up:: [[Social Engineering Techniques|social engineering]]
# Major Lessons Learned from Rachel Tobac on Social Engineering
## General Principles
1. **Thorough Reconnaissance is Crucial:**
    - Spend ample time (up to a month) gathering detailed information about the target.
    - Understand the company structure, key personnel, and internal processes.
2. **Crafting Convincing Stories:**
    - Develop believable scenarios and backstories to gain sympathy and cooperation.
    - Use emotional appeals and urgency to prompt immediate action from targets.
3. **Exploiting Human Psychology:**
    - Leverage trust, authority, and fear to manipulate targets.
    - Build rapport through personalized interactions.
## Specific Techniques
### New Employee Ruse
4. **Posing as a New Employee:**
    - Posing as a new employee allows for asking numerous questions without raising suspicion.
    - This tactic is effective for gathering sensitive information within a corporate environment.
### Chat-Based Approach
5. **Initial Contact via Chat:**
    - Use chat services to pose as a customer needing urgent assistance.
    - Aim to change the registered email or phone number to gain administrative access.
### Phone Call-Based Attack
6. **Phone Call-Based Attack Benefits:**
    - Less of a digital paper trail.
    - Ability to build rapport through voice, making it easier to sound trustworthy and persuasive.
7. **Using [[Caller ID Spoofing]]:**
    - Caller ID spoofing is easy and cheap to do with readily available apps.
    - Effective for impersonating customers during [[Social Engineering Techniques|social engineering]] attacks.
8. **Creating Emotional Appeals:**
    - Use scripts that elicit empathy and urgency, e.g., posing as a stressed traveler needing access to funds.
9. **Limitations of Phone Spoofing:**
    - Cannot receive text messages.
    - If the bank calls back, it won’t reach the attacker’s phone.
    - Spoofing only mimics the displayed caller ID; it gives no actual access to the number.
### Overcoming Verification Challenges
10. **Providing Fake Documentation:**
    - Use photoshopped documents for additional verification when required.
    - Recognize that institutions often do not thoroughly verify details beyond matching names and addresses.
### Investigating Insider Threats and Leaks
11. **Posing as a Journalist:**
    - Create a fake journalist identity to gather information about sensitive company activities.
    - Use direct messaging, emailing, and texting to contact potential insiders.
12. **Exploiting LinkedIn:**
    - Use LinkedIn to identify key personnel with relevant skills and roles.
    - Target individuals likely to have access to sensitive information.
13. **Exploiting the Hiring Process:**
    - Apply for jobs to use the hiring process as a way to gather information about company activities and technologies.
    - Create convincing fake profiles with resumes, LinkedIn, and other social media accounts.
    - Ask targeted questions during interviews to extract sensitive information.
### Using AI to Trick Individuals
14. **Voice Cloning and Spoofing:**
    - Use voice cloning tools to mimic a target’s coworker’s voice.
    - Create plausible scenarios requiring the target’s cooperation.
15. **Creating Plausible Scenarios:**
    - Develop scripts that are direct and to the point to minimize follow-up questions.
    - Time the spoofed call for when the target is available.
## Defensive Measures
16. **Identify Edge Cases:**
    - Understand scenarios that could be exploited.
    - Prepare responses for unusual or suspicious requests.
17. **Implement Callbacks:**
    - Verify the caller’s identity through a callback system to thwart spoofing.
18. **Email Verification and One-Time Passwords:**
    - Verify identity through email confirmation and one-time passwords rather than trusting the request on its own.
19. **Use Two-Factor Authentication (2FA):**
    - Replace knowledge-based authentication with more secure methods.
20. **Service Codes, PINs, and Verbal Passcodes:**
    - Add layers of security for account access.
21. **Involve Management:**
    - Loop in higher-level personnel for internal support tickets and sensitive requests.
22. **Educate Employees:**
    - Train employees to recognize [[Social Engineering Techniques|social engineering]] tactics.
    - Promote a culture of skepticism and verification for unexpected requests.
23. **Regularly Update Security Protocols:**
    - Stay informed about the latest [[Social Engineering Techniques|social engineering]] techniques.
    - Continuously improve and adapt security measures to address new threats.
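The callback, one-time-password, verbal-passcode and management controls above, written out as a support-desk verification policy. This is an added Python example, not from the podcast or this note; the request fields, action names and decision values are assumptions, and the scenario data is constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"
    CALLBACK_REQUIRED = "callback_required"   # call the number on file before anything else
    ESCALATE = "escalate"                     # loop in management
    DENY = "deny"

# Requests that change how an account is reached or recovered; the chat-based
# approach above targets exactly these (hypothetical action names).
SENSITIVE_ACTIONS = {"change_email", "change_phone", "reset_password", "transfer_funds"}
# Of those, the ones where a manager must sign off (assumed policy).
MANAGEMENT_SIGNOFF = {"change_phone", "transfer_funds"}

@dataclass
class Request:
    action: str
    caller_id: str              # number displayed on the inbound call; spoofable, so untrusted
    number_on_file: str         # contact number stored before this request arrived
    answered_kba: bool = False  # knowledge-based answers (name, address); public or forgeable
    callback_completed: bool = False  # agent hung up, dialled number_on_file, reached the customer
    otp_verified: bool = False        # one-time code sent to the contact on file was read back
    verbal_passcode_ok: bool = False  # customer-chosen passcode / service PIN matched

def verify(req: Request) -> Decision:
    """Decide how a support agent should handle the request.

    Caller ID and KBA answers are deliberately never consulted: spoofing apps set the
    displayed number, and names and addresses are exactly what forged documents supply.
    """
    if req.action not in SENSITIVE_ACTIONS:
        # Low-risk actions still need a possession factor, not just a plausible story.
        return Decision.APPROVE if (req.otp_verified or req.verbal_passcode_ok) else Decision.DENY
    if not req.callback_completed:
        # A spoofed caller cannot receive the callback, so this step is what breaks the attack.
        return Decision.CALLBACK_REQUIRED
    if not (req.otp_verified and req.verbal_passcode_ok):
        return Decision.DENY
    if req.action in MANAGEMENT_SIGNOFF:
        return Decision.ESCALATE
    return Decision.APPROVE

def spoofed_caller_example() -> Decision:
    # Constructed scenario: caller ID matches the number on file and every KBA answer is
    # correct, which is exactly what a cheap spoofing app plus reconnaissance produces.
    return verify(Request("change_email", caller_id="+15551230000",
                          number_on_file="+15551230000", answered_kba=True))
```

The spoofed caller gets `CALLBACK_REQUIRED` no matter how convincing the story, because the only signals the policy accepts are ones the attacker does not control.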
[Original Podcast](https://open.spotify.com/episode/6nPX7nFtocIK4Yqz28jQQ8?si=vzYOiAB9RQCUUNo_34XXrQ)