This guest post comes from Peter Warmka, a retired senior intelligence officer with the U.S. Central Intelligence Agency (CIA) where he specialized in clandestine human intelligence collection. With 20+ years of breaching security overseas for a living, Warmka is now dedicated to educating businesses and individuals about human hacking and AI threats.
Throughout my life, I have always believed that human psychology should be considered a core competency within our educational system. It not only helps us in our day-to-day interactions with people; it also helps us better understand ourselves. What truly drives us? What are we seeking? What are our motivations and vulnerabilities?
The reason why today’s fraudsters can successfully conduct multi-million-dollar data breaches of corporate IT networks or defraud people, especially the elderly, out of their life savings is that they understand us better than we understand ourselves. We shred our privacy and expose our inner selves by the information we share on social media.
Have you ever thought about what can be learned from our profiles? Let me give you examples from four different platforms:
- LinkedIn: a resume on steroids! Our academic and work history, professional associations we belong to, certifications and licenses, volunteer work (our passions), network of contacts, etc.
- Facebook: our hobbies, interests, favorite books/movies, favorite sports teams, favorite food/beverages, travel history, future travel plans, pictures revealing our socioeconomic status, etc.
- Twitter (X): access to our mind, what we are thinking about, political leanings, religious convictions, opinions, pet peeves, etc.
- Instagram: pattern of life, our routine as shown by the pictures we post: going to the gym, spa, happy-hour locations, etc.
With this assessment information, a social engineer can identify our motivations and vulnerabilities such as the importance of family, career, luxury goods, social status, financial stress, hate/revenge, ego, and addictions of various types. These motivations and vulnerabilities are then leveraged in their approach to us. That approach can be via email, text messages, social media platforms, telephone calls, and even face-to-face encounters.
The element of human psychology that these scammers most leverage is our tendency to trust anything and everything that is conveyed to us, whether in written format or spoken word.
This blind trust is what leads people to fall for romance, impersonation, and investor scams. While scammers have always devised innovative schemes leveraging blind trust along with influence factors such as scarcity, fear, authority, reciprocity, and liking, the advent of artificial intelligence (AI) is already widening the playing field for the wolves to the detriment of the innocent, yet naive, lambs.
Let me give you an example:
“Vishing” is a popular technique in which fraudsters telephone a target while pretending to be whoever they want to be. They could impersonate law enforcement, someone from social security, the bank where we have our account, a streaming service provider, the school our children attend, etc. For years they have utilized call spoofing, where the caller ID shown for the incoming call is actually the phone number of the impersonated party. This adds credibility that they are who they say they are. Today, with AI voice cloning, these calls are also conducted by the fraudster using the voice of someone we may know and trust. Their goal is to deceive us into effecting a fraudulent payment, believing that it is a request from our boss or a demand from the kidnappers of a loved one.
While these cons are on the rise, we do not hear or read very much about them. The reason is that victims tend not to report them out of fear of embarrassment.
I strongly encourage victims to share their stories as this helps raise awareness and hopefully protect others from falling victim.
In addition to minimizing the amount of information we share about ourselves on social media, we need to exercise more critical thinking as it pertains to potential approaches used by fraudsters, whether through email, text message, social media, telephone calls, or face-to-face. Can we blindly trust that they are who they say they are? We must first determine what their “ask” is and what the outcome might be if we blindly comply with the request to provide sensitive personal information or make a payment to them.
If blind trust could lead to a potentially detrimental outcome, we must first “verify, then trust.”
Following this added step will significantly reduce any possibility of being deceived. Security is never convenient, but neither is falling victim.
Peter Warmka is founder of the Counterintelligence Institute. He is a sought-after speaker and the author of two books: Confessions of a CIA Spy: The Art of Human Hacking, and Why Are You Messing With Me? Senior Survival Guide on Fraud, Privacy, and Security.
* Listen to Peter Warmka and Johanna McCloy’s conversation about their respective CIA-related lives and books, recorded in September, 2021. *
Great piece. I especially like the mantra “verify then trust.” These days we all have to adopt the ethos of a journalist – or an x-spy!
Yes, indeed. Ain’t nothin’ wrong with verifying someone’s identity and ask, before taking any action. As the expression goes, “better safe, than sorry.”