In Depth
Social Engineering: Eight Common Tactics
Stealing your company's 'hold' music, spoofing caller ID, pumping up penny stocks - social engineers blend old and new methods to grab passwords or profits. Being aware of their tricks is the first line of defense.
By Joan Goodchild, Senior Editor
3. Borrowing your 'hold' music
Successful scammers need time, persistence and patience, said Lifrieri. Attacks are often done slowly and methodically. The build-up includes not only collecting personal tidbits about people, but also collecting other "social cues" to build trust and even fool others into thinking the caller is an employee when they are not.
Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone.
"The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."
4. Phone-number spoofing
Criminals often use phone-number spoofing to make a different number show up on the target's caller ID.
"The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company," said Lifrieri.
Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes the call. And the crime is often undetectable afterward, because if you dial the number back, it goes to an internal company number.
5. Using the news against you
"Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams," said Dave Marcus, director of security research and communications for McAfee Avert Labs.
Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately.
"There have been a bunch of phishing attacks related to banks being bought by others," said Marcus. "The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.' It's an attempt to get you to release your information so they can log into your account to either steal your money or sell your information to someone else."
6. Abusing faith in social networking sites
Facebook, MySpace and LinkedIn are hugely popular social networking sites. And people have a lot of faith in them, according to Marcus. A recent spear-phishing incident targeted LinkedIn users, and the attack was surprising to many. Marcus said that, increasingly, social networking devotees are being fooled by emails that claim to be from sites like Facebook but are really from scammers.