Recognise Social Engineering
We are a social species. Our brains are wired to make us trust and form connections with other people from the day we are born. While this is essential for our survival, it also means we can be tricked into doing things that aren’t in our best interests, like divulging confidential information. The practice of manipulating human psychology in this way is called social engineering.
Perpetrators of social engineering may contact people by phone, text message, email or social media to attempt their attacks. Often they aren’t targeting anyone in particular — they’ll dial numbers in turn, or send millions of emails to made-up addresses in the hope that enough of them get through. To be more efficient, they might use lists of working phone numbers and email addresses gathered from public sources, like a telephone directory, or exposed in data breaches (see Accept That Data Breaches Happen). It’s a matter of chance who responds and falls victim to the scam.
On the other hand, some scammers will carefully select their targets. If you are employed in a notable role within an organisation, or your organisation might be of particular interest to an outsider, it’s important to be aware of this practice and to be vigilant. An attacker will first conduct reconnaissance, gathering information they can use to make their efforts more likely to succeed. For example, they might use LinkedIn to find the name of your company’s IT director, then send you an email signed off with that name.
Bogus phone calls
In theory, attempts to defraud you by phone call are the easiest to recognise, for the simple reason that genuine companies almost never contact their customers this way — especially not unsolicited to request private information.
For example, if you receive an unexpected call and the caller says they’re from a big technology company like Microsoft or Apple and that your computer has a problem, you can be sure they are a scammer. Microsoft and Apple simply don’t call their customers like that. Similarly, the caller might pretend to be from your Internet provider, saying your router is faulty and perhaps trying to confuse you with technical terms. Their goal is to engage you in ‘fixing’ a problem that doesn’t exist and, in the process, having you pay them money or divulge private information.
Unfortunately, such scammers tend to be well rehearsed in making you think this is a special case; that on this particular occasion they really are who they claim to be. They are good at keeping you talking and gaining your trust, and they will make the situation sound urgent so you don’t have time to take a step back and start doubting their authority.
Sometimes, a scammer will get lucky by mentioning something that does seem to apply to you. For example, they’ll say they’ve noticed your broadband has been slow recently. Broadband speed problems aren’t uncommon so, often enough, they’ll be right. Or they might start with “You know those roadworks at the end of your street…”, and go on to say they’re from the utility company and want to compensate you for the inconvenience. There might well happen to be roadworks in your neighbourhood on the day the scammer calls!
Finally, scammers may ‘spoof’ their phone number to be that of a genuine organisation. The telephone system was not designed to guard against this sort of behaviour, and so it is possible that when you receive a scam call, the number displayed on your handset (or when checking 1471 in the UK, for example) is the real number of a company you trust. A scammer pretending to be from your bank might ask you to look on the back of your debit card where, sure enough, you’ll find the same phone number they appear to be calling from.
So, whenever you receive an unsolicited phone call about an apparent problem with one of your devices or accounts, or where the caller asks for private information, you should assume it is fraudulent. In the unlikely event you hang up on a genuine caller, you’ll find out sooner or later by other means. Additionally, a genuine caller shouldn’t be offended if you are initially doubtful and challenge their authenticity, or take steps to prove who you’re dealing with and that what they say is true.
Fraudulent attempts at getting you to divulge private information – like a password – via a message sent to your computer, tablet or smartphone are called phishing. It’s a play on the word fishing, and pronounced the same.
Phishing has traditionally been associated with email. The earliest users of the ARPANET, the precursor to the Internet, were military and academic institutions in the United States. The network comprised only these known and trusted organisations, so when email was invented in the 1970s it wasn’t made to be private or secure (other means existed for the military to communicate in secret). Yet the technology has survived largely unchanged into the twenty-first century — where simplicity, openness and the fact that it’s free remain email’s greatest strengths, but also leave it susceptible to abuse.
Beyond email, the growth in smartphone use has led to scammers conducting phishing via text message and platforms like WhatsApp. The principle is the same, and you should be aware of the possibility that official-looking communications you receive by almost any means might not be genuine.
There are a few things you can check to help determine the authenticity of an email or other electronic message.
Check the spelling and grammar
A common sign that a message is bogus is bad spelling or grammar. In the heat of the moment it can be easy to miss, but it’s often the most obvious clue, so take your time. Sometimes you’ll see particularly complex or unusual wording, which is a sign that the message has been translated from another language. Of course, a genuine sender may make a spelling mistake; and conversely, a scammer may write perfectly in your native language — so there’s no definitive rule here.
Check the From address
This check applies only to email. A simple email comprises a To address, From address, sender name, subject and body. While it’s possible for a scammer to spoof the From address to that of a genuine organisation, recent technological measures to combat this have made the practice unfavourable. This means that checking the From address can be a good way to spot a fake email. For example, an email from eBay is almost certainly going to have been sent from an address ending in ebay.com or a local equivalent like ebay.co.uk.
