What is social engineering?
In computing, social engineering refers to the methods cybercriminals use to get victims to take some sort of questionable action, often involving a breach of security, the sending of money, or giving up private information. These actions tend to go against our better judgment and defy common sense. However, by manipulating our emotions—both good and bad—like anger, fear, and love, scammers can get us to stop thinking rationally and start acting on impulse without regard to what we’re actually doing.
To put it simply, if cybercriminals use malware and viruses to hack our computers, then social engineering is how they hack our minds.
Social engineering is usually one part of a larger con, and it takes advantage of the fact that the perpetrators and their victims never have to meet face to face. The main objective is usually to get the victim to:
- Give up usernames and passwords.
- Install malware on their device.
- Send money via electronic fund transfer, money order, or gift cards.
- Authorize a malicious software plugin, extension, or third-party app.
- Act as a money mule for the purpose of laundering and transferring illicit funds.
How does social engineering work?
Social engineering is only one part of a larger con. Take, for example, the Nigerian Prince or 419 scam (so named for the section of the Nigerian Criminal Code dealing with fraud). With this scam, a cybercriminal emails you claiming to be a deposed Nigerian prince with a vast sum of money locked away in a foreign bank account. In order to unlock the funds, the prince needs you to provide an initial amount for bribing the bank manager. In exchange, the prince will share some of his fortune with you. But this Prince Charming turns out to be a frog. There is no money. The con is to get you to wire funds to the scammer. Once you realize you’ve been scammed, the money is gone. So, where does social engineering come in to play?
By claiming to be a Nigerian prince, the scammer gives his con a degree of authority and victims are more inclined to respond.
The idea that people respond positively to someone they perceive as an authority is just one of the Principles of Persuasion set out by Dr. Robert Cialdini, a psychology professor and noted expert on influence. Dr. Cialdini wrote the book on how to get people to say “yes,” drawing on years of research that included stints as a used car salesman, telemarketer, and door-to-door salesman.
Dr. Cialdini breaks persuasion down into six principles, each of which social engineers put to work.
Reciprocity. If someone gives you a gift, however small it may be, you’re more likely to respond in kind with a gift of your own. With the Nigerian scam, the scammer has all but given you millions of dollars, the least you can do is help pay the nominal processing fee.
Scarcity. In 2019 Americans caught a glimpse of the end times when Popeyes sold out of their popular chicken sandwiches. People fought over the sandwiches. One man threatened Popeyes employees with a gun. Another man sued the fast food chain for deceptive business practices. People killed for the sandwiches. Literally. That, in a nutshell, is scarcity. If consumers can’t have something, they just want more of it.
Authority. Pretending to be royalty is just one way criminals can employ authority to manipulate their victims. Malwarebytes Labs has reported on a number of different scam calls in which callers purport to be from some United States government agency. The victims, callers allege, owe money on back taxes or fines and if they don’t settle up with the government immediately, they’re going to jail.
Consistency. Generally speaking, no one wants to come off as indecisive. When we say we’re going to do something, we try to follow through. And if you can get someone to agree to something small first, they’ll feel pressured to agree to something bigger. Take, for example, money mule scams. Working on behalf of the scammers, money mules accept illicit funds into their own account and then transfer them on to the scammer. Even when the legality of the operation comes into question, victims tend to follow through, not wanting to go back on their word.
Liking. The Ellen DeGeneres scam is a great example of liking. In social media posts supposedly from Ellen herself, scammers cut together videos of the popular daytime talk show speaking about her favorite charities along with a request to share the posts. Because the victims like Ellen, they’re more inclined to share. “Ellen” then reaches out directly to those who shared the post and asks them to download one of her films for a chance at winning a million dollars. Of course, there is no million dollars and all victims have to show for their effort is a subscription to an illegal streaming site and a pirated copy of Mr. Wrong.
Consensus. You’ve probably heard the expression: “If everyone else jumped off a bridge, would you?” If you have, then you’re familiar with the concept of consensus. People are more inclined to respond affirmatively if they think everyone else is doing it. As it applies to online scams, Malwarebytes Labs has reported on fake charitable organizations emerging in the aftermath of a natural disaster. Criminals use the groundswell of support that typically follows to pressure people into donating money.
Social engineering news
- Malsmoke operators abandon exploit kits in favor of social engineering scheme
- Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book
- Battling online coronavirus scams with facts
- Spear phishing 101: what you need to know
- New social engineering toolkit draws inspiration from previous web campaigns
Types of social engineering attacks
Here are six common online scams that employ some form of social engineering.
Email phishing is the most common type of attack that features social engineering. The target receives a spam email spoofed to look like it was sent by a company or organization the target trusts. These emails are remarkably easy to create nowadays using off-the-shelf phishing kits that contain pre-designed email templates that look like they’re being sent by Apple or Amazon or some other well-known company. The email contains a link to a phishing site designed to collect usernames and passwords.
Trojan refers to any kind of malware pretending to be something it isn’t. Just like the Trojan horse of Greek fame, computer Trojans contain a destructive payload. Email attachments containing hidden malware are a form of Trojan. The trick, as it applies to social engineering, is when the email appears to originate from a trusted sender such as a coworker, friend, family, or company you do business with.
Spear phishing is a type of phishing attack that targets one person or a small group of people. Unlike a typical phish, which is deliberately generic and sent out en masse to as many addresses as possible, a spear phishing attack requires some homework on the part of the scammer. Scammers will look up the target’s social media accounts and use information gleaned from photos, relationship status, birthdates, places lived, job history, and any other public info they can find to give credence to the scam.
SMS text message phishing (smishing) is a type of phishing that occurs over your tablet, smartphone, or smartwatch. It’s true, phishing happens outside of email. Victims typically receive a text message from an unknown sender informing them of some special offer or contest they’ve won. The text includes a link to a spoofed site designed to harvest login credentials.
Scam calls are the telephone equivalent of spam. Also known as vishing (voice phishing) or robocalls, scam calls are made using a computerized telephone dialing system. When the call is answered, the autodialer connects the call to a live person or plays a prerecorded message. Both are considered robocalls. While robocalls can be legal under certain limited circumstances, most are illegal and involve some ploy to steal the victim’s money, user credentials, or identity.
Tech support scams are an advanced form of social engineering designed to make you think your computer is infected with malware, when it actually isn’t, then extort money from you to “fix” it. The scam starts when victims land on a malicious website run by the scammers. These sites include malvertising designed to lock your browser and prevent you from closing out or navigating to another site. The malvertising generally includes some warning that your computer is infected with malware or your software is pirated along with a phony tech support number you can call to get help—but it will cost you. As it happens, Malwarebytes Browser Guard is the first browser extension smart enough to block tech support scams and it’s completely free to download for Firefox and Chrome.
History of social engineering
Social engineering is not new. Con artists and grifters have used social engineering since time immemorial to get victims to act against their better judgment and part with their money or divulge private information. Thanks to the Internet, however, criminals have access to a whole new world of potential targets.
The advance-fee scam is a great example of how an old social engineering ploy can evolve with the times and use technological advancements to horrible effect.
The scam has its origins in the late 18th century Letters from Jerusalem con. In the aftermath of the French Revolution, France’s prisons were filled with industrious scammers all claiming to be the valet of a French nobleman. While attempting to escape persecution (or execution) at the hands of angry revolutionaries, the valet hid his master’s treasure, only to be imprisoned before he could retrieve it. For a modest sum, the prisoner offers to provide a map revealing the location of the treasure. According to a contemporary account from one of the scammers, 20 percent of recipients responded to the letters.
The success of the Jerusalem scam gave rise to a 19th century variant known as the Spanish Prisoner scam, named after the supposed European nobleman at the center of the scam. The nobleman, as the scam goes, was wrongly imprisoned in a Spanish jail and needs the letter recipient’s help. In exchange for providing the funds necessary to secure the nobleman’s release, allowing him to return to his young daughter, the victim is promised a significant return on their investment, namely buried treasure or funds hidden away in a foreign bank account.
The Spanish Prisoner scam improves upon the Jerusalem scam in two major ways. Where the Jerusalem scam targeted victims seemingly at random, Spanish Prisoner scammers claimed to be a distant relative of the recipient, even going so far as to call out the victim’s deceased relatives by name in a kind of proto-spear phishing. Spanish Prisoner scammers also shifted the narrative focus of the letters away from the prisoner to the nobleman’s impoverished daughter. With these changes the story became less about personal enrichment or outright greed and more about compassion, appealing to a different and potentially broader group of victims.
The advance-fee scam continued to evolve through the late 20th century. With the rise of the Internet, advance-fee scammers were no longer limited by the cost of a stamp or the number of letters they could write in a day. The Internet allows them to copy and paste a prewritten message and spam thousands of potential targets with a few simple clicks. In the past, scammers might’ve selected victims carefully based on factors like wealth and location. Victims today self-select. By simply responding to an email that was sent to thousands of other targets, victims reveal themselves to be susceptible to the fraudster’s proposal—however implausible it may be.
The modern version of Letters from Jerusalem, commonly referred to as the Nigerian Prince or 419 scam once again involves a mysterious stranger, vast sums of money, and an offer too good to be true.
In the first phase of the scam, the victim receives an email from someone claiming to be a foreign prince, government official, deposed leader, lawyer, banker, etc. with knowledge of a vast sum of money locked away in a foreign bank that the sender cannot access on their own. Accordingly, the sender needs the victim to act as a money mule; that is, receive a wire transfer of the money then wire the money back to the sender while keeping a large percentage of the total as a service fee. The sender may send follow up emails with official looking documents to help substantiate their claims. In phase two, the scammer introduces an obstacle. In order to unlock the money, the scammers need to bribe bank or government officials, pay fees, or pay taxes owed on the money, hence the name “advance-fee scam.” Of course, there is no money and the victim’s advance fee is lost via irreversible and untraceable wire transfer.
To be fair, not all advance-fee scams originate in Nigeria, though many do. Countries like Nigeria are just foreign enough to mystify westerners. While one might second guess an email claiming to be from a member of the British royal family, maybe Nigeria has a ton of itinerant princes wandering around looking for random American pensioners to help them unlock their trust funds. Who knows? Certainly not the victim. It’s precisely this naivete that scammers depend on to be successful.
As it stands, advance-fee scams remain a time-tested, profitable, and low-tech option for enterprising cybercriminals. According to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) report, 18,463 Americans fell victim to advance-fee and romance scams in 2018, with total losses surpassing $362 million.
Examples of social engineering
Here are some real-world examples of social engineering we’ve reported on over at Malwarebytes Labs. In each example, social engineering scammers are looking for the right target and the right emotional trigger. Sometimes the combination of target and trigger can be hyper-specific (as with a spear phishing attack). Other times, scammers may go after a much broader group.
The sextortion scam. In this first example, scammers are casting a wide net. The target? Anyone who watches porn. The victim is notified via email that their web cam has supposedly been hacked and used to record them watching adult videos. The scammer also claims they’ve hacked the recipient’s email account, using an old password as proof. If the victim doesn’t pay up via Bitcoin, the scammer threatens to release the video to all the victim’s contacts. Generally speaking, the scammer doesn’t have video of you and your old password is from a previously disclosed data breach.
The grandparent scam. This scam has been going around for years and targets anyone with living family, usually the elderly. Parents or grandparents receive a call or text message from the scammer, posing as a lawyer or law enforcement. The scammer claims the victim’s relative has been arrested or injured and needs money to cover bail, legal fees, or hospital bills. In the case of the SMS text message version of the scam, merely replying ends up costing the victim money.
The Social Security Number scam. In this grift, things start to narrow as it only applies to US citizens. The victim receives a prerecorded robocall purporting to be from the Social Security Administration. The message asserts the victim’s SSN has been “suspended” for “suspicious trails of information.” Never mind the fact that your SSN can’t be suspended, if the victim falls for the ploy and returns the call, they’ll be asked to pay a fine to straighten everything out.
The John Wick 3 scam. Here’s a good example of spear phishing. In this case the scammers are after a very specific target: a John Wick fan who enjoys comic books, but prefers to read them on Amazon Kindle. While searching for John Wick comics, the target is offered a free download for the third John Wick film—at the time of the scam, the movie hadn’t been released in theaters. Following the link embedded in the movie description takes the victim down a rabbit hole of illegal streaming sites for pirated movies.
Coronavirus scams. Scammers took note of the dearth of virus info, especially in the early days and months of the epidemic. As health officials struggled to get a grasp on the virus and how it spread from person to person, scammers filled in the blanks with bogus websites and spam emails. Malwarebytes Labs reported on spam emails masquerading as virus info from the World Health Organization. The emails actually contained malware-filled attachments. In another example, Labs reported on a COVID-19 tracking site that displayed infections around the world in real-time. Behind the scenes the site would load an info-stealer Trojan onto victims’ computers.
How to protect against social engineering
- Turn your spam filter on. A lot of social engineering happens via email so the easiest way to protect against it is to block spam from making its way to your inbox. Legitimate emails will sometimes end up in your spam folder, but you can prevent this from happening in the future by flagging these emails as “not spam,” and adding legitimate senders to your contacts list.
- Learn how to spot phishing emails. Talented scammers spend a lot of time spoofing emails to look like the real thing, but with a little due diligence you can easily spot the spoofs.
- The sender’s address doesn’t match the domain of the company it claims to represent. A message from PayPal should come from a paypal.com address, and one from Microsoft from a microsoft.com address, not from a look-alike such as a domain with an extra word or a swapped character. Check the actual address, not just the display name, which the sender can set to anything.
- The sender doesn’t seem to actually know who you are. Legitimate emails from companies and people you know will be addressed to you by name. Phishing emails often use generic salutations like “customer” or “friend.” (A spear phisher who has researched you will use your name, so treat this as one signal among several.)
- Embedded links have unusual URLs. Vet the URL before clicking by hovering over it with your cursor. If the link looks suspicious, navigate to the website directly via your browser. Same for any call-to-action buttons. Hover over them with your mouse before clicking. If you’re on a mobile device, navigate to the site directly or via the dedicated app.
- The email has typos, bad grammar, and unusual syntax. Does it look like the email was translated with Google Translate? There’s a good chance it was.
- The email is too good to be true. Advance-fee scams work because they offer a huge reward in exchange for very little work. But if you take some time to actually think about the email, the offer is fake or outright illegal.
- Turn macros off. Many malicious email attachments are Office documents whose payload only runs once macros are enabled, so keeping macros disabled defeats that whole class of attachment. If a document asks you to “enable macros” or “enable content,” don’t, especially if you don’t know the sender. If you suspect the attachment may be legitimate, check with the sender through a separate channel (a phone call or a fresh message, not a reply to the email) and confirm they sent you the file.
- Don’t respond. Even as a joke, don’t do it. By responding to scammers, you demonstrate that your email is valid and they will just send you more. The same goes for SMS text message and call scams. Just hang up and block the caller. If it’s a text message you can copy and forward it to the number 7726 (SPAM), doing so improves your phone carrier’s ability to filter out spam messages.
- Use multi-factor authentication. With two-factor or multi-factor authentication, a username and password captured by a phishing site are not enough on their own to log in. One caveat: a code you type in can still be phished by a site that relays it to the real service in real time, so where it’s offered, prefer a hardware security key or another phishing-resistant method.
- Install a good cybersecurity program. Mistakes happen. If you click a bad link or malicious attachment, your cybersecurity program should recognize the threat and shut it down before it can do any damage to your device. Malwarebytes, for example, blocks malicious websites, malvertising, malware, viruses, and ransomware with products for home and business. And for threat protection on your iPhone there’s Malwarebytes for iOS, which blocks pesky scam calls and text messages.
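The phishing indicators listed above (sender domain vs. the brand the mail claims to be from, a generic salutation, and a link whose visible text points one place while its href goes somewhere else) can be checked mechanically. The script below is an added example, not code from Malwarebytes or from this article. It uses only the Python standard library and runs against two constructed messages embedded inline; the look-alike domains in them are hypothetical, and the brand-to-domain table is an assumption for the example rather than an authoritative list.

```python
"""Heuristic phishing-email checks (added example, not the article's code)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we expect mail from and the domains they legitimately send from.
# Assumption for this example only; a real deployment maintains its own list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear friend", "dear member")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Good enough to show that
    paypal.com.login-verify.example is NOT paypal.com; real code should use
    the public suffix list so that e.g. co.uk domains are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the address the mail actually came from match the brand it
    #    shows in the display name or subject? The display name is free text.
    sender = msg["from"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    visible = f"{sender.display_name} {msg['subject'] or ''}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in visible and sender_domain not in domains:
            findings.append(f"claims to be {brand} but sent from {sender_domain}")

    # 2. Generic salutation instead of the recipient's name.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", content).lower()
    for greeting in GENERIC_SALUTATIONS:
        if greeting in text:
            findings.append(f"generic salutation '{greeting}'")
            break

    # 3. Link text that looks like a URL/domain but whose href goes elsewhere
    #    (what you would see by hovering over the link).
    parser = LinkExtractor()
    parser.feed(content)
    for href, label in parser.links:
        href_host = urlparse(href).hostname
        if not href_host or not re.search(r"[a-z0-9-]+\.[a-z]{2,}", label, re.I):
            continue
        label_host = urlparse(label if "://" in label else "//" + label).hostname
        if label_host and registrable_domain(label_host) != registrable_domain(href_host):
            findings.append(
                f"link text shows {registrable_domain(label_host)} but href goes to "
                f"{registrable_domain(href_host)}"
            )
    return findings


# Constructed sample messages (hypothetical domains, not real senders).
SAMPLE_PHISH = """\
From: "PayPal Service" <billing@paypa1-secure.example>
To: victim@example.com
Subject: Your PayPal account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We noticed unusual activity. Please confirm your details within 24 hours:</p>
<p><a href="http://paypal.com.login-verify.example/confirm">https://www.paypal.com/account</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Receipt for your payment
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jane Doe,</p>
<p>View details: <a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The third check is the one worth studying: the href host is `paypal.com.login-verify.example`, so a glance at the start of the URL is reassuring, but the registrable domain is `login-verify.example`. Any such checker is a triage aid, not a verdict; a well-made spear phish can pass all three tests, and a legitimate bulk mailing can fail the salutation one.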