Whaling - children in the net of psychological manipulators

Hackers who use human-based techniques in addition to – and sometimes instead of – information technology and programming techniques are often called social engineers.

Date: 2016-06-28. Author: Hungarian Safer Internet Centre

These social engineers are aware of the practical aspects of psychology, group behaviour and communication, and have deep knowledge of human nature, including the mechanisms by which people can be deceived. They also know how to collect otherwise confidential or intimate information by persuasion, swindling and framing.
 
It is true of almost everybody who lives in the developed world that they like comfort, and are often careless, superficial and mostly helpful. It is also true that they can be easily influenced, deceived and confused with simple methods. And finally, it is true that some people are vengeful – though in the short run – in return for injuries they suffered earlier. The rapid spread of new technical devices and mobile applications often goes hand in hand with recklessness and thoughtlessness among young people, especially the members of Generations Z and Alpha, due to their age. Social engineers can be entrusted with several tasks, including – among others – industrial espionage, hacking into computer systems, stealing passwords, unauthorised intrusion, phishing, hunting for confidential information about specific persons, and mapping their network of relationships.
 
Phishing works by luring an unsuspecting user, by text message, phone, email, instant message or through an ad banner, to fake websites where they enter their access credentials (username, password). A special form of phishing is called whaling, the target of which used to be the lower senior and senior executives of a company and their direct colleagues. In recent years, however, whaling has also targeted younger children who live with an executive (i.e. their parent or carer).
 
The executive – even though most of them are not sufficiently aware of information security – is protected by information security regulations and provisions at the workplace. The aim of these is to minimise the number of effective human and IT-based social engineering attacks. The home environment, however, is much more dangerous.
 
Some executives regularly share family photos on Facebook, name and tag family members, share photos of their children's achievements, and so on. The whaler can very quickly find out how old the children of the executive are, what school they attend, whether the children have their own Facebook profiles, what their hobbies are, what music they listen to, what films they like, what sports they do, their favourite club, who they like in their class, who they dislike, where and with whom they go to have fun, and what their favourite place is. Then the social engineer sends a friend request to the child and, when it is confirmed, the conversation can be started. The topic of conversation can be anything; the key is that the new friend should appear more sympathetic to the child, whose parents – in the eyes of the teenager – are always busy and 'selfish'. The relationship with the social engineer deepens and the child of the executive incautiously reveals the family secrets. The task of the social engineer is whaling; that is, to gain access to the executive's devices which contain confidential data. There can be situations when the child uses the parent's computer and – out of curiosity – uploads a spy program, received as an attached file, onto the parent's company device. Thus the child may become the phisher of the company's corporate data.
 
The solution is to develop the executive's information security awareness, for example with the help of coaching, to create an atmosphere of trust at family level, and to categorically refuse family members access to company devices.
 
Find out more about the work of the Hungarian Safer Internet Centre, including its awareness raising, helpline, hotline and youth participation services.
 
Csaba Kollár
Lecturer, National University of Public Service, Doctoral School of Military Engineering, Hungary
