A scam of this kind uses fear to make people act irrationally. It's an extreme example of getting people to worry so much that they just stop thinking. All the stress levels go way off the scale, and you're no longer able to rationally decide.
Later in the show, my colleague and our Chief Hacking Officer, Kevin Mitnick, described telephone pretexting. He pointed out that while phone companies have improved their authentication methods over the years, these attacks are still very effective.
“Organizations are commonly still pretexted as we sit here, and that is a very strong form of social engineering because we get instant compliance,” he said. “So if I can call somebody up at the company, pretend to be from IT, call somebody that I know is not technically astute, have them enter one command into their computer, and they don't understand what they're entering but they believe it's going to fix a problem - and then you get instant access. And that, in some cases, is much better for the attacker than waiting for someone to open up an email.”
John Boyd would have said that pretexting works when the victims let the attackers push them to observe and act, without orienting and deciding.
Attackers have an endless variety of social engineering attacks at their disposal. New-school security awareness training can give your employees the knowledge they need to recognize the fundamentals of these scams, no matter which form they take, and to stay inside the attackers’ OODA loop.
It was a great conference, and we hope to see our colleagues and friends again next year at KB4-CON. You can listen to all of our fun conversation with the CyberWire on this special episode of Hacking Humans:
Listen here! https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-05-16.html#.dpuf