Recognise Social Engineering

• People are naturally trusting, and vulnerable to deception and manipulation.
• Scammers may attempt to defraud you with a phone call, email, text — or just about any other form of communication.
• Sometimes a scammer will impersonate a colleague, friend or family member.

The human touch

We are a social species. Our brains are wired to make us trust and form connections with other people from the day we are born. While this is essential for our survival, it also means we can be tricked into doing things that aren’t in our best interests, like divulging confidential information. The practice of manipulating human psychology in this way is called social engineering.

Perpetrators of social engineering may contact people by phone, text message, email or social media to attempt their attacks. Often they aren’t targeting anyone in particular — they’ll dial numbers in turn, or send millions of emails in the hope that enough of them get through. To be more efficient, they might use lists of working phone numbers and email addresses gathered from public sources – like a telephone directory – or exposed in data breaches (see Accept That Data Breaches Happen). For the scammer, it’s a matter of chance who responds and falls victim.

On the other hand, some scammers will carefully select their targets. If you are employed in a notable role within an organisation, or your organisation might be of particular interest to an outsider, it’s important to be aware of this practice and to be vigilant. An attacker will first conduct reconnaissance, gathering information they can use to make their efforts more likely to succeed. For example, they might use LinkedIn to find the name of your company’s IT director, then send you an email signed off with that name.

Bogus phone calls

Companies almost never make unsolicited phone calls to their customers. So, in theory, it should be easy to avoid being defrauded this way.

Unfortunately, scammers can be well rehearsed in making you believe that their phone call to you is a special case: that on this particular occasion, they really are who they claim to be. They’re good at keeping you talking and gaining your trust, and will make the situation sound urgent so you don’t have time to take a step back and start doubting their authority.

Examples

Some common scams that begin with a phone call include:

• The caller says they’re from a well-known technology company, like Microsoft or Apple, and that your computer is at risk or has some other fault. After tricking you into allowing them remote access to your computer, they show you irrelevant errors and warnings to back up their false claim. In the end, they ask for money to put things right. To reiterate: Microsoft and Apple simply don’t call their customers like that; these calls are always bogus.
• The caller says they’re from your Internet provider, and that your connection is faulty or even that it’s been used illegally. They might try to overwhelm you with technical jargon. Again, none of what they say is true; and their goal is to have you pay for a ‘solution’ to a non-existant problem.
• The caller says they’re from Amazon. They say that your Prime membership is due for renewal, and that it’s a reduced price if you pay now over the phone. Or they say they’re investigating a fraudulent purchase on your account. The scammer’s goal might be to access your Amazon account and make a fraudulent purchase themselves.

Coincidences

Sometimes, a scammer will get lucky by mentioning something that does apply to you. For example:

• They’ll say they’ve noticed your broadband has been slow recently. Broadband faults aren’t uncommon, and people often think their connection ought to be faster, so this can make convincing bait for a scam.
• They’ll start with “You know those roadworks near your house…”, and go on to say they’re from the utility company and have been asked to compensate you for the inconvenience. There might well happen to be roadworks in your neighbourhood on the day the scammer calls!

Number spoofing

Scammers may ‘spoof’ their caller ID to be that of a genuine organisation. The telephone system was not designed to prevent this sort of behaviour, so it’s possible to receive a scam call that shows up as the number of a company you trust.

For example, a scammer pretending to be from your bank might ask you to look on the back of your debit card where, sure enough, you’ll find the same phone number they appear to be calling from.

Summary

Remember: whenever you receive an unsolicited phone call about a problem with one of your devices or accounts, or where the caller asks for private information, you should assume it’s a scam.

In the unlikely event you hang up on a genuine caller, you’ll find out sooner or later via other means. Equally, a genuine caller shouldn’t be offended if you’re initially doubtful and challenge their authenticity, or take steps to verify that what they’re saying is true.

Phishing

Fraudulent attempts at getting you to divulge private information via messages sent to your computer, tablet or smartphone are called phishing. It’s a play on the word fishing, and pronounced the same.

