Social engineering is a fascinating and diverse attack vector because it exploits human nature, and people are generally predictable in their responses. We focus on malicious social engineering, especially when it facilitates cyber attacks upon organisations. However, social engineering and its precursor, the good old ‘con’, are alive and kicking out there on the street if you look for them! Here are a couple of examples I witnessed first-hand on a recent trip to Italy.
The Italians are kings of social engineering - I can say this because I am half Italian! They are great at turning on the charm to bypass our defences, and the inhabitants of Naples (Napoli) seem particularly capable.
Napoli has a reputation both in Italy and internationally, and it isn’t a hugely positive one. It is the HQ of the Camorra, one of the largest mafia groups in Italy and by far the most violent. This is in part where Napoli’s notorious reputation comes from, but other things contribute: driving on pavements to avoid traffic lights, pickpockets, and scooter-facilitated high jinks with tourists. I love Napoli, the city feels alive like many others do not, but if you visit Napoli you should have your guard up and be alert.
Okay, scaremongering over. This article isn’t about all of that. It is about some of the crafty Neapolitan tricks used to part unsuspecting tourists from their money. Some of them are masterfully executed, and all of them serve up lessons we can learn to keep both ourselves and our companies more secure. Here are two of my favourites.
Hustler #1 “The Pompeii Guide”
Napoli is situated at the foot of perhaps one of the most famous volcanoes in the world, Mt Vesuvius. The active volcano last erupted in AD 79 laying waste to everything in its path, including the town of Pompeii - now a popular tourist destination. The easiest way to get there is to take the train from Garibaldi Station, down the coast towards Sorrento.
Fresh faced tourists from across the world stream through this station like salmon swimming upstream, pockets bulging with crisp euros. What scammer wouldn’t want to dip a toe?
Enter Giovani (or so we shall name him) a smartly dressed gentleman holding a clipboard in one hand and a pen in the other. He has a brown satchel slung over his shoulder and a badge pinned to his breast embossed with the word "Pompeii". Giovani has his pseudo-tour guide pretext well established.
As unsuspecting tourists filter down onto the platform he approaches them, pen in hand, and asks: “Are you going to Pompeii?” The tourists, noting his official appearance and all-important clipboard, respond: “Yes, we are”. Helpfully and authoritatively he reassures them: “The train to Pompeii will be here in 15 minutes, and comes into this platform on your right” – he gesticulates to the platform they are standing on. “It will be the 7th stop and you want to be in the first 4 carriages for Pompeii”. He then raises his right hand towards the far end of the platform and says “I am asking all my Pompeii groups to gather at the end of the platform to make sure they get on the correct carriages”. He makes some ticking motions with his pen on the clipboard as if he is marking off their arrival, and then asks them for money by holding his hand out.
I watched this spectacle repeat itself more than a dozen times. Every time it worked, every time they obeyed and every time they handed over money. The tourists were generous too: a handful of coins or a 5 or 10 Euro note. One couple came and stood next to me on the platform. They were British. “That was good,” one of them said. “Yes, he was very helpful,” her partner responded, “I wonder why we don’t have them in England?” I stood there pretending I didn’t speak English in order to eavesdrop on their conversation. They felt that they had received a good service from Giovani. They were satisfied with the deal they had struck, and they certainly didn’t think they had just been conned, even though 15 seconds of prepared script by Giovani had cost them more than the 3 Euro 50 cents fare from Naples to Pompeii.
Why did this work?
- He looked the part: The tourists looked at his clipboard and his Pompeii badge and assumed he must be someone from the local tourist office. A classic disguise to get into office buildings is to dress like a cleaner, carry a vacuum cleaner and start “cleaning” the reception area before asking the receptionist to let you into the main building.
- He targeted tourists who looked nervous: He needed to target people who looked unsure of where they were going. People coming onto the platform who were walking purposefully and with their head up and shoulders back were ignored. Every social engineer will know that there are certain people you target and certain people you don’t. The more alert and confident you look, the less appealing you will be to a social engineer!
- He was confident: There was no doubt in his execution. He had confident body language and delivered his opening comment with authority. Human beings are much less likely to challenge someone who is confident and authoritative. In most parts of the world we are taught from a young age to respect authority. Giovani uses this to gain compliance from the tourists. Watch out for this being used in phone-based attacks too.
- He relied on reciprocity: The principle of reciprocity is fascinating to me. It is well established that we, as human beings, feel compelled to return favours. Giovani was helpful to the tourists: he took the time to “do them a favour” and guide them to the right place. He then asked them to return the favour, by paying. This works with physical social engineering attacks too. Let’s say I know that in your office the first external door is unlocked and the second requires a swipe card to open. I walk slightly ahead of you. I will open the first unlocked door and hold it open for you. I let you go through and now you come to the locked door before me. You will likely reciprocate and open the locked door and hold it open for me. The really fascinating thing about reciprocity though is that when you return the favour to someone you will always be left feeling like it was your choice and the right thing to do. So it was with the tourists on the platform, who felt like the exchange was positive.
What you can do
- Look confident: Head up, shoulders back and walk with purpose. It makes you look like you know where you are and where you are going. It also appears like you are aware of what is going on around you so you would be harder to target.
- Beware of people in the office you don’t recognise: If you don’t think someone should be in the office challenge them. If they are there legitimately nobody will be offended.
