Social Engineering

 

What is Social Engineering?

Social engineering refers to the methods attackers use to manipulate people into sharing sensitive information or taking an action, such as downloading a file or clicking a link. A social engineer may also rely solely on information posted online.

Oversharing Online

Information posted online can seem harmless, until you think about how a social engineer could use the same information. By gathering multiple pieces of information from various sources, a cybercriminal could have enough facts about you to craft a very convincing social engineering scam. Read the story below and put yourself in Jane's position. Would you open the e-mail too?

  1. A cybercrime group decides they want to hack you or your computer.
  2. The cybercrime group does research on your employer to determine who works there and who has public social media accounts.
  3. The cybercriminals identify Jane Doe on social media as a high-level employee of the company.
  4. The cybercriminals also notice that Jane Doe likes to post about running on her social media profile.
  5. One day, Jane posts about a tough 10k race she ran that morning.
  6. The following Monday, the cybercriminals send Jane an e-mail. The subject line reads "Pictures from this weekend's race". However, the attached documents are actually a virus.
  7. Jane opens the attachments because the e-mail seemed legitimate and unlikely to be fake.

Be careful about how much information you post, and think about how a cybercriminal might combine the various pieces, for example to write phishing e-mails or to answer account security questions.

Persuasion Scams

The following three common types of persuasion methods highlight different ways social engineers target victims through the Internet. 

Tech Support Call Scams

In Tech Support Scams, the victim typically receives a fake pop-up ad while browsing the web. The ad instructs the person to call the scammer, who claims to work for a well-known software or technology company and attempts to convince the victim that their computer is at risk of attack, is attacking another computer, or is infected with malware, and that only the scammer can remediate the problem. In convincing the victim, the scammer often persuades them to provide remote access to their computer. The scammer can then install malware or access sensitive information. In some variations, the scammer persuades the victim to pay for unnecessary or fictitious antivirus software or software updates.

[Image: Pop Up Web Warning 2016 (Pop Up Message Example)]

Romance Scams

In Romance Scams, the malicious actors create fake profiles on dating websites and establish relationships with other site members. Once a sense of trust is established, the scammer fabricates an emergency and asks the victim for financial assistance. The scammer generally claims they will repay the victim as soon as the crisis is over. However, if the victim sends money, the scammer will prolong the scam, sometimes stealing thousands of dollars from the victim.

Traveler Scams

In this scenario, also known as the “Grandparent Scam,” malicious actors use information posted on social media websites by a traveling family member to trick other family members into sending money overseas. Often the scam targets the elderly, who are less likely to realize the information was originally posted online. The scammer will monitor social media websites for people traveling overseas, and then contact the family members, through the Internet or via phone, with a crisis, requesting that money be sent immediately. The scammers rely on all the information users post online about themselves and their trips to convince the family member that they know the traveler and are privy to personal details, and thus should be trusted.

 

Easy Tips to Protect Yourself from Social Engineering

· Use discretion when posting personal information on social media. This information is a treasure trove for scammers, who will use it to create enticing phishing e-mails.

· Before posting any information, consider: What does this information say about me? How can this information be used against me? Is this information, if combined with other information, harmful?

· Remind friends and family members to exercise the same caution. Request that they remove revealing information about you.

· Verify the identity of anyone who contacts you by using a different means of contact than the one they used; do not use the information they provide you.

· Do not send money to people you do not know and trust.

 

For More Information

· Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx

· Federal Bureau of Investigation’s Common Fraud Schemes: https://www.fbi.gov/scams-and-safety/common-fraud-schemes

· OnGuard Online: https://www.onguardonline.gov/