Phishing has traditionally been associated with email. The earliest users of the ARPANET, the precursor to the Internet, were military and academic institutions in the United States. The network comprised only these known and trusted organisations, so when email was invented in the 1970s it wasn’t made to be private or secure (the military had other means of communicating in secret). Yet the technology has survived largely unchanged into the twenty-first century; where simplicity, compatibility, and the fact that it’s free remain email’s greatest strengths — but also leave it susceptible to abuse.

Beyond email, the growth in smartphone use has led to scammers also conducting phishing via text messages and services like WhatsApp. In fact, you should be aware of the possibility that official-looking communications you receive by almost any means might not be genuine.

Examples

Phishing can take various forms. These are just some examples:

• You receive an email, apparently from Facebook, saying someone has tagged you in a picture. When you click to see it, you’re shown a page made specially to look like the Facebook login page, with a box to type your password. What actually happens is that your password is sent to the phisher, who works for the government of a country keen to spread harmful misinformation. They adopt your identity – your friendly face; your longstanding online reputation – to further their campaign.
• You receive a text message, apparently from the postal service, saying a delivery is on its way but the sender didn’t put enough stamps on. To get your parcel, you’re asked to tap a link to pay the difference. It’s a small amount, so you don’t give it much thought. But there was no such parcel. Your money has gone to a fraudster.
• You receive an email saying your subscription to a TV streaming service has renewed automatically. This is a surprise, because you no longer watch those channels — and thought you cancelled months ago. There’s a phone number to call, and you give your payment card details for a refund. But the email was bogus, and so is the call centre. Some scammers make so much money that they can afford to operate a toll-free number, which victims may be more likely to trust.

There are a few things you can check to help determine the authenticity of an email, text or other electronic message.

Check the spelling and grammar

A scammer may not speak your language very well, and this can work in your favour: bad spelling or unusual grammar are common signs that a message is bogus. Sometimes you’ll see particularly complex or unusual phrases, which are a sign that the message has been translated automatically.

In the heat of the moment it can be easy to miss, but the wording of a message is often the most visible clue that it’s fraudulent. So, when in doubt, take your time.

Of course, some scammers will write perfectly in your native language; and conversely, a genuine sender might make a mistake! So, there’s no definitive rule here.

Check the From address

This applies only to email. Consider that an email includes a To address, From address, sender name, subject and body.

The From address is of particular interest, but many email apps hide it to begin with, showing only the sender name. The name is not helpful in determining the authenticity of an email, because it can be anything the sender chooses. So, learn where to find the From address in your email software — often by resting the mouse cursor over the sender name, or clicking or tapping it.

An unusual From address is usually a clear giveaway of a fraudulent email. For example, an email from eBay is almost certainly going to come from an address ending in ebay.com or a local equivalent like ebay.co.uk. If the From address shows otherwise, there’s a good chance the message is bogus.

Sadly, the reverse is not true. Because ‘spoofing’ is possible, you cannot be certain that (for example) an email showing a From address ending in paypal.com really is from PayPal. That said, technological measures to combat spoofing have made the practice unfavourable — good email providers are now highly likely to filter such messages as junk.

Check where links take you

To complete the scam, phishing messages typically include a link to a web page on which you are asked to enter the information the scammer desires. In other words, being the victim of a phishing scam actually requires you to be tricked twice: first into believing a fake message is genuine, and second into giving away private information.

Consider, then, that it doesn’t matter if you ‘fall for’ a fake message if you’re able to back out at the stage where you realise the resulting web page is fake. The email might have been perfectly written, and you might have missed the slight misspelling in the From address, but now that you’ve clicked the link you can make arguably the most reliable check of all: the address displayed in your browser. For the knowledge you need here, see Appendix: Understand URLs.

Visit the website directly

If you’re still in doubt, a foolproof option is to ignore the link in the suspect message and make your own way to the website in question. If you really have been sent that money on PayPal or tagged in that Facebook photo, you can find out directly — bypassing the possibility of a scammer leading you astray.

As a bonus, bookmark important sites to ensure you never end up on fake versions of the same.