- Be cautious: Think before accepting gifts or favours from people you don’t know and be aware that you will likely feel obliged to return the favour.
Hustler #2 - The Special “EU Pizza Tax”
I was sat in a restaurant looking out onto the bay of Naples. The sun was shining, and I was enjoying the lunchtime wine and fresh food. There were many tables of tourists in this restaurant owing to the excellent waterfront location. The interactions between the Neapolitan waiting staff and the tourists caught my attention. The staff would bring out a small glass of prosecco to every customer as they sat down. This sets the tone for the meal and is seen as a nice “favour” that will be played upon later. The customers order their pizzas and wine, beer or more prosecco. The waiting staff are charming, helpful and spend time joking with the customers. When the time comes for the bill, the waiter first brings out a small taste of cake - “compliments of the chef” - for each customer. How lovely! He then presents them with the bill. As he hands the bill to them he starts talking to them about Napoli, the sights, the weather and Neapolitan life. He points on their tourist maps where they should go and how to get there. How helpful. He uses the same spiel over and over. It starts off lovely and descends into how tough life is in Napoli, unemployment is so high and there are just no opportunities. He is distracting them from what is written on the bill. He then asks for a tip, and all the customers oblige. He is easily making 10 Euro per table.
The key to the waiter’s success is his charm, his smile and the “added value” of the information he is dishing out with the bill. Why bother distracting you like this? Well, for a start, he’d rather that you didn’t notice that the complimentary Prosecco and cake were not quite so complimentary as you might have expected, but that is not all. On the bill there is an additional service charge, labelled as “Service charge (EU Tax)”. When he asks for a tip a few of the customers correctly point out that there is already a service charge on the bill. The waiter responds in a downbeat fashion that this is not really a service charge but a new EU Pizza Tax that gets applied on all Pizza orders. He adds that neither he nor the restaurant see a penny from this. This is accepted without question for 100% of the tables. (Just in case you are wondering, there is no “EU Pizza Tax” in existence.) It is the service charge. In effect you pay the tip twice. You are probably reading this thinking how stupid people are to not see through it. Well, there is a reason for that. You haven’t been subjected to his charms, his generosity and his emotionally fuelled honest account of Neapolitan life. You are also not there in the sun soaking up a truly beautiful panorama. All these things aid in establishing compliance with his requests.
Why this works
- Reciprocity: The waiter has given you two “gifts” that at the time you believed were free. He has given you helpful advice on what sights to visit and how to navigate the chaotic public transport system. All of this buys some good will and so when he asks for his tip you “return the favour”.
- Social proof: The tourists watch other tourists handing over money for tips and the grateful waiters that receive them. If in doubt human beings look to what other people are doing, and copy that. In a social engineering penetration test it is a useful tool too. Let’s say that I call you up at work and I am asking some questions about a piece of software you use. I might say that when I spoke to a few of your colleagues they were telling me that you were using X, Y and Z and that you were having trouble with your antivirus. This is important because it tells you that your colleagues trusted me enough to talk openly with me, therefore it is safe for you to do the same. It also tells you that if you get into trouble for telling me these things there will be a few other employees in trouble too. We feel happier being in trouble as a group than as an individual.
- Authority: The tourists are strangers in Napoli. They don’t know the city, and they almost certainly don’t understand Italian business and tax rules, so they are in a weakened position. The waiters hold a position of authority in this scenario. For the most part human beings want to comply with requests from people in authority. We are less likely to challenge a request made by our boss than we are one made by a colleague in an equal position. This is easily exploitable by the social engineer and is the reason CEO fraud is so effective. CEO fraud describes the situation when an attacker contacts you pretending to be your boss or a high-ranking manager. They will ask you to disclose information or transfer money or data into an account. Despite victims always reporting that they thought it was a strange request they still comply without question because of the authority that person has. The more hierarchical a company is, the bigger the risk of being attacked in this way.
What you can do
- Double check: Get presented with a strange sounding scenario? Google is your friend. A quick search would reveal no commentary on the pizza tax. You should read up on places you visit. There are lots of comments on TripAdvisor on scams that get played out in cities around the world. If you are at work and receive an odd email from your boss call them and clarify. If anything, they will be impressed at your due diligence and security awareness.
- Gifts and reciprocity: “Nothing in life is truly free”. Remember that complimentary gifts, favours and unsolicited advice are going to make you feel compelled to reciprocate. Be aware of this as you enter situations with people you don’t know.
- Money makes you a target: I travel a lot as a speaker and one thing that I notice a lot is that tourists carry a large amount of cash with them that they then seem to count out in public when paying for things. This reinforces to the person you are paying that you have plenty of cash. Most countries in Europe operate on a fairly cashless basis nowadays. If you don’t want to face bank charges you can preload cards with money to pay with, making you look more of a mystery and also potentially appear like more of a seasoned traveller. You also have a polite excuse for not being able to part with cash for whatever reason, because you don’t have any cash on you!
Although these examples are low level scams that are amusing to watch, the principles behind them are used every day by cyber criminals to gain access to your company or home devices. There is no easy patch for social engineering, no easy endpoint solution. The consequences of a social engineering facilitated attack are serious and your options for automated defences have limited scope. The best defence is to develop your awareness of the tactics used, how to spot them and how to make yourself and your company appear to be a less attractive target.
Want to learn more about social engineering? Check out our GCHQ certified course.