What makes a great spy? Great operatives display key characteristics which enable success, such as being sociable, professional and discreet. To obtain information, they need to cultivate genuine, personal relationships while maintaining some degree of impartiality. People need to feel that close associates care about them as individuals, understand the trials and tribulations in their lives and, as they convince them to undertake things they should not do, cultivate a sense of shared excitement while downplaying the risks.
Spies are constantly looking for those with access to information otherwise difficult to obtain, then building relationships to obtain that information. The best spies are those we see as “people persons” — able to chat up anyone they meet and get them to do the talking. These are people with whom you instantly feel comfortable being around. And how do they get people talking? They demonstrate this caring attitude from the start to get you to open up about yourself. Why? Because the subject matter we know the most about and feel most comfortable talking about is ourselves!
Spying has gotten a whole lot easier through social media and social engineering. Social media provides a psychological outlet to tell the world about ourselves. It opens an unrestricted forum where people really want to know about me! Since most of us define ourselves based upon our work, hobbies or friends, it’s easy for those seeking to do us harm to select key traits which they hope will give them access to our personal or work information. These people are masters in the art of social engineering, or designing traps based upon “trust” to manipulate unsuspecting targets into providing access to private, confidential information.
In the cybersecurity world, we use the term “phishing” to describe general attempts by a hacker to gain access to our bank accounts, passwords and private information. By pre-identifying information about their victims such as their bank, hackers can devise a targeted email with the bank logo and quick links for login, then manipulate us into responding and providing them with our account information and passwords. This targeted attack is known as “spear phishing,” as they already have some idea of the target’s characteristics and design a trap specifically for them.
Other criminals are using “catphishing” scams, building false identities to develop romantic connections with unsuspecting victims. In this scam, the catfisher builds a beautiful online presence with a very attractive picture and a great profile and, through his/her skills, becomes a smooth talker/chatter, preying on the vulnerable victim. In some cases, requests to meet this wonderful person are met with difficulties which can only be overcome if the victim sends them a “temporary loan” to pay for tickets and hotel. After the money is sent, “ghosting” occurs, where the site and the person disappear into thin air.
In other cases, victims may actually meet the catfisher who turns out to be a blackmailer, sexual deviant, or even a white slave trader, convincing his victim to go with him, where the victim is then forced into prostitution or slave labour. In all cases, the catfisher is looking to exploit his victims who far too often are children, teenagers, and women.
Catphishing is also used for corporate crime and espionage. The victims may be targeted for their association with a particular business or government organisation. Once contact is made, the attacker can install malware on the victim’s work computers through their digital interactions. This can include keystroke loggers, trojans, worms, viruses, and ransomware.
The catfisher can also use old-fashioned espionage tricks by getting to know their victims, asking probing questions about their work areas and using any information available to blackmail their unwitting victims into committing corporate or government espionage.
Social media engineers are not just interested in money and access to your accounts for quick gain and identity theft. They often seek to exploit us in other ways. Some terrorist and criminal organisations seek to recruit unsuspecting people to join their effort through social media. This technique was used by terrorists to recruit new members, including Hoda Muthana, a 19-year-old US girl who was recruited by IS to join its cause in Syria. Muthana then used social media to recruit others to the cause.
Others have used colluding attacks through unwitting Facebook friends to target potential victims who may be in the same social circle for financial gain, espionage or other nefarious acts. While one person may receive the friend request, the actual target may be several “friends” removed from them as the attackers work their way through your associated friends until they find the perfect victim. You wouldn’t turn away a “friend of a friend of a friend,” would you? Maybe you should!
To protect yourself, look for and avoid social media contacts with these characteristics:
Extraordinary online profiles that are just “too good to be true.” This may include an unusually high number of academic degrees or certifications, extraordinary achievements, and other unusual measures of career success, in addition to highly attractive photographs of the individual. These people will also rarely if ever have pictures in their profiles with other people or groups.
Social media contacts who will not meet you in person and offer excuses for not doing so.
Contacts who want to meet you alone in areas where you may be abducted. Always go with a trusted friend for any initial meetups.
Inquisitive contacts who immediately try to uncover your home or work address or ask far too many personal questions about you, your family, your work or your friends.
(Iyengar is University Distinguished Professor and Director, School of Computing and Information Sciences, Florida International University (FIU), Florida; Madni is Distinguished Adjunct Professor, Electrical and Computer Engineering Department, UCLA; Miller is Associate Director, Robotics and Wireless Systems at Discovery Lab, FIU)