Know Your Online Enemy: Why I Use Social Engineering in my Presentations
I love interacting with and presenting to tweens, teens, and young adults, and I have done so for the past 20 years, focusing specifically on both online and offline safety. One of the key elements that makes my presentations so different from others is that, at times, I present from the “criminal” or “threat” perspective in an age-appropriate manner. If you understand how and why the online or offline threat will target their prey, and apply counter-tactics to their crime cycle, then you will likely not be targeted. Peer-reviewed research has shown that “experiential” learning/training, rather than rote or didactic learning/training, has a stronger impact on participants at an emotional, psychological, and even physical level that can expedite positive behavioral change.
As a parent, online safety advocate, serving law enforcement officer (26 years so far), and a student of martial arts and combatives, I have made the study of strategy and tactics, specific to understanding a threat, a professional life-long endeavor. An ancient Asian warrior by the name of Sun Tzu stated, “If you know the enemy and know yourself you need not fear the results.” Many who use the internet and social media, although they may know themselves, may not necessarily know the enemy and their often-used tactic of “social engineering,” also known as “human hacking,” specific to the online grooming process. Online trust and rapport are key when it comes to stealing information, criminalization, or even the sexual predation of an identified target. The weakest link when it comes to online security and safety is always going to be the human link, no matter what one’s privacy settings, and those wishing to prey upon others will exploit this reality to its fullest.
A part of what I do before I present our internet and social media safety program at a junior or senior secondary school is to see how many students will invite me in, believing that I, too, am a student of their age who has similar online and offline interests. By utilizing nothing more than a believable “pretext,” once a request for friending has been sent, more often than not students will accept the request and thus friend or follow me. Once friended, I then have access to more information, no matter what their privacy settings, which could then be exploited.
When I first started presenting our internet and social media safety programs, we did not engage in the above noted process, but rather, we tried to explain it to our audiences. Teens being teens, they would just blow off this information believing that such a thing would and could never happen to them given that they were very internet savvy. It was not until some students approached me with a challenge: they bet me that I could not convince them that I was someone else online prior to presenting at their school. That student challenge germinated the idea.
Seeing an opportunity to effect a positive change in beliefs and online behavior specific to this issue, I began my work to create a convincing “pretext,” which, in the end, had all of these students inviting me in as a friend, believing that I was in fact a teen. When I then presented at their school, the word quickly spread about what I had done, which created a light bulb moment for all the students in the presentation… “If it could happen to my fellow classmates, people who I know, then it could happen to me too.” The entire student audience was now glued to my every word. For the students who invited me in, it was a good example of safe, experiential learning at its best. For all the other students listening, it allowed me to now connect with them at an emotional, psychological, and physical level. It was now “real” to the entire student audience given that their classmates had been socially engineered.
The goal here is not to embarrass students in front of their peers. In fact, when we present, we never publicly “out” or “shame” those students who invite us in as a friend believing that we are a teen. We do, however, provide examples of what we did and how we did it using other students in the province who have given us permission to do so, but even then, we still protect their identities. We then provide real-world examples of how students across Canada have been targeted and victimized using this social engineering process. As an example, just recently B.C. School District 42, in cooperation with the RCMP, publicly released this warning to parents: http://www.sd42.ca/rcmp-alert
I have had some who believe that utilizing this teaching technique with students is wrong, and they believe it has no place in online safety learning. I have, however, had many, many more people, including principals, counselors, parents, child psychologists, law enforcement officers, and, more importantly, the students themselves, share with me how positively impactful this teaching strategy is to changing less-than-desirable online behaviour. My use of this teaching strategy, with regard to helping students to truly understand the threat of what social engineering is and how the online predator will use it to their advantage, is what drives what I do and how I do it. “If you know the enemy and know yourself you need not fear the results.”
Once again, context is everything.
Digital Food For Thought
AKA “The White Hatter” #thewhitehatter