Understanding Social Engineering Scams
Social engineering is the art of manipulating people so that they give up confidential information. The criminals are trying to trick you into giving them passwords or bank information, or into granting them access to your computer so they can secretly install malicious software that gives them your passwords and bank information as well as control over your computer.
Types of Social Engineering Scams
Phishing. Phishing scams might be the most common type of social engineering attack used today. Most demonstrate the following characteristics:
- Seek to obtain personal information, such as names, addresses and social security numbers.
- Use embedded links, shown as URLs that appear legitimate, that actually redirect users to suspicious websites.
- Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
Some phishing emails are more poorly crafted than others, to the extent that their messages often exhibit spelling and grammar errors. These emails are focused on directing victims to a fake website where the attackers can steal user login credentials and other personal information.
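The two phishing characteristics above that can be checked mechanically are the deceptive link (visible text shows one domain, the actual link target is another, or a trusted domain is embedded inside a longer attacker-controlled hostname) and the urgency language. The following is an added example, not code from the original article: a small Python checker that parses the links out of a constructed sample email body, compares each link's displayed domain with its real target, and counts urgency phrases. The trusted-domain list, the sample message and the phrase list are assumptions for the demonstration, and the "registrable domain" helper is a naive two-label approximation rather than a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing body for the demonstration (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended. Verify within 24 hours.</p>
<a href="http://login-verify.example.net/secure">https://bank.example.com/login</a>
<a href="https://bank.example.com/help">Help center</a>
<a href="https://bank.example.com.evil.example.org/">bank.example.com</a>
"""

# Assumed list of domains the organisation actually owns (example values).
TRUSTED_DOMAINS = ("bank.example.com",)

# Assumed urgency phrases; a real filter would use a much larger list.
URGENCY_PHRASES = ("suspended", "within 24 hours", "immediately", "verify your account")

# Matches something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive last-two-labels approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(html, trusted_domains):
    """Return flagged links (href, reasons) and the urgency phrases found."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        # Visible text shows a domain, but the link resolves to a different one.
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("display-mismatch")
        # A trusted name appears inside the hostname without being its suffix,
        # e.g. bank.example.com.evil.example.org (legit subdomains are allowed).
        for trusted in trusted_domains:
            if trusted in host and host != trusted and not host.endswith("." + trusted):
                reasons.append("lookalike-domain")
                break
        if reasons:
            flagged.append((href, reasons))
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    urgency = [p for p in URGENCY_PHRASES if p in plain]
    return {"flagged_links": flagged, "urgency_hits": urgency}


def is_suspicious(html, trusted_domains=TRUSTED_DOMAINS):
    """Heuristic verdict: any deceptive link plus at least one urgency cue."""
    result = analyze_email(html, trusted_domains)
    return bool(result["flagged_links"]) and bool(result["urgency_hits"])


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS)
    for href, reasons in report["flagged_links"]:
        print(f"{href}: {', '.join(reasons)}")
    print("urgency phrases:", report["urgency_hits"])
    print("suspicious:", is_suspicious(SAMPLE_EMAIL_HTML))
```

Running it on the constructed body flags the first and third links (the second, a genuine help link, passes) and finds two urgency phrases. The same display-versus-target comparison is what a user does by hand when hovering over a link before clicking; the lookalike check catches the case where the real domain is merely a prefix of a longer attacker hostname.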
Pretexting. Pretexting is another form of social engineering in which attackers focus on creating a good pretext, or fabricated scenario, that they can use to steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm the target's identity.
Unlike phishing emails, which use deception and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
Baiting. This involves the promise of an item or service that attackers use to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.
Quid Pro Quo. This attack promises a benefit in exchange for information. The benefit usually takes the form of a service, whereas baiting frequently takes the form of a good. A common variant involves fraudsters who impersonate IT service technicians and cold-call as many direct numbers at a company as they can find. The fraudster promises a quick fix in exchange for the employee disabling their anti-virus program, then installs malware on the employee's computer disguised as software updates.
The same approach affects individuals as well as companies. The victim receives a phone call from a scammer claiming to be a representative of a high-tech computer firm. The caller warns the victim that their computer has been infected, or is at risk of being infected, by a virus that will severely damage their operating system. The alleged “representative” encourages the victim to go online and allow them to troubleshoot the computer and fix the issue. The scammer uses this time to infect the computer with malware that does damage and forces the owner to visit a third-party website to confirm the damage. The goal is to pressure the computer owner into immediately paying for unnecessary repair work over the phone by credit card. Never give anyone remote access to your computer; hire a local repair service whenever possible. Many individuals have fallen for this scam and often report that their personal identity was stolen soon after the phone encounter.
Tailgating. Also known as “piggybacking.” This attack involves someone who lacks the proper authorization following an employee into a restricted area. In a common variant, a person impersonates a delivery driver and waits outside the building. When the employee gains security’s approval and opens the door, the attacker holds the door, thereby gaining access through someone who is authorized to enter the company.