Unfortunately, many email apps hide the From address to begin with, showing only the sender name. The sender name is not helpful in determining the authenticity of an email, because it can be anything the sender chooses; it is not validated in any way. So, ignore the sender name, and learn how to reveal the From address in your email software — often by resting the mouse cursor over the name, or clicking or tapping it.
In summary, if the From address doesn’t match what you’d expect of the apparent sender, the email is bogus. But since spoofing is still possible, the reverse is not true: you cannot be certain that an email showing a sender address ending in paypal.com really is from PayPal.
Check where links take you
To complete the scam, phishing messages typically include a link to a web page on which you are requested to type the information the scammer desires. For example, you’ll get an email pretending to be from your energy supplier saying you’re owed a refund. When you click for details, you’re taken to a page made specially to look the same as the energy supplier’s website, with a box to type your password in order to claim the money. What actually happens is that the password is sent to the scammer. While they might not benefit from accessing your energy account, they’ll try the same password on more important sites, because many people reuse passwords.
So, being the victim of a phishing scam actually requires you to be tricked twice: first into believing a fake message is genuine, and second into typing private information into a fake web page. It doesn’t matter if you ‘fall for’ the message if you’re able to back out at the stage where you realise the resulting web page is fake. The best way to identify a fake web page is to check its address displayed in your browser (see Appendix: Understand URLs).
If you’re still in doubt, another option is to ignore the link in the suspect email and make your own way to the website in question — bypassing the possibility of a scammer leading you astray. Bookmarking sites you visit frequently is a good way to ensure you never end up on fake versions of the same.
Friends’ compromised accounts
Sometimes a scammer who has obtained the password to a victim’s email account will attempt to pull off a further, more elaborate con. There are many variations on this, so what follows is only an example.
The scammer will check the victim’s address book or, if they don’t use an address book, they’ll harvest email addresses from previously sent or received messages. They’ll then send out a message to these contacts saying something quite innocuous like “Are you online? I need a favour but my phone is broken at the moment.” Consider that to the recipients – many of whom will be friends, family or colleagues of the scammer’s victim – this will be indistinguishable from a genuine message. And since it contains no attachment or suspicious links, it’s unlikely to trigger any computer-based warning systems either.
Meanwhile, the scammer does two more bits of preparation. First, they create a free email account with an address similar to that of their victim. Second, they activate the option in the victim’s real account to redirect all incoming mail, specifying the new ‘imposter’ address to receive it instead.
When the victim’s friends start responding to the request for a favour, the messages don’t reach the victim — they are redirected to the scammer, who soon replies with a heartfelt plea: “I’m in hospital and need to get a present for my daughter’s birthday. Please buy a £50 gift card from a supermarket, scratch off the back, and email me the code. I’ll reimburse you, plus extra for your time, when I’m home.”
Because the scammer is now engaging with the victim’s friends directly from the imitation account, they can continue the conversation even after the victim has realised something is wrong and secured their own account.
Scams like this have become rife in recent years. It’s important to be wise to them, and not to expect that the shop or your bank will bail you out for what is technically a legitimate, voluntary purchase of a gift card.
The essence of the extortion scam is that you receive a message from a stranger who claims to have gathered embarrassing material about you by hacking your computer, like video recorded secretly via your webcam or knowledge of which websites you’ve visited. They threaten to publish the material to your family, friends or colleagues if you don’t make a payment. The sender does not have this material, and you can safely ignore or delete the message.
Note that one tactic employed by these scammers is to include real information about you in the email, like a password you really do use or have used in the past. They do this using information leaked in historic data breaches (see Accept That Data Breaches Happen) or information that’s publicly available. But the inclusion of real information about you in an unsolicited message should not make it more believable. You are not being personally targeted, and thousands of other people will have received an identical scam message — but containing their password.
That said, if you receive an extortion scam that mentions a password, and you recognise the password as one you still use, you should change it. But once again: the extortion threat itself is not real, so you can safely ignore or delete the message.
What you can do
- Be aware that the number shown on an incoming phone call might have been altered to match that of an organisation you trust.
- Hang up on unexpected callers purporting to offer help with your computer or requesting information about your accounts.
- Look out for bad spelling and grammar that can give away a bogus message.
- If you click a link in a suspect message, check the URL in your browser to see if it matches what you’d expect from the organisation that apparently sent it.
- If a suspicious message is an email, check its From address. This isn’t a perfect solution, because it can be spoofed, but most phishing messages can be identified by the fact that the From address doesn’t match the organisation named as the sender.
- If you receive a message from a friend’s email or social media account that asks for a favour like loaning money or help with some kind of transaction, it may actually be an imposter. Contact the friend via another means, like a phone call, to check whether they really did send the message.
- Don’t respond to messages, however frightening, from strangers claiming to have secretly recorded you or threatening to publicise sensitive information about you. They are not real — thousands of other people will have received the same message.