Like many people, I have been glued to my computer, phone, and tablet recently watching and waiting for the arrival of a new bundle of joy. April the Giraffe is an Internet celebrity. The live streaming of the birth of her calf Tajiri in 2017 attracted 1.2 million viewers for the event! Her “love story” with Oliver and her adventures at the rescue center and park in upstate New York have kept people coming back for more on her YouTube channel and her web page. Her fans have nicknames such as “Loft Lurkers,” a phrase that references the location of the web cam which follows her daily routines. There is merchandise for purchase and inside jokes. You can sign up for text alerts to learn the moment April goes into active labor. A whole community and culture has built up around this family of giraffes.
April’s YouTube channel offers not only the live video feed, but also a live chat where her fans can comment and provide their thoughts and insights on the birth. There are moderators who monitor and respond to giraffe and park questions (How long is a giraffe pregnant? What will be the name of the new baby? etc.). As I watched the feed recently and occasionally glanced at the live chat, I became alarmed about what I was seeing.
Many feed viewers sign in to the chat and introduce themselves, asking for updates on April. It helps to build and support the feeling of “family.” They share information about their lack of sleep due to watching April or the weather. However, there was also something far more sinister happening in the chat. In real time, I was watching social engineering occurring.
Under the guise of camaraderie and shared interest/experience, scammers were pumping people for personal information. In just a few minutes of watching, I saw people eagerly offer up their life details, such as name, where they lived, their hometown, their phone numbers, their vacation plans, the names and birthdays of their family members, their pets’ names, and their occupation or the company for which they work. This was despite repeated warnings from moderators not to share personal information in the chat.
What would make perfectly rational adults freely give up treasure troves of information to people they barely know? Consider:
- Humans crave community, a feeling of belonging. When one is in a community, there is a relaxing of defenses due to the belief of a shared common trait or purpose. Scammers know this and often hang out in chats during these moments of excitement in a shared digital experience.
- These loft lurkers know what they are doing. They take part in disarming behaviors, such as telling jokes or sharing “information,” to make themselves seem harmless and/or helpful. Those who hang around in the chat for a period of time may convince others that they are “part of the family” and thus not a threat.
- There are multiple distractions which work in the favor of the phisher. The chat stream often moves quickly, so the victim may not realize just how much information is being shared. There is also the distraction of watching the live video stream and losing track of what has been told to whom in the accompanying chat.
- People’s lack of experience with technology can lead to a false sense of security. Some chatters tend to forget that what they are typing is not an individual conversation with a single participant, but is actually open for everyone to see – including those (like me) who may not ever actively engage in the chat. They also do not realize that the chat is recorded and that people can go back and review what has been typed.
- Finally, many people lack knowledge of basic personal cybersecurity principles. They may not realize that the cybersecurity training they receive on the job should also apply after hours. They fail to realize that many of the safeguards their company puts in place to protect its data, such as firewalls, SIEMs, or multifactor authentication, do not exist in their personal digital space.
There is nothing new in these scams by Loft Lurkers – they are “confidence games” run in a digital world. I hope that none of the participants in April’s baby watch become victims of identity theft due to what they have shared in the live chat, but I know most likely someone will become a victim of one of these scammers and loft lurkers. Contact us about what we can do to help ensure that your employees are victors in cybersecurity, not victims.
Global Learning Systems offers courses in Individual Responsibility, Social Engineering in Social Networks, Safe Social Networking, Security at Home, Securing Your Work at Home, Security for Kids, Securing Information During Travel, and Security on the Go that companies can include in their Human Firewall 2.0 program. We know that your employees’ cybersecurity awareness should not stop when they leave the office at the end of a workday. The principles they learn as part of their training at work should be extended to protecting personal data so that good habits are practiced 24×7 to reinforce positive behaviors.