Beware of Social Engineering, a Scam Artist’s Favorite Tool

Social engineering is sneaky, because it takes advantage of our natural tendency to be helpful. Social engineers also play on human emotions such as fear and sympathy. Here are some of the tricks social engineers use to talk you out of sensitive data, and how you can protect yourself.

You are in the office and an electrician comes to fix a problem. Or your phone rings and it’s your ISP informing you of a problem with your account.

It’s human nature to cooperate, right? You let the electrician in and let him do what he needs to do. You answer questions the customer service agent asks to verify your identity. Unfortunately, instead of being helpful, you’re now a victim of social engineering. The electrician has installed a rogue router or stealth cameras in your office. The fake customer service representative has learned your personal details, your account credentials, or even your credit card information.

Social engineering refers to techniques people use to manipulate others into performing certain tasks or revealing certain types of information. Cybercriminals and thieves take advantage of the natural human desire to be helpful and to believe what people say. These scammers don’t need to bother with sophisticated hacking techniques or malware exploiting a software vulnerability when they can just email a malicious attachment and ask the recipient to open the file.

Social engineering is nothing new; there have always been scam artists working elaborate cons and hoaxes. What is new is the amount of information these scammers can collect about their targeted victims before even starting the attack. Thanks to social networking sites, they can find out all kinds of things, such as where their targets work, the names of their colleagues, what school the target attended, and even where the person last went on vacation. They can find the company’s organization chart or find out what kind of software the company is using. They use all this information to convince the victim that they are telling the truth.

Human Nature to Help
DEF CON, the biggest hacker convention, holds a social engineering “Capture the Flag” competition each year. Participants are given a few weeks to research the target company. In previous years, targets have included Apple, Johnson & Johnson, and others. On the day of the competition, the contestant steps into a booth, calls a person at the company, and attempts to trick that person into revealing “flags,” such as which browser version the company is using or what software is installed on the computer. Often the contestants pretend to be colleagues at a different office who are gathering information for the CEO and badly need help because they are completely overwhelmed. For the most part, people want to help and offer the information freely.

Fear is Lucrative
The scammers are good at selling fear. In a popular scam, the caller claims to be from the Windows Help Desk or some other Microsoft-sounding department, calling because a problem was detected on the user’s computer. The caller asks the user to type in some standard commands and explains that the resulting output is evidence of malware and other serious issues. At this point, the user is convinced something is wrong and hands over their credit card information so the “representative” can fix the problem.

Verify, Verify, Verify
If someone calls claiming to be acting in some official capacity, ask for proof. Ask for an extension number so that you can call back through the organization’s published number. If the person claims to be an employee from a different office or from a supplier, ask for some kind of verification to confirm that person’s identity. If it’s law enforcement, ask for a badge number. Legitimate callers will provide that information without hesitation.

Don’t give in to the “you have to act in the next 20 minutes” pressure. There is always time to research and to think things through.

Always be skeptical of situations where someone proactively contacts you about a problem. No legitimate company will ever ask you for your password, and the government will always send a letter for official communications. And if you suddenly get a call from a friend or relative claiming they are stranded in a foreign country and need money wired to them, don’t believe it just because the person knows the names of your siblings or the name of your dog.

Be aware of what you share online, and take advantage of the privacy control settings. There are certain things you should never provide online, such as your password, answers to security questions (like your mother’s maiden name), and your Social Security number.

You can still be helpful, but take the time to question and evaluate everything. A little dose of skepticism never hurts, and it can make a huge difference when it comes to cybercrime.

4 thoughts on “Beware of Social Engineering, a Scam Artist’s Favorite Tool”

  1. I have recently been contacted on 3 or 4 occasions by a sub-continent Asian purporting to be from Microsoft, stating that my computer was registering malware problems which were allegedly infecting other computers when I used email and Google.
    They asked me to go on the computer so they could demonstrate the existence of the problem malware.
    I politely declined (as I was busy), but on the 3rd occasion I challenged them as to their identity and stated that I would not deal with anyone from an Indian office, and would they arrange to send a Microsoft IT engineer to my home address with appropriate verifiable ID; when the ID was confirmed he would be welcome to show me the problem.

    I am still awaiting a response from the most recent telephone call from an Asian Indian lady, and any further phone calls will be rebuffed in the same manner…
    I do not think Microsoft would ring me at home or send an engineer to my home address, do you?

