When Social Engineering Meets Sherlock Holmes

When Social Engineering Meets Sherlock Holmes

‘Tis the season of social engineering…or is it?

Truth be told, social engineering perpetrated by bad actors never takes a holiday, which means there is no one season where it’s more prevalent than another. Social engineering and its puppet masters adapt to us and our changes in the same way we adapt to the weather. When it gets cold, we put on a jacket; when it’s tax season, social engineering will ask for your W2 information. It’s a master of disguise, which is where its effectiveness lies.

In the past few years, the world has seen social engineering take on a few of these seemingly ordinary, yet questionable forms: text messages from executive team members asking staff to call them back, emails from senior staff asking for a wire to be processed, emails from credit unions asking to verify account details, messages from the IRS asking for tax information, inquisitors asking for gift cards as a form of payment and pop-ups on websites alerting of viruses or malware.

During the pandemic (and this applies to any hard time, really), bad actors ramped up their activity to take advantage of widespread financial struggles to the tune of a 69 percent increase in cybercrimes between 2019 and 2020, according to the FBI’s Internet Crime Compliance Center. We’ve even heard reports of bad actors posing as repair technicians and carrying out their attacks in person, hiding in plain sight.

These are just a few scenarios that have befallen financial institutions. Remember that we’re a major target in the social engineering world because of our direct access to money and people’s sensitive financial data.

That’s the bad news.

The good news is that there’s an infamous literary sleuth (in a dashing hat, might I add) who just may hold the inspiration for your social engineering preparations. Yes, I’m talking about the whimsical, offbeat and ingenious Sherlock Holmes. Now if you’re wondering what in the world Sherlock Holmes has to do with social engineering, let me show you the reasoning behind the madness.

You see, most social engineering attempts can be thwarted by three simple strategies that Sherlock Holmes would certainly approve of:

Gather the facts before anything else. First things first, slow down and ask yourself a few questions. Context clues can go a long way in helping you solve the social engineering puzzle. Think back to your early education days and remember the five Ws and one H – who, what, when, where, why and how?

For example, if the CEO is texting you, let’s consider the WHO – who is it that you’re talking to? The texter says they are your CEO, but is it really? If you have a company-issued mobile phone and text with the CEO from time to time, all the legitimate messages from that person will all show up under the same text chain, never from a random number.

Now for the WHAT – what are they asking me to do? If there is something important enough for the CEO to reach out to you by text, they will probably not be asking you to call them back. They will call you directly or contact your supervisor.

How about the WHEN – when did this text message arrive? If the CEO sends you at text message from an unknown number at 2:00 p.m. on Tuesday, is that perhaps a little strange? There are so many more effective ways to get in touch with a staff member in the middle of a workday. In-office messaging, email and direct phone calls are just a few ways that would make more sense.

Next, determine the WHERE – where does the CEO want me to call them back? If they have a company-issued mobile phone, company-issued email, company-issued desk phone number, calling them back at an unknown number should indicate some red flags.

Then there is the WHY – why is the CEO reaching out to me? In a typical corporate environment, there is a hierarchy with the CEO at the top, then other executives, then directors, then middle management and so on. The further removed you are, the less likely the CEO would be to reach out to you directly, right? There is a reason for the chain of command in every department and throughout the company, so this scenario is somewhat suspicious.

Finally, we get to the HOW – how did the CEO get my number? If you have company-issued mobile phone and do not text with the CEO, or got a random text from them on your personal phone, ask yourself…how did they get my number? The CEO likely has other pressing matters to attend to rather than looking up your personal mobile number.

This process of questioning things is the same as looking for red flags in an email. If one red flag does not make a bad email, then the same can be said here. One good answer to one of these questions does not make a good situation. When these kinds of situations come up, do your best Sherlock impression and work through the questions to get a better sense of the safety of the situation.

Get your members involved. If your credit union is a target, so are your members. That means educating them on social engineering tactics and prevention is just as important as educating your staff. They, too, are participants in the bad actors’ twisted games, and they should know how to play.

How can you do that? For one, keep social engineering top of mind for members. Display messages on your website (and update them often so the idea isn’t static), send emails about recent scams and even host seminars about social engineering. Give members the opportunity to learn all that they can to protect themselves and your credit union from becoming victims.

However, if a member does fall victim at some point, kindly and gently enlist their help. Yes, they are going to be going through several emotions of anger, guilt, embarrassment, grief, etc., but they also have key insight that can help all parties learn from the situation and maybe even put new policies in place to, hopefully, avoid future losses.

Become a bad actor…for good! In other words, do a little undercover brain work and think like the people behind the social engineering attacks. Try to put yourself in their malicious mindset and go through their motions. They don’t just randomly pick a name and an institution to target – they study their prey like lions in the tall grass, so do the same to them.

This is another place where that first-hand experience from members who have been victims of social engineering attacks would be incredibly helpful, as they were an integral part of the bad actor’s process. In the end, these steps may provide some foresight into future attacks and actions you can take as a credit union to be a step or two ahead.

It might seem like a “curious” crossroads between social engineering and Sherlock Holmes, but often times, it’s the roundabout road that leads us to an exceptionally satisfying outcome. So, with these tactics in your social engineering arsenal, I invite you to put on your tweed deerstalker hat, pick up your spy glass and try your hand at being a sleuthing extraordinaire. The results may just be anything but “elementary.”


Mike Bechtel is an information security analyst for Vizo Financial Corporate Credit Union. As such, he provides incident response planning services, information security risk assessments, security awareness training, social engineering and vulnerability testing and reporting and information security-related consulting services to credit unions.