Operational Psychology - Social Engineering
“Social Engineering is everywhere, in religion, in advertising and in our personal relationships...”
Modern ‘Operational Psychology’ and ‘Social Engineering’ were born out of World War II and have been at the centre of intelligence gathering and latterly of corporate or industrial espionage for many, many years.
“You may think that you have not come across ‘Social Engineering’ before, but you have, it’s all around you, in the supermarket, in the home and in Religion”
Social Engineering is all about getting yourself or someone else to willingly do, say, buy, or like something or to have a particular opinion on an issue. It is a very simple human psychology that when refined and used within espionage can produce outstanding results time and time again.
Most academics and experts will agree that it was the Russians that spent the most time exploring Operational Psychology and Social Engineering during the early stages of the Second World War; sure Social Engineering had always existed, the earliest form and perhaps the most successful even today is of course the use of sex either in direct payment for information or as a form of getting close to a target to have them feel at ease so that they volunteer that information (pillow talk). Easy, cost effective (quick) and done right, you can keep going back for more information. In war as in business, information can come easily and at the right price.
Targeting an individual for corporate espionage purposes
The digital revolution or age of the internet and growth of social networking has allowed a huge increase in the amount of quality information in cyber space on most (normal) people and on companies; making in some cases quite complex and brazen Social Engineering far easier. Ironic when many complain about government snooping and privacy, that most people produce vast amounts of information on social media, the “(active) Digital footprint”.
Numerous large corporations do not have a social media strategy and have a lack of understanding towards internal and external espionage risk; this combined with the absence of education in the field of espionage adds to the overall accumulation of risk – what information might be damaging to security and does your organisation have a lack of training in that field ? (see: Counter espionage, whose responsibility?)
Carrying out quite rudimentary research and analysing the (active) Digital footprint aids in the selection of the right person within a company or organisation who can give you access to the information that you require; giving you a starting point.
Most of us are susceptible/vulnerable to social engineering and more at some time, so picking the right target and choosing the right time to act is very important. I have touched on MICE before in other articles and with Social Engineering it really comes in to play: MICE is the acronym for Money, Ideology, Coercion and Ego, fundamental/key “influence factors” in espionage.
People are diverse and will be influenced by different things, once you have found the person hat you want to work on, it then becomes all about finding any weakness, and what makes them tick. In this economic climate, exiting a Worldwide recession, commercial intelligence is more vital than ever. It’s a tool called upon to aid decision makers, although it's often exploited further, crossing legal and ethical, boundaries and into realm of corporate or industrial espionage.
“Espionage is rife in the world of mergers and acquisitions, large tenders, litigation, research and development and sport - espionage is everywhere.”
Risk and effort vs reward
Only risk and effort vs reward can help reduce espionage becoming a more common occurrence. Corporate or industrial espionage is big business and always at the forefront of the espionage business is doing something with the lowest possible risk, usually for a large payoff; payment in intelligence and/or financial gain…
Much commercial intelligence gathering is done legally, companies do it all the time, reward cards for example are the biggest intelligence tool. Take a look at Google for example, it knows your life mainly because of information that we willingly supply to various social media sites. But, what then when companies want to cross that line between legal and illegal intelligence gathering?
“What if we could get our hands on…” Those conversations taking part in boardrooms all over the world. It is then that people would start to weigh up if such action is worth the risk, the fallout from a large litigation case for espionage would ruin many companies and their reputations, it could be a PR disaster. And it is that reason alone that keeps corporate/industrial espionage in check.
There will come a point of course when the potential rewards will outweigh the risk and effort, everything has its price…
“Isn’t it all about cyber security and hacking these days?”
Technical Surveillance or (Signals Intelligence – SIGINT) is of course an option, but an option with limitations, not without risk and something that needs to be done properly or not at all. Gaining access to email accounts and computer systems used to be a lot easier. Until quite recently, few people knew, or cared about their internet security. Many did not even have any anti-virus software, let alone keeping it updated, and people would open email attachments without a second thought. (many still do!)
Within espionage, Phishing emails and hacking still come in to play although they are far more advanced and targeted than the general one you might see day to day. Many aficionados of espionage will stay away from hacking; it is a very specialist subject, and maybe not ideal in the first instance, especially if targeting a large company. Social Engineering can be used effectively in complex “data breaches” but if penetration is not done correctly the house of cards will tumble prematurely and remember, people are far easier to cheat than computers!
