrency wallet drained automatically.
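As an added example that is not part of the original article, here is a small triage rule written in Python that scores a message on the two hallmarks this section describes: urgency language, and a trusted brand name whose sender or link domain does not actually belong to that brand (the spoofing point above). The brand table, phrase list and sample messages are constructed for this example, not taken from the podcast or the article.

```python
import re
from urllib.parse import urlparse

# Brand names the lures borrow, mapped to the registrable domain a genuine
# message from that brand would use (constructed table for this example).
BRAND_DOMAINS = {
    "amazon": "amazon.com", "apple": "apple.com", "microsoft": "microsoft.com",
    "coinbase": "coinbase.com", "fedex": "fedex.com", "kraken": "kraken.com",
    "walmart": "walmart.com", "irs": "irs.gov",
}
# Phrases that manufacture urgency, fear or doubt (constructed list).
URGENCY_PHRASES = [
    "click here", "time-sensitive", "important notice", "unauthorized access",
    "delayed", "warrant for your arrest", "immediately", "confirm your",
]

def registrable(host):
    """Crude eTLD+1: keep the last two labels (enough for .com/.gov here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(sender, text, links):
    """Return (score, reasons). A higher score means more hallmarks present."""
    lower = text.lower()
    reasons = []
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lower)]
    urgent = [p for p in URGENCY_PHRASES if p in lower]
    if urgent:
        reasons.append(f"urgency: {urgent}")
    sender_dom = registrable(sender.split("@")[-1])
    for b in brands:
        # A named brand whose sender or link domain is not the brand's own
        # domain is the spoofing pattern the article warns about.
        if sender_dom != BRAND_DOMAINS[b]:
            reasons.append(f"sender {sender_dom} does not match {b}")
        for url in links:
            dom = registrable(urlparse(url).hostname or "")
            if dom != BRAND_DOMAINS[b]:
                reasons.append(f"link {dom} does not match {b}")
    # Urgency alone is weak evidence; combined with impersonation it is strong.
    score = len(urgent) + 3 * sum(1 for r in reasons if "does not match" in r)
    return score, reasons

# Constructed sample messages modelled on the lures listed above.
PHISH = ("care@coinbase-verify.example",
         "Coinbase: Transaction receipt #4439! Click here to download!",
         ["https://coinbase-verify.example/receipt/4439"])
LEGIT = ("ship-confirm@amazon.com",
         "Your Amazon order has shipped. View order details.",
         ["https://www.amazon.com/your-orders"])
```

The rule is deliberately simple: the brand and phrase tables are what a real mail filter would keep current, and the domain check is where spoofed display names fall apart.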

Social Engineering Tactics Exposed

The social engineering tactics exposed during the podcast I listened to (snippet from “X” below) used the hallmarks of psychological manipulation and technical deceptions… 

These included a caring, familiar, casual voice, familiar and trusted brand names, and the repeated use of your own personal data to reassure you that they are who they claim to be. Unfortunately, the “caring” customer support person is actually a sociopath spoofing Google email addresses and phone numbers, using your personally identifiable and sensitive account data that they purchased on the dark web, and directing you to fake “support” websites that look identical to the companies’ actual websites.

One thing was clear: the fuel that enables these types of fraudulent calls is access to personal data that is publicly available or for sale on the dark web. Cyber criminals can harvest this data, build a dossier on a particular target and craft their call scripts to include private references to information that a target might think only an “authorized” party would have access to.

The Charlotte Cowles Incident

The podcast reminded me of another social engineering scam that was painstakingly described in February 2024 by a personal finance blogger and journalist named Charlotte Cowles for a publication called “The Cut”… 

Charlotte was the victim of a very sophisticated social engineering attack that leveraged compromised personally identifiable data to play on her emotions during a prolonged, multi-person social engineering attack.

The first step in the scam was a spoofed call she received from “Amazon Support” to notify her of suspicious activity on accounts she was told were compromised (but that she didn’t really have). 

As Charlotte was transferred from person to person, the apparent threat level escalated with incremental amounts of pressure put on her to continue to cooperate in helping to bring criminals wanted by the CIA to justice… Each time Charlotte’s scammers provided new instructions to follow, it was always with urgency and under the guise of keeping her and her family “safe”.

A Healthy Level Of Paranoia

My top 5 takeaways from listening to the Junseth podcast, and reading the Charlotte Cowles article, were:

  1. Scammers Are Everywhere: I often think of social engineering scammers or ransomware attacks as coming from overseas, such as eastern Europe… However, this scammer was right here in the U.S… He sounded like a polite, but cocky American teenager from California. What also surprised me (probably shouldn’t have) was the delusional and remorseless nature of this kid thinking that it was OK to scam people in this way and that going to prison was an acceptable risk compared to the rewards.
  2. Personal Data Is The Lifeblood Of Cybercrime: We’ve all become numb to our personal information being compromised in data breaches by big companies we “trust”. It happens every day… Unfortunately, social engineering scammers like “Daniel” pay for reams of your personal data on the dark web, or find it publicly, and systematically call, text and email people all day long posing as a company you work with, such as Google Support or Coinbase Customer Care. Don’t let yourself become brainwashed into thinking that your desire for privacy of your data is somehow “bad”… If you are not engaged in criminal activity, you have a right to the privacy of your data. There need to be greater consequences for companies that collect our data and let it be compromised and those people who would use it for criminal purposes.
  3. AI Is Automating Social Engineering Scams: Artificial intelligence is going to make all of this so much harder to detect and escape. During the Junseth podcast the scammer admitted that if someone doesn’t pick up the phone the first time, they’ll call back, taking turns with other members of the team to repeatedly switch up the voice and re-emphasize the “importance” and “urgency” of the call from customer care. Artificial intelligence tools can duplicate your voice with only a small amount of audio input, so these types of scams will be harder to escape. People have reported receiving fake “kidnapping” calls that mimic the voice of a loved one in distress.
  4. Don’t Tell Anyone: The Charlotte Cowles story describes how the hackers repeatedly told her NOT TO TALK TO ANYONE. The criminals reassured her that this was for her protection and the safety of her family… Being told that you can’t tell anyone about a fishy situation should immediately raise red flags for you.
  5. Inbound Is Unlikely: Companies rarely call you directly… It’s usually the other way around. If you receive an unsolicited call from anyone claiming to be from a trusted company, requesting that you share PII to “verify” your account, or that you do things involving your money or personal assets, you should be very skeptical and contact the authorities directly.

Just because you’re paranoid doesn’t mean they’re not out to get you…

Indeed, when it comes to social engineering in cybersecurity you should maintain a healthy level of paranoia about almost any media you see or hear, because it can be – and probably is – digitally altered in some way to manipulate you.

Footnotes

  1. The episode was subsequently taken down, but I’m including the original URL here… You can still find clips of the recording on X (formerly Twitter) if you search for “junseth” and sort by recent or latest. Just a heads-up: there’s some explicit language in the call.