The year is 1990. The target is a rich builder who has just started his seventh project in the bustling city of Mumbai. As he reaches his new construction site in his sleek chauffeur-driven car, he fails to notice the young man at a tea stall a few shops down the road. The young man, and three others spread out around the site, however, make a mental note of what time he has arrived so that they can guess his pattern and convey it to their paymasters in Dubai.
In another part of the city, a duo on a motorbike is stationed outside the school that the builder’s 10-year-old son attends. Another man is keeping watch on the builder’s house, taking in the security there. A week later, the builder gets a call that starts by telling him his own and his family’s daily routine and ends with a demand for Rs 10 crore.

Fast forward to 2024. There are 12 people in the warehouse, all of them working on laptops connected to encrypted external hard drives and high-speed internet routers. Coffee and pizza are free-flowing as the hackers scrape all the available information on their targets through social media, professional networking websites, and any other online platform. By evening, the hackers have comprehensive dossiers on all employees of the cryptocurrency platform they are targeting.
The next day, an email domain similar to the target company’s business email domain is created, and emails written using AI-based language models are sent out to all employees. The emails carry a link, and the link hides malware, a malicious software programme. One of the hundreds of employees opens the link, thinking it to be a genuine email from a colleague, and just like that, the hackers are in. Around 48 hours later, millions of US dollars in cryptocurrency are transferred to accounts controlled by the hackers.
The process described in the first scenario was simply known as ‘information gathering’ or ‘conducting a recce’ of the target. In the age of cybercrimes, this same process has now evolved and been fine-tuned repeatedly, and is known as social engineering—using manipulation to gather information about a target and exploit it. In both the physical and virtual realms, the methodology is the same: gather information about the target and use it in the most effective way possible.
The earliest phishing rackets—tricking people into revealing personal information or clicking malicious links—were devoid of research. Cybercriminal gangs based overseas would send out thousands of emails with various themes—inheritances from dying kings of distant countries, lotteries in random lucky draws, customs or import charges on mysterious gifts received from unnamed benefactors, or a customised daily horoscope in exchange for a hefty payment.
Social engineering first came into play when phishing evolved into spear phishing, a targeted form of phishing in which attackers gather specific information about their victims and engineer the con to suit the intended victim, increasing their success rate. Hence, instead of sending out Facebook requests at random, sextortionists posing as women started taking a look at the ‘likes’ and ‘comments’ posted by men on photographs of other women before sending them friend requests. Overly ‘macho’ profile pictures, posts about one’s own virility, and extra efforts to impress women that would otherwise be regarded as cringe-worthy became other indicators of a target fit for sextortion. Then, phishing moved to the corporate space.
The evolved class of cybercriminals realised that companies held more money in their accounts than individuals did. But you couldn’t sextort a company. You could, however, fool those in the accounts department into thinking that they were making legitimate payments to genuine business associates. Around 2021, numerous cyber threat research agencies started noticing that phishing emails received by corporate employees were getting increasingly accurate—to the point of using the names of senior employees in the company to get payments released. Further research led to a scary revelation: spear phishing gangs were spending hours on LinkedIn to identify who their targets reported to and set up email accounts to impersonate these superiors.
Today, social engineering has become an even bigger, and scarier, monster. Last Wednesday, Penpie, a cryptocurrency platform based in the United States of America, disclosed publicly that they had lost over $27 million in cryptocurrency to a cyberattack. Subsequent research indicates that the hackers behind the cyberattack used social engineering to hack into Penpie employees’ emails and then worked their way to the server from there. This development is especially pertinent to India because, based on all the digital traces unearthed so far, Penpie seems to have been targeted by the Lazarus Group, a notorious North Korean state-sponsored hacking group. Lazarus is also credited with the WazirX hack in July, a major breach of a popular Indian cryptocurrency platform.
Apart from going after high-value crypto platforms, Lazarus has another signature move: social engineering. A different form of social engineering is used by pan-Asian gangs that trawl through job portals and lure jobseekers with attractive offers in foreign countries. In reality, these jobseekers are trafficked into Vietnam or Myanmar, where they are made to perpetrate cybercrimes like investment fraud and dating app fraud. The ‘recruiters’ pick out those looking for IT jobs abroad, tailor the offer to their expectations, and come out with a dream offer.
The solution? 500 per cent extra vigilance. It is high time we stop patting ourselves on the back and claiming that all our data is secure. It is the age of the internet. Privacy is a myth. Personal data is leaked from a hundred different repositories every day and sold on the dark web. Hence, check incoming emails—and the sender’s email ID—carefully, make 10 calls before releasing a payment, Google the name of the company offering you that dream job, and don’t fall for that woman on Facebook, no matter how alluring her display picture is.
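The lookalike-domain trick in the warehouse scenario and the advice above to check the sender’s email ID carefully can be turned into a routine check. The following is an added example, not code from the column or from any of the companies it names: it takes a constructed From: header, pulls out the sending domain, and reports whether it is the organisation’s own domain, a lookalike (same name on another TLD, confusable characters such as “rn” for “m” or “0” for “o”, or one typo away), or simply an outside domain. The trusted domain and all sample headers are invented for the example.

```python
import re
from difflib import SequenceMatcher

# Assumed trusted domain of the organisation (constructed, not a real company).
TRUSTED_DOMAINS = {"examplecrypto.com"}

# Character swaps that make a registered lookalike read like the real name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def extract_domain(from_header):
    """Return the lowercased domain from a header such as 'Name <user@host>'."""
    m = re.search(r"<?[\w.+-]+@([\w.-]+)>?", from_header)
    return m.group(1).lower() if m else ""


def normalise(text):
    """Undo common confusable spellings: 'exarnplecrypt0' -> 'examplecrypto'."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for one From: header."""
    domain = extract_domain(from_header)
    if domain in trusted:
        return "trusted"
    label = domain.split(".")[0]          # part before the first dot
    for t in trusted:
        t_label = t.split(".")[0]
        # Same name on another TLD, or the same name once confusables are undone.
        if label == t_label or normalise(label) == t_label:
            return "lookalike"
        # A single-typo variant (e.g. swapped letters) scores close to 1.0.
        if SequenceMatcher(None, label, t_label).ratio() >= 0.85:
            return "lookalike"
    return "external"


def flag_suspicious(headers, trusted=TRUSTED_DOMAINS):
    """Return (header, verdict) for every header that is not from a trusted domain."""
    flagged = []
    for h in headers:
        verdict = classify_sender(h, trusted)
        if verdict != "trusted":
            flagged.append((h, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample headers, as they might appear in a mailbox export.
    sample = ["Finance <accounts@examplecrypto.com>",
              "CEO <ceo@exarnplecrypt0.com>",
              "CFO <cfo@examplecrytpo.com>",
              "Vendor <billing@acme-supplies.net>"]
    for header, verdict in flag_suspicious(sample):
        print(f"{verdict:9} {header}")
```

A verdict of "lookalike" is the cue to make the phone call the column recommends before acting on the email; "external" merely means the sender is outside the organisation.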
Zero-Trust Policy, a security framework that assumes all users and devices—inside or outside a network—cannot be trusted without verification, isn’t just a cool phrase cyber experts like to throw around. It may be the only thing standing between you and certain disaster.