Social engineering is an increasingly common form of attack, and in many ways it is the
most dangerous and under-appreciated method of exploiting consumers for their sensitive
information. In truth, social engineering is usually used as a kind of glue that connects
multiple other forms of attack, or as the final step in gathering detailed information. In effect,
it allows shallow and opportunistic data theft methods to be amplified with deeper and
more tangible sensitive information.

Techie Term:

Social engineering is the psychological or emotional manipulation of people, with the end goal
of exploiting them for information.

Unlike many other types of hacking, social engineering doesn’t focus primarily on electronic
devices or digital networks, although those can still be used as a means to an end. Instead,
social engineering focuses on human interactions. It relies on psychological and
emotional deception, with attackers attempting to trick their victims into disclosing
sensitive information under false pretenses.

Techie Term:

Hacking is the general practice of gaining unauthorized access to a computer system or data
repository, with the intent of taking control of it or obtaining the sensitive information held there.

Social engineers use a few different channels to exploit their victims. These are outlined
below.
Phishing
This involves sending an email to the victim under false pretenses. Phishing emails (which
are a form of email ‘spam’, or junk email) will usually appear to come from a trusted
company that the victim does business with. However, phishing emails are fake. While there
are often subtle signs that can be used to identify a phishing email, they can be difficult to
spot.
Techie Term:
Phishing is the practice of sending fraudulent emails which appear to come from a company,
with the intention of tricking the recipient into unwittingly providing the impostor with
information.
Two closely-related concepts to phishing are spearphishing and pharming.

• Spearphishing is a more targeted email attack, in which the email is much more tailored to your tastes, preferred websites and interests, because the senders have spent more time researching your social media and online presence;
• Pharming redirects a user to a fake copy of a legitimate website even when they type the correct address, typically by tampering with the way domain names are resolved (for example, a poisoned DNS server or an altered hosts file on the victim’s computer). Any credentials (username and password) entered on the fake site are sent to the hacker and then used to access the user’s account on the real website. A link in a phishing email that simply points to a look-alike site is the same credential-harvesting idea, but delivered by the link rather than by redirection.

Common signs of a phishing email include one or more of the following:

• They purport to come from a company you do not have an account with;
• They can contain typos, grammatical errors, or poorly-formed sentences;
• They can contain stretched or poor-quality embedded images (including company logos);
• They try to instill a false sense of urgency, or fear-monger, to coerce the reader into rash actions;
• They make unbelievably good offers with regard to services or products;
• The email asks you to respond with sensitive information, such as passwords,
driver’s license numbers, government-issued identification numbers, credit card
information, or bank information;
• They can contain suspicious attachments that might be infected with viruses or
other malware. Popular file attachment types are Adobe PDF documents, Word
documents, PowerPoint presentations, or Excel spreadsheets;
• They can contain links that appear to point to the company’s website, but which
actually point to bogus look-alike websites built to harvest your credentials; †
• The name in the email’s From address does not match the name in the email
signature or the email body;
• The email urges you to reply via a personal email address (for example:
@gmail.com, @aol.com, @yahoo.com, @btinternet.com, etc.);
• Your email client or your anti-virus software might visually flag the email as
suspicious. Be attentive to any such warnings.
Meanwhile, common signs of a spearphishing email include one or more of the following:
• They purport to come from a company with which you do have an account or an
existing relationship;
• They mention your full name, first name, or a username you recognize;
• They will almost certainly contain links that appear to point to the company’s website,
but which actually point to bogus look-alike websites built to harvest your credentials; †
• They might still contain suspicious attachments that might be infected with viruses or
other malware. Popular file attachment types are Adobe PDF documents, Word documents,
PowerPoint presentations, or Excel spreadsheets;
• Your email client or your anti-virus software might visually flag the email as
suspicious. Be attentive to any such warnings.
† Fraudulent links can usually be identified by hovering over them with your mouse
cursor (without clicking on them!). Most email clients will display the actual link in
floating text or in a status bar at the bottom of the client. For example, in the screenshot
below, hovering over a “Shop Now” link purporting to be from a popular clothing
company reveals that the link in fact goes to a very suspicious-looking website. Note that
the visible text of a link and its real destination are independent: the text can read as the
company’s own address while the link points somewhere else entirely.
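The hover check described in the footnote, together with the From/Reply-To signs from the list above, can be automated for an email you already have saved as a file. The following Python script is an added example written for this edition, not code from the original book. It parses a raw email, flags a Reply-To at one of the personal webmail domains the list names, a Reply-To domain that differs from the sender’s domain, links whose visible text names one domain while the real target is another, and links that lead away from the sender’s domain. The two sample messages, and every domain in them, are constructed for illustration (they use the reserved .example top-level domain); the two-label approximation of a “registrable domain” is a simplification noted in the code.

```python
"""Automated checks for three phishing signs from this chapter: a Reply-To at a
personal webmail domain, a Reply-To domain that differs from the sender, and
links whose visible text or real target disagrees with the claimed sender.
Added example, not code from the original book; sample messages are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Consumer webmail domains the chapter lists as suspicious Reply-To targets.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "aol.com", "yahoo.com", "btinternet.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels. Simplification:
    a production checker would consult the Public Suffix List (e.g. for .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL; a bare domain in link text is treated as an http:// URL."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def looks_like_domain(text):
    """True if link text is itself a URL or domain (e.g. 'www.bank.example')."""
    return bool(text) and "." in text and not any(ch.isspace() for ch in text)


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = registrable_domain(sender.domain) if sender else ""

    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if reply_to:
        rt_domain = registrable_domain(reply_to.domain)
        if rt_domain in PERSONAL_MAIL_DOMAINS:
            findings.append(f"Reply-To is a personal webmail address: {reply_to.addr_spec}")
        elif rt_domain != sender_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from sender domain {sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = registrable_domain(host_of(href))
            if not target:
                continue  # empty or non-http href (e.g. mailto:); nothing to compare
            shown = registrable_domain(host_of(text)) if looks_like_domain(text) else ""
            if shown and shown != target:
                # The trick the footnote describes: the text names one site, the href another.
                findings.append(f"link text shows {shown} but points to {target}")
            elif target != sender_domain:
                findings.append(f"link '{text}' leads off the sender's domain to {target}")
    return findings


# Constructed samples: fictitious companies under the reserved .example TLD.
PHISHING_EMAIL = """\
From: "Acme Clothing Customer Care" <care@acme-clothing.example>
Reply-To: acme.support.team@gmail.com
To: victim@example.net
Subject: Your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, act now to keep your account open.</p>
<p><a href="http://acme-clothing.example.account-verify.example/login">https://www.acme-clothing.example/account</a></p>
<p><a href="http://shop-now-deals.example/sale">Shop Now</a></p>
</body></html>
"""

LEGITIMATE_EMAIL = """\
From: "Acme Clothing" <news@acme-clothing.example>
To: victim@example.net
Subject: New arrivals
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.acme-clothing.example/new">See what is new</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(f"{label}: {analyze(raw) or ['no findings']}")
```

Run against the phishing sample, the script reports the Gmail Reply-To, the first link (whose text reads as the real company’s address but whose hostname only begins with it, a common subdomain trick), and the off-domain “Shop Now” link; the legitimate sample produces no findings. These are indicators, not proof: a genuine company newsletter sent through a third-party mailing service will also trip the off-domain link check, which is exactly why the chapter says to verify through a channel you already trust rather than judging by the email alone.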

Some good strategies for dealing with phishing emails – and with junk mail/spam in general
– include:
• Don’t open emails that your email program has flagged as spam/junk, even
if you recognize the sender;
• Don’t open any attachments that are sent in such emails;
• Don’t respond to such emails.
Phone Calls
Social engineers often call their victims on the phone and pretend to represent a company or
organization that the victim has an established relationship with. They almost always sound
personable and cordial, but also speak with assurance and confidence.
The perpetrator may try to rattle the victim with warnings and threats, and thus alarm them
into taking a rash course of action. Or they may sound downright blasé or relaxed, so as to
lull the victim into a false sense of security.
It’s worth noting that social engineers are not always direct in their questions. And so you
might feel that their questions are trivial or few in number. But this can be a common
strategy by social engineers. They might not ask you for a lot of information up-front. They
might slowly chip away at you with questions over a period of weeks or months, so as not to
arouse suspicion. Their goal is to slowly build a profile of your activity and social profile. And
usually they are in no big rush to do this, because they know that keeping you oblivious of
their goals is more effective than possibly alerting you that someone is trying to exploit you.
Do not be afraid to grill the caller with questions! But be careful not to give away or verify
any personal information they are asking about. If in doubt, hang up and follow the steps
listed under the Responding to Suspected Social Engineering Attempts section of this book.
Signs of an inbound social engineering phone call include:
• The call is not expected by you;
• The caller asks you to confirm sensitive information, such as passwords, driver’s
license numbers, National Insurance (NI) numbers, credit card information, or bank information;
• The caller asks probing questions about your account or lifestyle;
• The caller is vague or evasive in responding to any questions you ask;
• The caller outright refuses to explain why they are calling;
• The caller tries to flatter you by telling you that you have won a prize or are
needed for an important or secret project.
Letters and Faxes
The use of faxes and postal letters for social engineering has slowly diminished over the
years. But they are still sometimes used by social engineers as a way to manipulate you into
something you will regret.
Many of the same warning signs apply here as with social engineering emails:
• They try to instill a false sense of urgency, or fear-monger, to coerce the reader
into rash actions;
• They try to entice you into responding by telling you that you have won a prize;
• They urge you to contact a company you have an established relationship with
via a suspicious-looking website, email address, or phone number;
• The letter comes from outside the country, or from a location that does not seem
to fit with the purported company;
• The letter comes from a company you have never heard of;
• The paper stock is poor quality;
• The letter contains typos, grammatical errors, or poorly-formed sentences;
• The letter contains a skewed, distorted, or poor-quality company logo in its
header.
Reacting to Social Engineering
It’s also worth noting that a social engineer might try to make their attack seem more
authoritative by combining multiple forms of media. For example, they might send an email
and then call you. Or they might send a letter and then call you. So don’t assume that just
because an individual claiming to represent a company communicates with you in multiple
ways that it is necessarily legitimate.
Ultimately, if you are suspicious in the slightest that a communication might be an attempt at
social engineering, follow the steps below:
1. Hang up, or do not respond to the communication.
2. Look up a customer service number for the company on a form of media you
know is legitimate. You can use an old statement that you are confident was
valid; or you can open your browser and go to the company’s website (either via
a search engine, clicking on one of the first non-advertisement results, or by hand-typing
the address into the address bar), rather than following a link that was sent
to you.
3. Contact the company at the verified phone number and ask them to confirm that they
contacted you recently, or to confirm the story the original caller told you.
Post-Hack Advice
If you do become the victim of a social engineering hack or data breach – in other words if
you believe a social engineer may have gained access to your financial assets or other
sensitive information – it’s important to realize that it is not a sign of naivete or stupidity. It
can happen to anyone, regardless of how tech savvy or vigilant you are.
The important thing is to put any embarrassment aside and take action immediately to gain
control over your information and assets. The first step to doing this is to report the breach to
the authorities.
• US-based users can report fraud and data breaches to one of several Federal
agencies and bureaus, depending on the scope and nature of the crime. More
information can be found at this website: https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime
• UK-based users can report fraud and data breaches to Action Fraud, the National Fraud &
Cyber Crime Reporting Centre. Their relevant web page is:
https://actionfraud.police.uk/report-a-fraud-including-online-crime
• Canada-based users can report fraud and data breaches to the Canadian Anti-Fraud
Centre. Their relevant web page is: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm
The longer you wait, the less likely you are to get any losses back, and the greater the
chances are for your other online accounts to be compromised.
Here are some steps to immediately take if you believe you have been hacked by social
engineers:
• Immediately report the suspected hack to any of your banks, credit card
companies, or other financial institutions that you think may have been impacted.
They will probably have you close any existing accounts and open new ones.
• Do not respond to any more emails from the parties who you believe have
hacked you.
• File a police report.
• Make sure your anti-malware software is up-to-date (by opening it via the system
tray icon in the bottom right corner of Windows), and run a full scan.
• Contact the national credit bureaus and have a temporary freeze put on your
profiles with them.
Combating Persistent Hack Attempts
If one or more of your accounts have been compromised more than once, you might find
that you are receiving an increasing number of suspicious emails.
Sadly, this can be an indication that your email address has found its way onto what is
referred to as a sucker’s list. Though the term “sucker’s list” predates the Internet by several
decades, it has found a new lease on life in the digital age.
Techie Term:
In the context of hackers, a Sucker’s List contains the information (for instance, email
addresses) of people who have fallen for a scam in the past and might be vulnerable to future
scams.
Ultimately, if you are receiving an increasing number of fraudulent emails (as outlined in
the Phishing section), it might be time to consider creating a whole new email account,
migrating all your legitimate contacts over to it, and abandoning the old account.
Section Review
Action Items:
• Be cautious about clicking on links or attachments in emails;
• Be suspicious of strangers with unbelievable offers or who try to pressure you;
• Verify any unusual requests from people claiming to represent a company;
• If you are hacked, report it to authorities and affected companies immediately.