    Michael B.Stout

  2. I got a call from “Microsoft Support” telling me they had detected a problem on my computer. I replied, “Sorry, we use Apple, you have the wrong number.” The next day I got a call from the same voice telling me that they were “Apple Support,” so I said, sorry, we only use Linux. Still waiting to hear from “Linux Support”. Sorry, but computer manufacturers, internet service providers, web hosting companies, etc. do not monitor your system, and they certainly don’t call you unless you call them. Have you ever TRIED to call Microsoft Support? You’ll get faster service driving 20 miles to visit the Geek Squad. And now suddenly I’m expected to believe that Microsoft will contact me before I even know about the problem? Get real.

  3. Pingback: ZeroAccess Botnet: Is It Preparing Its Next Attack? | ZoneAlarm Security Blog

  4. I work from home, and have received dozens of these calls over the last few years. They identify themselves as:

    * Microsoft Internet Monitoring (and imaginative variations thereof);
    * Microsoft Internet Technical Support (and imaginative variations thereof);
    * Telstra Internet Support (when targeting Australia; Telstra is the former government-owned major telecommunications carrier, like AT&T or BT);
    * Telstra Network Monitoring;
    * Telstra Big Pond (a major ISP) Internet Monitoring;
    * “Dr PC”; “PC Wizard”, and variations thereof (supposedly subcontracting to Microsoft, etc).

    The approach is always the same, as described: “…Malware, viruses, etc. have been identified through ISPs, and they want to check your system…”; “Go into… press xyz…”; “Do you see red abc error reports…?”

    1. I will state:

    a) They are constantly improving. When asked for identifying addresses, websites, etc., over time they have actually implemented these things, including using real MS and Telstra addresses, and even creating a “Dr PC Wizard” or similar site with the ability to log in, create an “account”, download “error scanning software” (!), etc. BE CAREFUL!

    b) They are really audacious – after being told to f___ off (at length, in detail, and with quite a bit of “character descriptions”), they will sometimes call back with determined protestations that they are “Trying to help you!”, and that “You don’t understand the technicalities…”, etc.

    c) I have reported them several times to the Fraud Squad and ACMA (Australian Communications and Media Authority, Consumer Protection, etc.), but until recently, when it became a real blight, there was little they could do, as it originates overseas and they use VoIP, which is difficult to track;

    2. My favourite remedies, because they regularly change young, inexperienced callers in a “Boiler room” setup (be warned – these methods are not for the squeamish or politically correct!) are a combination of:

    a) Playing dumb for as long as possible, while not doing anything, or only following instructions to the degree necessary to see where they are leading, if you are not familiar with the innards of Windows. [DO NOT execute any actions beyond viewing a report…]

    Play dumb. Play old. Play unfamiliar with Windows. “Repeat” actions, or ask to clarify, repeat instructions; “No, I don’t see that screen” – “My children usually do this…”; “Can’t see that button…”, and so on. Put them on hands free, and keep working – waste their time and bandwidth, their dearest commodities!

    b) When you get bored, ask the caller (very interestedly and politely) whether they are Christian, Muslim, Hindi, Sikh, Buddhist, Tamil, Philippino (as a very broad range). Generally, they are Hindi, or occasionally, Muslim, whereupon I start telling them (after finally dropping pretense of ignorance) things like:

    * “So this is what you are doing, conning the naive and elderly?”
    * “Scamming money from trusting people?”
    * “Lying and stealing from good people who trust you?”
    * “Is this what your mother taught you?”
    * “Is this how you were raised by your parents?”
    * “You are prostituting yourself to lie and steal?”
    * “YOU ARE GOING TO DIE AND COME BACK AS A COCKROACH! You PoS, sacrilegious deviant, lying scum!”

    (Add extensive character detail, filthy personal hygiene and sexual habit descriptions, etc.)

    Let them know that the rich, dumb, gullible Westerners they are preying on are not as dumb and gullible as they may think (nor as rich…).

    c) If admitted to being a Muslim (in India!?!), this opens a whole new arena of denigrating, terror related political descriptions, which I leave to your imagination…

    d) The “Is this how your mother/parents raised you?” makes a real emotional impact; it shocks, and brings home their actions at a truly basic level;

    e) Tell them that you use VoIP, and have identified their IP address, and are reporting it to the police.

    I have had shocked, silent responses before I slam the phone down (after a good venting!), although I know that by now they have picked up on these responses and train new callers for them (they are no longer as easily responsive; they learn fast).

    In any case – if you have the time and inclination – fight back!

    As always – beware of giving your name, addresses, and personal locations, even if they address you by name; phone directories are available worldwide; they play on that familiarity.

    Have a good time, and fight this scourge!