Friends’ compromised accounts

Sometimes a scammer will gain access to a person’s email account in order to pull off a somewhat more elaborate fraud. This section describes a common example known as the gift card scam. To make it easier to follow, we’ll give the initial victim a name: Joe.

A scammer has broken into Joe’s account, most likely by tricking him into disclosing his password with a [phishing message]. The scammer gathers email addresses known to Joe, either from his contacts list or by harvesting recipients from his previously sent emails.

Next, the scammer sends out a brief, innocuous message to these contacts – possibly hundreds of people – saying something like:

• “Are you available?”
• “I wonder if you could help me with a favour.”

Consider that the recipients – most of whom will be Joe’s friends, family or colleagues – may find this indistinguishable from a genuine message. Even if the writing style or the nature of the request is out of character, the human desire to help a person in need is stronger.

Furthermore, since this is a simple email – with no attachments or suspicious links – it’s unlikely to trigger any technological warning systems either.

The scammer might also try to deter recipients from replying by phone:

• “I can’t call because my phone is broken.”
• “Please email. I have laryngitis so it hurts to talk at the moment.”

Meanwhile, the scammer does some further preparation. They open a new, free email account with an address similar to Joe’s. Then they activate the option in Joe’s account to redirect all incoming mail to this new address.

When people start responding to the request for a favour, the messages don’t reach Joe — they’re forwarded to the scammer, who replies to them individually with a heartfelt plea:

• “I’m in hospital and need to get a present for my daughter’s birthday. Would you mind popping to the supermarket for a PlayStation gift card, and sending me a picture of the code? I’ll reimburse you when I’m home.”
• “I’ve had my wallet stolen. I need to buy some things, but my replacement bank card won’t arrive till next week. Please could you buy an Amazon gift card and let me know the code to redeem it?”

The scammer is now engaging with these people directly from the new email address they set up to impersonate Joe. Even after Joe secures his account (see Appendix: Secure a Compromised Account) and turns off the mail redirection, the scammer can continue.

They redeem the gift card and spend it immediately, buying merchandise to sell on. The victim’s money has been quickly and effectively laundered!

Scams like this have become rife in recent years. It’s important to be wise to them, and not expect that your bank will bail you out.

Extortion scams

The essence of the extortion scam is that you receive a message from a stranger who claims to have gathered embarrassing material about you by hacking your computer, like video recorded secretly via your webcam or knowledge of which websites you’ve visited. They threaten to publish the material to your family, friends or colleagues if you don’t make a payment. The sender does not have this material, and you can safely ignore or delete the message.

Note that one tactic employed by these scammers is to include real information about you in the email, like a password you really do use or have used in the past. They do this using information leaked in historic data breaches (see Accept That Data Breaches Happen) or information that’s publicly available. But the inclusion of real information about you in an unsolicited message should not make it more believable. You are not being personally targeted, and thousands of other people will have received an identical scam message — but containing their password.

That said, if you receive an extortion scam that mentions a password, and you recognise the password as one you still use, you should change it. But once again: the extortion threat itself is not real, so you can safely ignore or delete the message.

What you can do

• Be aware that the number shown on an incoming phone call might have been altered to match that of an organisation you trust.
• Hang up on unexpected callers purporting to offer help with your computer or requesting information about your accounts.
• Look out for bad spelling and grammar that can give away a bogus message.
• If you click a link in a suspect message, check the URL in your browser to see if it matches what you’d expect from the organisation that apparently sent it.
• If a suspicious message is an email, check its From address. This isn’t a perfect solution, because it can be spoofed, but most phishing messages can be identified by the fact that the From address doesn’t match the organisation named as the sender.
• If you receive a message from a friend’s email or social media account that asks for a favour like loaning money or help with some kind of transaction, it may actually be an imposter. Contact the friend via another means, like a phone call, to check whether they really did send the message.
• Don’t respond to messages, however frightening, from strangers claiming to have secretly recorded you or threatening to publicise sensitive information about you. They are not real — thousands of other people will have received the same message.