People – Human Intelligence (HUMINT)
When most people think of espionage they think of the planting of eavesdropping devices, trojan horse key-logging software or telephone interception, all good examples, all very useful but often human intelligence (abbreviated as HUMINT) is of a greater prize and more rewarding long term.
Human interaction within espionage does have its immediate setbacks, like the perpetrator(s) being easily identified. But what if with the use of social engineering the targeted individual willingly gives you that information without even understanding how important that information is or how it fits into the bigger picture.
HUMINT is very dynamic, where Trojan horse or key-logging software can tell you what an individual or a group of individuals is sending/typing, HUMINT can tell you what a company is thinking, what it is planning; the bigger picture stuff. Yes, electronic surveillance is good but it is often part of the overall picture and human intelligence will always give the opportunity to propagate other intelligence sources and broaden the scope/field. A monitored email might tell you that the CEO is travelling to Oslo on Saturday, but it is human intelligence that will tell you most likely where and what he/she likes to eat, his/her children’s names and if he/she displays any obvious flaws or influences that might be exploited later.
A good intelligence source “played” well will volunteer information, often Social Engineering is used early to help establish a relationship where you have the upper-hand, where you remain passive, yet in full control. The dynamic nature of HUMINT means that once a relationship is established with a source, direction and method can be changed to suit the direction of the intelligence gathering task. If all else was to fail, a last ditch effort might be to move from Social Engineering & MICE towards blackmail in order to get that last piece of vital intelligence. All is fair in love and war, it’s just knowing what buttons are to be pressed and when.
Personal motivation – what floats their boat?
Social Engineering is about influence and motivation. Operational Physiology as it is today did not develop over-night, the Internet (& Social networking) has brought about huge shifts in behaviour; social networking has brought egos to play where before very few people behaved in such an egotistical manner. Phycologists have had a field day and have literally rewritten the book on human behaviour since the advent of Facebook!
What is important is not just the information that people post on social media - that is golden in intelligence terms, it’s the way that people behave to things that are posted that is the most interesting; and we have all seen it… How many times have you seen a friend post that such and such film/pop star has just died when in reality this happened three years ago? How many people then “re-like” or share that post? People are like sheep and it’s that pattern of behaviour that can all to easily be exploited.
“If it is on the internet then it must be true”
As a company that carries out due diligence it is astonishing how many times people fall foul of information that is put “out there” on the Internet to reinforce something that is not true. It’s really easy and people do it all the time…
Take Nigerian scams (419 scams) for example, they are all about convincing you that you are going to get some money for nothing, mostly by preying on your greed, you think that they are in distress, stupid or thick and they reel you in, very often using newspaper articles on real people or events to back up their story; then there are those that go further and create “news” websites, blog pages or LinkedIn accounts to back up that information. It’s all about creating confidence whilst playing on the other “influence factors” Money, Ideology, Coercion and Ego.
The “Agent” recruiting process
Those that carry out espionage via HUMINT sources will carry out a well-rehearsed check list of research; starting of course with the target company, then going on to look at who is best placed to give the information required based on the MICE principles of “influence”.
- Social Engineering basics (for espionage)
- Research - the target company
- Research & Identify – likely Agents/intelligence sources
- First contact – engineering a first contact
- Building trust – a “convincer”
- Extraction of intelligence
The above is just a basic example of what an agent recruiting process might look like. At the end of the day, if you were targeting a company for espionage and needed a source/agent, then it’s about what works for you, within your timescale and budgetary restraints at that given time.
Social Engineering is about manipulation and control. Manipulation of an individual or group of people, and the control of them and their environment. There are many techniques to manipulate a person or group of people, from suggestibility and positive reinforcement, through to intimidation. Different people respond to different manipulation techniques, and it really depends on who is doing the manipulation, where and when.
Initial contact is the most important thing. Prior to even thinking about how you might set up an initial contact, you would need to think about how you were going to play this, are you after quick intelligence, or are you after a long term relationship and long term source of intelligence?
Most of us remember when we first met someone and in the case of trying to recruit an agent/source, the ideal (long term source) initial contact, would be engineered so that the first conversation was struck up, by the target themselves. With the right research this can be done easily.
What might make the target individual strike up a conversation with you? An old school tie, a book you know they like, a company brochure from their old company, them overhearing a ‘telephone’ conversation you have been having? There are many ways to ‘trigger’ a conversation, it all boils down to research and the environment.
“Social Engineering is highly valuable and very effective in espionage too, if used right”
A prime example of Social Engineering at its best was the case of Diligence LLC & KPMG Bermuda:
Guy Enright was a British-born Accountant working for KPMG in Bermuda.
