‘Social engineering’ demystified
The operators behind two recent suspicious email campaigns are looking to trick recipients into doing something that provides them with a financial reward
As an internet user, you may have heard the term ‘social engineering’ used to describe methods designed to trick you into doing something. Social engineering is one of the most successful methods criminals use.
It could be a convincing phishing email asking you to urgently log in to your internet banking account, or an out-of-the-blue request from a company executive to urgently process a high-value payment.
How does social engineering work?
Humans are hard-wired to want to help others. This is why various scams work, and why it’s important to raise awareness of the various techniques and invest in staff training.
How can you identify a social engineering attempt?
Below are two anonymised reports made to Netsafe that help you identify a social engineering attempt.
Case Study One: The legal ‘cease and desist’ email
An educator receives an email from a US law firm stating that copyrighted material has been used without the permission of their client in a class presentation.
The lengthy email is threatening in tone and packed full of allegations about an unspecified event. It serves as a ‘cease and desist’ notification, claiming that harm is being caused and that financial penalties may be demanded if the request is not complied with immediately.
The email carries a file attachment that promises further information on the copyright infringement.
Most people receiving a legal threat of this nature would want to know more about the allegations. But open the attachment and your computer system could become infected with ransomware.
The lesson: No matter how threatening an unexpected message may sound, take the time to think and don’t open the attachment.
A quick internet search of the email domain above revealed that those behind the message were trading off the name of a legitimate US law firm. But looking carefully, the sending address (for example: @big-uslawfirm.com) didn’t match the genuine company website address (for example: www.biguslawfirm.com).
Beyond the extra hyphen, a quick check of the domain registration record showed that the domain the message was sent from had only been purchased two weeks ago. Scanning the attachment also flagged the file as malicious.
The solution: Be cautious about unexpected emails carrying attachments – in this case a .zip file. Look for an email provider or security solution that will pre-filter suspicious or malicious emails so people are not given the opportunity to open the file and infect their device. You should quarantine suspect emails and ensure everyone is aware of the kind of social engineering attacks they may be exposed to.
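The three checks from this case study (a sender domain that nearly matches the genuine one, a recently registered domain, and a .zip attachment) can be combined into a simple quarantine rule. The Python below is an added example, not Netsafe's code; the function names, the 30-day threshold, the dates and the file name are assumptions, and the registration date is expected to come from a separate WHOIS/RDAP lookup.

```python
from datetime import date
from email.utils import parseaddr

RISKY_EXTENSIONS = (".zip",)   # attachment type seen in the case study
NEW_DOMAIN_DAYS = 30           # assumed threshold; the case domain was two weeks old

def normalise(domain):
    """Lower-case and drop a leading 'www.' so web and mail domains compare."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def edit_distance(a, b):
    """Levenshtein distance: catches one or two added or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(from_header, genuine_domain, registered_on, today, attachments):
    """Return the reasons to quarantine a message; an empty list means none."""
    reasons = []
    sender = normalise(parseaddr(from_header)[1].rpartition("@")[2])
    genuine = normalise(genuine_domain)
    if sender != genuine:
        same_without_hyphens = sender.replace("-", "") == genuine.replace("-", "")
        if same_without_hyphens or edit_distance(sender, genuine) <= 2:
            reasons.append("lookalike-domain")
    # registered_on comes from a WHOIS/RDAP lookup done elsewhere (None if unknown)
    if registered_on is not None and (today - registered_on).days < NEW_DOMAIN_DAYS:
        reasons.append("newly-registered-domain")
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in attachments):
        reasons.append("archive-attachment")
    return reasons

# Constructed sample modelled on the case study; dates and file name are made up.
SUSPECT = triage("Legal Dept <notices@big-uslawfirm.com>", "www.biguslawfirm.com",
                 date(2024, 1, 1), date(2024, 1, 15), ["infringement-details.zip"])
GENUINE = triage("Partner <partner@biguslawfirm.com>", "www.biguslawfirm.com",
                 date(2005, 6, 1), date(2024, 1, 15), [])

if __name__ == "__main__":
    print(SUSPECT)
    print(GENUINE)
```

A message from a wholly unrelated domain is not reported as a lookalike; the rule only fires when the sender is close to, but not the same as, the domain it appears to imitate.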
Case Study Two: Do you take credit card payments?
A company selling telecom services receives a brief email from a possible new customer:
Hello,
This is Raymond,I have just moved into the area,and i want a new Telephone installation systems in my just acquired 3 bedroom and my living room.So i require your services for the Telephone system installation.Also i would like to know if you accept credit card for payment..Reply me if you are available for the work.
Thanks
Raymond
The grammar is poor, but as the enquiry might result in a sale it received a response. The next reply tugs at the heartstrings and shows the angle being used to manipulate the company representative:
I am hearing impaired and I am at the hospital at the moment and i am ready to undergo a double cochlear implants surgery for my impairment in some very few days,so this is the best way to communicate.I would love to have a PABX type system with a phone in each room that I can make intercom calls to the other rooms and access the phone line/s for incoming or outgoing calls.I will be very glad to have you in for the inspection in other to give me a proper quote,The Removals Company will be coming with my keys when they are bringing in the Electronics as they are helping me move in my house furniture and all belongings from my former apartment to my new home,though they shall be stored in the garage on that day.
This sets the scene for the follow-up message from ‘Raymond’ that describes how the scam will work to his advantage. In effect: I will pay you your costs, can you please help me with paying the other company?
Also I would be grateful if you can render me a favour,because i have not paid the removals bringing in my belongings due to that they do not have a credit card facilities for payment and due to my present condition beyond my reasonable control,it won’t be convenient for me to pay via other method that is why i really need you to assist me.
I would like you to charge $3450.00 on my credit card today,then you can take out $1000 as your upfront and have the $2450.00 send to the removals via bank deposit for them to be able to move properties to my house asap.After meeting with them on the site you can do proper inspection and go ahead with installation.
I so much wish to pay them directly but I am at the hospital right now and will undergo a surgery soon for my hear disabilities and I will want everything in place in my new house before I am discharge because i will be leaving to my new house to have a good home rest and continue with my post surgery treatment.
“I am at the hospital right now” is the lure – please can you help me? The poor English and odd request raise suspicions and all communication ceases.
The lesson: The scammer is trying to trick the business into accepting payment (most likely with a stolen credit card) in the hope they will funnel the extra cash to a bank account supposedly used by the removal company. In many cases, even though an NZ bank account provided for the transfer doesn’t raise a red flag, this account actually belongs to a ‘money mule’ unwittingly recruited as a ‘payments processor’ to launder the cash and send payments offshore to the gang behind the emails.
The solution: Be cautious about any request to go above and beyond in the sales process. Sending cash to a third party could leave you liable for the full credit card payment and seriously out of pocket. Establish policies that make it clear you do not send extra cash by bank payment or money transfer no matter how desperate a potential customer is for your help.
Report a scam
Help if you have been scammed or think you are about to be scammed: Netsafe can’t open investigations or track scammers, but we can offer support and advice for people who have lost money in a scam, or think they are about to. This includes letting you know the steps you can take depending on the scam you’re in and giving you advice about how to stay safe in future. You can report a scam to www.netsafe.org.nz/report.
Our help service is open from 8am – 8pm Monday to Friday and 9am – 5pm on weekends.