Together, phishing and social engineering are by far the number one root-cause attack vector, and they have been around nearly since computers themselves were invented.
In the early 1980s, before the internet was the internet, I came across a text file that was named “HowtoGetAFreeHSTModem.” Back in the day, screaming fast, U.S. Robotic HST 9600-baud (!!) modems were highly coveted. I quickly opened the text file. It read, “Steal One!!”. “What a jerk,” I thought. Then I hit the escape key to close the text file.
The plaintext file contained invisible ANSI control codes that remapped my keyboard so that the next key I hit formatted my hard drive. Since then I’ve learned two things: One, if hackers can use text files to attack you, any digital content can be used. Two, anyone can be tricked by appropriately placed and messaged social engineering.
With that said, here are 10 signs of social engineering:
1. Asking for logon information
Easily the number one sign of social engineering is an email, website or phone call asking for your logon information. Once they have talked you out of your logon information, they use it against you, logging into your account, taking control, and taking some action against you or your organization. Google and Microsoft each fight millions of hijacked email accounts every single day.
One way to decrease the risk is to use multi-factor authentication (MFA) or a password manager. You can’t be phished out of a password you don’t have or don’t know.
Unfortunately, no MFA solution works everywhere and passwords will be with us for a long time, not to mention that every MFA solution can be hacked multiple ways. I know of more than 30 ways to hack MFA and it’s the subject of my next book.
Scammers are increasingly calling people on their cell phones to commit social engineering attacks. They call claiming to be from Microsoft having detected that your computer system is infected by a virus and they want to proactively help, or that your credit card/Paypal/bank account has been hacked. If you only provide your current logon information they will be glad to help you stop the hack. Not!!
If anyone, possibly including your IT guy, wants to know your logon information, be more than a little suspicious.
2. Asking you to execute content
Asking you to execute content is the next most common sign that you are being socially engineered. This could be from an email, visiting a website, or from a social media post. Emails send you to compromised websites. The compromised websites send you a popup message claiming you need to run such-and-such update to continue on the website.
Social media sites will claim to have an exciting or titillating video you just need to see (see examples below). When you try to run the video, it says you need to install some special piece of software (e.g., a video codec) to watch the video.
Roger Grimes
Be suspicious of requests to link to videos on social media
What you are executing or installing is malicious code, called a “dropper file,” that tries to take over your computer and then “dial home” to get additional malware and execution instructions. The dropper file is small and designed to self-update to avoid anti-malware detection.
3. Bad or suspicious URL
The next biggest sign of a phishing scam is a malicious-looking, look-alike or sound-alike internet domain name or Uniform Resource Locator (URL) that has nothing to do with the subject matter (see examples below).
Roger Grimes
Roger Grimes
Roger Grimes
Examples of suspicious URLs
You must teach yourself and anyone in your organization how to spot fake URL domains. Most internet browsers call out the real URL domain name by bolding it (see example below):
Roger Grimes
A bolded real URL
The URL domain name is www.amazon.com, and everything afterward points to content or media and is not part of the DNS domain name.
It’s crucial you teach everyone you know and love how to separate fake domains from the real domain URLs. For example, the next figure shows an email purporting to be from Apple tech support. The reply-to email address has the words “appleidicloudsupport” in it, but the domain attached to it is “entertainingworkshop.com.” Definitely not an Apple domain.
Roger Grimes
Definitely not an Apple domain
Teach people how to hover over a URL to reveal what it really is (beyond the easy-to-see display name). Unfortunately, many browsers and SMS clients on mobile devices, from which more and more people are consuming information, don’t always allow hovering (although more of them are just showing the real URL right from the start).
4. Stressor events
In almost all social engineering scenarios, online or over the phone, the attacker uses a “stressor event.” The stressor event is some pending emergency that if you don’t act right away and in the right way (according to them), then something bad will happen. Examples include:
- Provide your logon credentials or your account will be permanently locked.
- Run a (fake) software update or your stored content will be removed.
- Provide proof of ownership of your account/credit card/bank account information or it will be permanently closed.
- You’ve been detected and filmed surfing porn, which they will show to the world.
- A fine payment is needed immediately or you will be reported to the police and go to jail. (Who knew the IRS accepted WalMart gift cards as payment?)
- A payment that is immediately needed or a business deal will fall through.
Roger Grimes
Example of a stressor event
The idea is they want to give you less time to think when responding to a possibly suspicious request. A phone caller once claimed to my wife that I was kidnapped and being tortured, and they pretended to be me yelling in pain from the “torture.” I was surprised when I returned back from a short trip to the store to have my sobbing wife hug me as if I had escaped some terrible event. That one was scary because the caller must have seen me out of my house and knew my home phone number (back when we had such things.) These sorts of scams still routinely happen.
As soon as you see a stressor event, slow down, stop and think. Real-life stressor events rarely use excited language. For example, even if the IRS or police want you to pay something to avoid some worse outcome, usually the warnings come in such staid language that you could almost be forgiven for mistaking them for mass email marketing flyers.