In early 2005, Guy Enright was contacted by a gentleman called Nick Hamilton. Nick was charming and very British; he told Guy Enright that he needed to talk to him on a matter of great urgency and importance. Two meetings took place and at some point very early on Guy Enright was lead to believe that Nick Hamilton was an Agent of the British Secret Service.
Guy Enright was very soon passing on documents to Nick Hamilton, documents that Enright thought were being used in support of British intelligence interests.
But, Nick Hamilton was not working for British Intelligence and he was not an agent. Hamilton was in fact none other than Nick Day, CEO of British based Diligence LLC, a private intelligence firm. The documents were not destined for HM Government or intelligence services, but for the clients of Diligence LLC, Barbour Griffith & Rogers a Washington lobbying firm who were representing a Russian conglomerate and the IPOC International Growth Fund Limited, who were being audited by KPMG in Bermuda, the very office where Enright worked.
The project that was given the name “Project Yacca” by Diligence LLC was well-planned and well-executed according to documents filed during later Court proceedings.
According to a leaked memo that formed part of the Court case, Diligence LLC carried out its research well, identifying two possible employees - a "male in his mid-20s who was somewhat bored...had a propensity to party hard, needed cash, enjoyed risk, liked sports, liked women, was disrespectful of his managers, fiddled his expenses, but was patriotic." The memo described the second personality type as "a young female who was insecure, overweight, bitchy, dishonest. Someone who spent money on her looks, clothes, gadgets. Had no boyfriend, and only superficial friends. Had a strong relationship with her mother."
Diligence LLC settled on Enright, the British-born accountant, while not a “perfect fit”, he suited the operation and there was probably timescale and budgetary restraints at play, Diligence LLC had to get on and make contact.
After a short telephone conversation, the two agreed to meet for lunch near the offices of KPMG.
Nick Day posing as Hamilton met with Enright, keeping the conversation vague but that he had an assignment in mind for Enright that involved a matter British national security. ‘Hamilton’ produced an official looking British Government background check questionnaire and said that Enright had to fill it in as part of a Government background check. The questionnaire was complete with a British Government Seal at the top, it looked official and went in to questions about Enright’s parent’s, professional background, family, criminal history and political persuasion.
A few weeks passed and then Day posing as Hamilton met again with Enright, this time the venue was more relaxed and of course less formal; it was a local bar. The two men spoke for hours, Day as Hamilton telling “war” stories about his time with the British Special Forces unit the Special Boat Service (SBS); and, once Enright was relaxed the conversation turned to the KPMG audit of IPOC and what Enright knew of it.
Very soon after Enright started producing internal KPMG audit documents for ‘Hamilton’ via dead letter drops; a way Agents and Sources communicate covertly. The whole time, Diligence LLC had Enright under surveillance, to monitor any out of the ordinary activities or behaviour.
It is not clear whether Guy Enright received direct payment for passing these documents to Day, posing as ‘Hamilton’. What Is clear is that at some point Enright received a Rolex watch that he was led to believe was gift from British Intelligence as a “thank you”. It was of course from Day and Diligence LLC.
Enright was a prime target under the influences of MICE, he was patriotic, a British man overseas, he was bored with life and the “James Bond” part that Diligence’s Nick Day wrote and played for Enright suited his situation – at that time and place.
In November 2005, KPMG Financial Advisory Services sued Diligence LLC in the US Courts for “fraud and unjust enrichment”. On June 20, 2006, the case settled. Diligence paid KPMG $1.7 million as settlement… As seen in the above example, Social Engineering, if well thought out and executed, can be an extremely useful espionage tool. It is cost effective and if done well, undetectable. The Diligence LLC & KPMG case only came to light when a whistle-blower from within Diligence LLC or its client handed over the whole case file to a KPMG office in New Jersey. If it was not for that, KPMG and Enright would have been none the wiser.
Whilst it is not known what the total figure Diligence LLC charged for the information, they were, according to Court documents, billing $25,000 per month, plus $10,000 per month expenses and they did get a $60,000 bonus for the “Bermuda report”.
Protecting yourself against Social Engineering
Social Engineering is 100% about preying on your MICE “influences”. Therefore, no amount of security is going to protect a business or organisation from well-planned and executed Social-Engineering-led espionage attacks. Education within and across your company or organisation is key, as is keeping an eye on your employees and having good internal reporting procedures – can an employee report a suspicious approach or sudden interest from third parties?
Finally, if something seems too good to be true, think again and do your research.
If you require more information on Counter Espionage services or training, see: