Fraud Training: Interrogate the Enemy
During your fraud training exercises, fostering an attitude of curiosity (or in the corporate world, a culture of curiosity) is the most powerful critical thinking skill in your arsenal of tools to protect sensitive information. Employees who can think critically and ask the right questions regarding data privacy make up the fabric that supports a Culture of Privacy. Interrogation is the art of questioning someone thoroughly and assertively to verify intentions, identities and facts.
Questions: Who’s in Control? Can I Verify? What are my Options? What are the Benefits?
When spies need information, they ask for it. They “socially engineer” or con their victims with a variety of tools.
The primary tool for evaluating risk once your reflexes have been triggered (Hogwash) is to interrogate the person or institution asking for your information. Interrogation is not meant to be about forceful or physical questioning. I define interrogation as clear, aggressive questioning used to establish whom you can trust, how far you can trust them, and with what information.
Sticking with the language of espionage, an Enemy is anyone or anything (including a computer, fax machine, email, letter, etc.) requesting your information, information of someone you know, or information about your organization. It is not designed to make you confrontational or warlike – that is taking the metaphor too far. Once you have established a trusted relationship, you are no longer in enemy territory.
Social Engineering: Scams that play on your Human Emotion
If it seems too good to be true, it probably is. 
That is the best way to Think Like A Spy and be alert of Social Engineers that are trying to manipulate you. With such a gloomy economy and many people without work, offers for fast cash and huge discounts become more and more attractive. Most of these Identity Theft cases use the technique of Social Engineering.
Social Engineering is the act of manipulating people into performing actions or divulging confidential information by playing on their human emotions. The term typically applies to deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. These days most thieves can nab your identity over the phone, mail, email, and through social networking sites such as Facebook and Twitter.
While some schemes scam you into giving out social security numbers, bank account numbers or other confidential identity pieces, others are as simple as a pickpocket distracting you emotionally while another thief steals your wallet or purse. Here are what a few of the most widely used savvy cyber attacks look like:
- Phony charitable phishing scams, many of which are designed to look as if they come from real charities. Always enter in the exact URL for the Charity that you wish to donate to rather than clicking on a link.
Practice the Privacy Reflex
The Privacy Reflex
When I am training corporate executives, managers and employees to detect fraud and social engineering (manipulative information-gathering techniques), I take them through what it feels like to be conned. In other words, I actually socially engineer them several times throughout the presentation so that they begin to reflexively sense when more fraud is coming. There is no substitute for experiencing this first hand.
The Trigger—Requests for Identity
Spies are trained to instantly react when anyone asks for information of any kind, whether it is theirs or someone else’s. The trigger, or what causes you to be on high alert, is actually very simple—it is the appearance of your identity in any form (wallet, credit card, tax form, passport, driver’s license, etc.). Anytime someone requests or has access to any of the names, numbers or attributes that make up your identity, or to the paper, plastic, digital or human data where your identity lives, the trigger should trip and sound an alarm in your head.
When your identity is being requested in any way, slow down and ask yourself: Is the risk of giving this piece of identity away in this specific situation worth the benefit?
Facebook Exposes White House Party Crashers
Tareq and Michaele Salahi — Washington socialites are not just known for their possible roles in the upcoming “The Real Housewives of Washington,” but for being seen arriving at the White House State Dinner. The problem was that they weren’t on the guest list, but managed to work their way inside what is supposed to be the most secure party.
The couple took to Facebook to document their party-crashing, and on Wednesday, Michaele Salahi’s Facebook page included photos of the couple at the dinner. The Salahis weren’t exposed until journalists caught sight of pictures showing the Salahis posing with President Barack Obama, Vice President Joe Biden and others. In the aftermath, the security breach looked more like a publicity stunt than a security threat. The Secret Service admitted that they did not verify at each checkpoint that this couple was on the invitation list. In other words, they missed the second cardinal rule of security, Verify.
News stories like this bring Facebook Privacy into the spotlight once again. Facebook is becoming used more and more in legal cases and as evidence for both the prosecution and the defense. Last month, Facebook was used to prove that a crime suspect was posting a status message from his father’s apartment in Harlem and not mugging a victim at gun-point. The charges were immediately dropped.
Is Sarah Palin Safe? No. Identity Theft and Government Officals
You’ve probably seen in the news that a hacker gained access into Sarah Palin’s Yahoo.com email account. The hacker used a simple scheme and basic social engineering tools (research on Google and Wikipedia, common-sense guessing) to reset the password on the account and assume ownership of her email. [For a full account of how a professor, Herbert H. Thompson, used these tools to steal a friends identity (with their permission), visit his recent and extremely interesting article, How I Stole Someone's Identity and the companion radio interview.]
In addition to denying Governor Palin access to her own account, the hacker had full control to:
- Read every saved and current email in her account (hopefully she never sent her Social Security Number, passwords or account numbers via email, not to mention correspondence pertaining to her role as candidate for Vice President of the U.S.)
- Steal the email addresses and any other sensitive information stored in her contacts (John McCain might want to change his email address)
- Send out emails as if the hacker were Sarah Palin, or worse yet, send out official emails as Alaskan Governor, Sarah Palin
The potential for abuse is mind boggling. Sarah Palin should take immediate steps to protect her stolen identity and to secure her future privacy. Here are a sampling of the steps I would recommend:
Sileo In the Media
Privacy Project Newsletter
Tools and tips for bulletproofing yourself against identity theft, data breach and corporate espionage. Subscribe to the newsletter and get John Sileo's 7 Survival Strategies for Starving Data Spies for FREE!
