Beware of Social Engineering, a Scam Artist’s Favorite Tool

Social engineering is sneaky, as it takes advantage of our natural tendency to be helpful. Social engineers can also play upon human emotions, such as fear and sympathy. Here are some of the tactics social engineers use to pry sensitive data out of you, and how you can protect yourself.

You are in the office and an electrician comes to fix a problem. Or your phone rings and it’s your ISP informing you of a problem with your account.

It’s human nature to cooperate, right? You let the electrician in and let him do what he needs to do. You answer questions the customer service agent asks to verify your identity. Unfortunately, instead of being helpful, you’re now a victim of social engineering. The electrician has installed a rogue router or stealth cameras in your office. The fake customer service representative has learned your personal details, your account credentials, or even your credit card information.

Social engineering refers to techniques people use to manipulate others into performing certain tasks or revealing certain types of information. Cybercriminals and thieves take advantage of the natural human desire to be helpful and to believe what people say. These scammers don’t need to bother with sophisticated hacking techniques or malware exploiting a software vulnerability when they can just email a malicious attachment and ask the recipient to open the file.

Social engineering is nothing new, as there have always been scam artists working elaborate cons and hoaxes. What is new is the amount of information these scammers can collect about their targeted victims before even starting the attack. Thanks to social networking sites, they can find out all kinds of things, such as where their targeted victims work, the names of their colleagues, what school the target attended, and even where the person last went on vacation. They can find the company’s organization chart or find out what kind of software the company is using. They can use all this information to convince the victim that they are telling the truth.

Human Nature to Help
DefCon, the biggest hacker convention, conducts a social engineering “Capture the Flag” competition each year. Participants are given a few weeks to research the target company. In previous years, targets have included Apple, Johnson & Johnson, and others. On the day of the competition, the contestant steps into a booth and calls a person at the company and attempts to trick the person into revealing “flags,” such as what version of the browser the company is using or what software is installed on the computer. Many times the contestants pretend to be colleagues at a different office trying to gather information for the CEO and really needing the help because they are completely overwhelmed. For the most part, people want to help and offer the information freely.

Fear is Lucrative
The scammers are good at selling fear. In a popular scam, the caller claims to be from the “Windows Help Desk” or some other Microsoft-sounding department and says there is a problem on the user’s computer. The caller has the user type in some standard commands and then claims that the ordinary output is actually evidence of malware and other serious issues. At this point, the user is convinced something is wrong and will hand over their credit card information for the “representative” to fix the problem.

Verify, Verify, Verify
If someone calls claiming to be acting in some official capacity, ask for proof. Ask for an extension number so that you can call back. If the person claims to be an employee from a different office or from a supplier, ask for some kind of verification to confirm that person’s identity. If it’s law enforcement, ask for a badge number. Legitimate callers will provide that information without hesitation.

Don’t give in to the “you have to act in the next 20 minutes” pressure. There is always time to research and to think things through.

Always be skeptical of situations where the person is proactively contacting you about a problem. No legitimate company will ever ask you for your password, and the government will always send a letter for official communications. And if you suddenly get a call from a friend or a relative claiming they are stranded in a foreign country and need some money wired to them, don’t just believe it because the person knows the name of your siblings or the name of your dog.

Be aware of what you share online, and take advantage of the privacy control settings. There are certain things you should never provide online, such as your password, answers to security questions (like your mother’s maiden name), and your Social Security number.

You can still be helpful, but take the time to question and evaluate everything. A little dose of skepticism never hurts, and it can make a huge difference when it comes to cybercrime.

3 thoughts on “Beware of Social Engineering, a Scam Artist’s Favorite Tool”

  1. I have recently been contacted on 3 or 4 occasions by a sub-con Asian purporting to be from Microsoft, stating that my computer was registering malware problems which were allegedly infecting other computers when I used email and Google.
    They asked me to go on the computer so they could demonstrate the existence of the problem malware.
    I politely declined (as I was busy), but on the 3rd occasion I challenged them as to their identity and stated that I would not deal with anyone from an Indian office, and would they arrange to send a Microsoft IT Engineer to my home address with appropriate verifiable ID; when the ID was confirmed he would be welcome to show me the problem.

    I am still awaiting a response from the most recent telephone call from an Asian Indian lady, and any further phone calls will be rebuffed in the same manner…
    I do not think Microsoft would ring me at home or send an engineer to my home address, do you?

    Michael B.Stout

  2. I got a call from “Microsoft Support” telling me they had detected a problem on my computer. I replied to them, “Sorry, we use Apple, you have the wrong number.” The next day I got a call from the same voice telling me that they were “Apple Support,” so I said, sorry, we only use Linux. Still waiting to hear from “Linux Support.” Sorry, but computer manufacturers, internet service providers, web hosting companies, etc. do not monitor your system, and they certainly don’t call you unless you call them. Have you ever TRIED to call Microsoft Support? You’ll get faster service driving 20 miles to visit the Geek Squad. And now suddenly I’m expected to believe that Microsoft will contact me before I even know about the problem? Get real.

  3. Pingback: ZeroAccess Botnet: Is It Preparing Its Next Attack? | ZoneAlarm Security Blog