5. Sender has two email addresses
Although it’s not a 100% guarantee, any email arriving with a different display address (RFC 5322) and return address (RFC 5321), is likely to be malicious (see example below).
Roger Grimes
Do the display and return email address domains match?
Having two different email addresses is a common phisher trick so they can present one email address (which looks legitimate) and another “real” email address to which the email really belongs. Legitimate marketing and support emails will sometimes do this, but in most cases, seeing two different email address on the sender line indicates maliciousness.
Also, look out for emails from someone you know when it comes from a new, strange, or unexpected email address. Phishers sometimes claim the CEO is emailing you from their home account, using a Gmail/Hotmail/Yahoo email address that has the CEO’s name in the sender line.
6. Change in banking or wiring instructions
Business email compromise (BEC) scams are a $26 billion problem and they are surpassing ransomware as the top social engineering scam. Most come in as fake invoices, often with requests to send the money to a new bank account or as an email to update existing bank wiring instructions. Some of the scammers break into a trusted third party whom you regularly pay, send you a change in wiring instructions, and then simply wait for you to pay the regularly scheduled invoice payment.
The victims often do not know of the scam for months until one of them prods the other about the unpaid, overdue balances. Any email, legitimate-looking or not, that requests a change in payment instructions should be immediately followed up by a phone call to the party supposedly requesting the change.
7. Uses wrong nickname or full name
This is a small hint, but it works. Many phishing scams have been caught simply because the receiver noticed that the sender used their full, formal name (e.g., William B. Montague), when they usually signed off their email with a nickname or shorter name (e.g. Bill). Or the person didn’t finish their email with their name when they usually do, or vice-versa. Or they didn’t put the person’s name at the beginning of the email when they normally do, or didn’t use the receiver’s informal nickname, etc. The idea is that the attacker often doesn’t know of the small informalities that usually accompany even pure business email. Take note of the little details. A deviation may save you a lot of headaches one day.
8. Can’t accept phone calls
Social engineering scammers often can’t accept phone calls from you to verify a request. They usually claim they can’t get to the phone, don’t have a useable phone where they are, aren’t allowed to use phones where they are, or some other excuse. The reason is they are usually a foreign person with a different accent than the person they are claiming to be.
This is particularly the case with romance and dating scams (which are always looking for money). They claim they can only use instant messaging for myriad reasons. For example, they are elite trained military embedded “in country” or on a top-secret mission. This is pretty funny, because although they can’t take a phone call, they can chat for several hours a day…and receive money you send to them using a variety of methods.
Be aware of any romantic interest who first approaches you, seems to have model-perfect beauty, and becomes overly intimate and falls in love with you in a matter of days. If it’s supposedly a US military person, ask them to send you an email on the military .mil account. All US military people have .mil email accounts and their use is tied to highly secure MFA smartcards (known as CAC cards), so scammers can’t use or get a .mil account. If someone claims to be from the US military but can’t send you an email from their .mil account (for any reason), run.
The next two signs of social engineering are specifically related to selling or buying items from an online site.
9. Buyer is too accommodating
Anyone new to buying and selling things online on a site designed for such things (e.g., Craigslist or eBay) may not know that these services are hotbeds for scam artists. Typically, they are among the earliest replies trying to buy your product or sell theirs to you. They don’t try to negotiate price and are more than willing to pay for any incidentals, shipping, taxes and whatever else they come up with. If they are selling or renting real estate, they are offering far below market prices, but can’t meet in person (they are usually out of the state or country on business).
There is no such thing as a free lunch, but there is such a thing as a deal too good to be true. If the buyer or seller is not only paying you full price (or offering you a steal deal on something they are selling), and bending over backwards in other ways that are beneficial to you, it’s probably a rip-off.
10. Force you to go “off-service”
Most online selling and auction sites are fully aware of the scam artists who target their sites and services. For that reason, they have built-in protections for buyers and sellers.
Because of these protections work, the scammers encourage or force victims to go “off service.” They usually claim that doing so will save the victim money. They recommend the victims use their “trusted escrow service” or trusted shipper. They say that instead of the victim using PayPal (“which charges a fee”), just let them send you a check that you can cash at your regular bank for no fee, and so on. Once the victim has gone off-service, the scammer can complete the rest of their crime with relative ease.
I read of a woman who was selling her truck. Instead of using the online service to sell the truck, the scammers offered to show up in person and pay in cash. The people showed, gave her a (small) cash deposit, and left their licenses with the victim. They drove off to “test drive” the vehicle and were never to be seen again. They got a $40,000 truck for $400. Of course, the licenses were fake. Not a bad day’s work if you can get it.
If someone attempts to move you off the service or site where you were intending to buy or sell something, be suspicious. Better yet, don’t follow the instructions or get involved.
These 10 signs of social engineering are among the most common ways criminals try to scam you. The common problem is that email, SMS and telephones are not well authenticated by default. Anyone can claim to be anyone on most services. More built-in, required authentication is coming. Until then, be skeptical of these signs and force anyone “accidentally” using one of these signs to prove that they are legit.