Together, phishing and social engineering are by far the number one root-cause attack vector, and they have been around nearly since computers themselves were invented.

In the early 1980s, before the internet was the internet, I came across a text file named “HowtoGetAFreeHSTModem.” Back in the day, screaming fast U.S. Robotics HST 9600-baud (!!) modems were highly coveted. I quickly opened the text file. It read, “Steal One!!” “What a jerk,” I thought. Then I hit the escape key to close the text file.

The plaintext file contained invisible ANSI control codes that remapped my keyboard so that the next key I hit formatted my hard drive. Since then I’ve learned two things: One, if hackers can use text files to attack you, any digital content can be used. Two, anyone can be tricked by appropriately placed and messaged social engineering.

With that said, here are 10 signs of social engineering:

1. Asking for logon information

Easily the number one sign of social engineering is an email, website or phone call asking for your logon information. Once they have talked you out of your logon information, they use it against you, logging into your account, taking control, and taking some action against you or your organization. Google and Microsoft each fight millions of hijacked email accounts every single day.

One way to decrease the risk is to use multi-factor authentication (MFA) or a password manager. You can’t be phished out of a password you don’t have or don’t know.

Unfortunately, no MFA solution works everywhere and passwords will be with us for a long time, not to mention that every MFA solution can be hacked multiple ways. I know of more than 30 ways to hack MFA and it’s the subject of my next book.

Scammers are increasingly calling people on their cell phones to commit social engineering attacks.
They call claiming to be from Microsoft, having detected that your computer system is infected by a virus and they want to proactively help, or that your credit card/PayPal/bank account has been hacked. If you only provide your current logon information, they will be glad to help you stop the hack. Not!!

If anyone, possibly including your IT guy, wants to know your logon information, be more than a little suspicious.

2. Asking you to execute content

Asking you to execute content is the next most common sign that you are being socially engineered. This could be from an email, visiting a website, or from a social media post. Emails send you to compromised websites. The compromised websites send you a popup message claiming you need to run such-and-such update to continue on the website.

Social media sites will claim to have an exciting or titillating video you just need to see (see examples below). When you try to run the video, it says you need to install some special piece of software (e.g., a video codec) to watch the video.

[Figure (Roger Grimes): Be suspicious of requests to link to videos on social media]

What you are executing or installing is malicious code, called a “dropper file,” that tries to take over your computer and then “dial home” to get additional malware and execution instructions. The dropper file is small and designed to self-update to avoid anti-malware detection.

3. Bad or suspicious URL

The next biggest sign of a phishing scam is a malicious-looking, look-alike or sound-alike internet domain name or Uniform Resource Locator (URL) that has nothing to do with the subject matter (see examples below).

[Figures (Roger Grimes): Examples of suspicious URLs]

You must teach yourself and anyone in your organization how to spot fake URL domains.
Most internet browsers call out the real URL domain name by bolding it (see example below):

[Figure (Roger Grimes): A bolded real URL]

The URL domain name is www.amazon.com, and everything afterward points to content or media and is not part of the DNS domain name.

It’s crucial you teach everyone you know and love how to separate fake domains from the real domain URLs. For example, the next figure shows an email purporting to be from Apple tech support. The reply-to email address has the words “appleidicloudsupport” in it, but the domain attached to it is “entertainingworkshop.com.” Definitely not an Apple domain.

[Figure (Roger Grimes): Definitely not an Apple domain]

Teach people how to hover over a URL to reveal what it really is (beyond the easy-to-see display name). Unfortunately, many browsers and SMS clients on mobile devices, from which more and more people are consuming information, don’t always allow hovering (although more of them are just showing the real URL right from the start).

4. Stressor events

In almost all social engineering scenarios, online or over the phone, the attacker uses a “stressor event.” The stressor event is some pending emergency: if you don’t act right away and in the right way (according to them), then something bad will happen. Examples include:

- Provide your logon credentials or your account will be permanently locked.
- Run a (fake) software update or your stored content will be removed.
- Provide proof of ownership of your account/credit card/bank account information or it will be permanently closed.
- You’ve been detected and filmed surfing porn, which they will show to the world.
- A fine payment is needed immediately or you will be reported to the police and go to jail. (Who knew the IRS accepted Walmart gift cards as payment?)
- A payment is immediately needed or a business deal will fall through.
[Figure (Roger Grimes): Example of a stressor event]

The idea is they want to give you less time to think when responding to a possibly suspicious request. A phone caller once claimed to my wife that I was kidnapped and being tortured, and they pretended to be me yelling in pain from the “torture.” I was surprised when I returned from a short trip to the store to have my sobbing wife hug me as if I had escaped some terrible event. That one was scary because the caller must have seen me out of my house and knew my home phone number (back when we had such things). These sorts of scams still routinely happen.

As soon as you see a stressor event, slow down, stop and think. Real-life stressor events rarely use excited language. For example, even if the IRS or police want you to pay something to avoid some worse outcome, usually the warnings come in such staid language that you could almost be forgiven for mistaking them for mass email marketing flyers.

5. Sender has two email addresses

Although it’s not a 100% guarantee, any email arriving with a different display address (RFC 5322) and return address (RFC 5321) is likely to be malicious (see example below).

[Figure (Roger Grimes): Do the display and return email address domains match?]

Having two different email addresses is a common phisher trick so they can present one email address (which looks legitimate) and another “real” email address to which the email really belongs. Legitimate marketing and support emails will sometimes do this, but in most cases, seeing two different email addresses on the sender line indicates maliciousness.

Also, look out for emails from someone you know when they come from a new, strange, or unexpected email address. Phishers sometimes claim the CEO is emailing you from their home account, using a Gmail/Hotmail/Yahoo email address that has the CEO’s name in the sender line.
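As an added illustration of signs 3 and 5 (example code written for this edit, not the author's own), the following Python shows how a mail client or filter could separate the DNS name a link really resolves to from the brand name the link merely displays, and how it could compare the From (RFC 5322), Return-Path (RFC 5321) and Reply-To domains of a message. Every URL, address and message in it is constructed; the two-label "registrable domain" rule is a simplification noted in the comments.

```python
"""Added example (not from the article): extract the DNS name that a link
really resolves to, and compare the display (RFC 5322 From) domain of a
message with its return (RFC 5321 Return-Path) and Reply-To domains.
Every URL and message below is constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Collapse a host to its last two labels ('www.amazon.com' -> 'amazon.com').
    Assumption: a two-label rule is enough here; production code should use
    the Public Suffix List so that names like 'example.co.uk' work too."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():      # bare IPv4 literal: keep it whole
        return host
    return ".".join(host.split(".")[-2:])


def url_domain(url: str) -> str:
    """The name that actually gets resolved: the host part between the scheme
    and the first '/'. Userinfo ('amazon.com@...'), the path and the query
    string are never part of it, which is exactly where look-alike links hide
    the trusted brand name."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def url_borrows_brand(url: str, brand_domain: str) -> bool:
    """True when the URL shows brand_domain somewhere (subdomain, userinfo,
    path or query) but resolves to a different registrable domain."""
    brand_domain = brand_domain.lower()
    return (brand_domain in url.lower()
            and registrable_domain(url_domain(url)) != brand_domain)


def address_domain(header_value: str) -> str:
    """Domain of the address inside a header, ignoring the display name."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def sender_domains(raw_message: str) -> Dict[str, str]:
    """Registrable domain of each sender-related header that is present."""
    msg = message_from_string(raw_message)
    found = {}
    for hdr in ("From", "Return-Path", "Reply-To"):
        value = msg.get(hdr)
        if value:
            found[hdr] = registrable_domain(address_domain(value))
    return found


def sender_domains_match(raw_message: str) -> Optional[bool]:
    """None if there is nothing to compare, True if all present sender
    headers share one registrable domain, False otherwise. A False result is
    a strong hint, not proof: some legitimate bulk mailers also split them."""
    doms = sender_domains(raw_message)
    if "From" not in doms or len(doms) < 2:
        return None
    return len(set(doms.values())) == 1


# Constructed samples (documentation-only names and addresses).
LEGIT_URL = "https://www.amazon.com/dp/B000000000"
LOOKALIKE_SUBDOMAIN = "http://www.amazon.com.account-verify.example/login"
USERINFO_TRICK = "http://amazon.com@203.0.113.5/signin"
QUERY_TRICK = "https://secure-login.example/?site=www.amazon.com"

PHISH_MESSAGE = """\
From: "Apple Support" <support@apple.example>
Return-Path: <bounce-1234@mailer-42.example>
Reply-To: appleidicloudsupport@entertaining-site.example
Subject: Your Apple ID has been locked

Confirm your password within 24 hours or the account will be closed.
"""

LEGIT_MESSAGE = """\
From: "Vendor Billing" <billing@vendor.example>
Return-Path: <bounces@vendor.example>
Subject: Invoice 1001

Thanks for your business.
"""

if __name__ == "__main__":
    for u in (LEGIT_URL, LOOKALIKE_SUBDOMAIN, USERINFO_TRICK, QUERY_TRICK):
        print(f"{u}\n  resolves to: {url_domain(u)}  "
              f"borrows 'amazon.com': {url_borrows_brand(u, 'amazon.com')}")
    print("phish headers:", sender_domains(PHISH_MESSAGE),
          "match:", sender_domains_match(PHISH_MESSAGE))
    print("legit headers:", sender_domains(LEGIT_MESSAGE),
          "match:", sender_domains_match(LEGIT_MESSAGE))
```

Run it directly and the three trick URLs are reported as resolving to account-verify.example, 203.0.113.5 and secure-login.example even though each contains "amazon.com" somewhere in its text, which is the point the bolded-domain figure makes; the phishing message is flagged because its From, Return-Path and Reply-To headers land in three different domains, while the vendor invoice passes. Treat a mismatch as a reason to look closer, not as an automatic verdict, since the article notes that some legitimate marketing and support mail also splits these addresses.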
6. Change in banking or wiring instructions

Business email compromise (BEC) scams are a $26 billion problem and they are surpassing ransomware as the top social engineering scam. Most come in as fake invoices, often with requests to send the money to a new bank account, or as an email to update existing bank wiring instructions. Some of the scammers break into a trusted third party whom you regularly pay, send you a change in wiring instructions, and then simply wait for you to pay the regularly scheduled invoice payment.

The victims often do not know of the scam for months, until one of them prods the other about the unpaid, overdue balances. Any email, legitimate-looking or not, that requests a change in payment instructions should be immediately followed up by a phone call to the party supposedly requesting the change.

7. Uses wrong nickname or full name

This is a small hint, but it works. Many phishing scams have been caught simply because the receiver noticed that the sender used their full, formal name (e.g., William B. Montague) when they usually signed off their email with a nickname or shorter name (e.g., Bill). Or the person didn’t finish their email with their name when they usually do, or vice versa. Or they didn’t put the person’s name at the beginning of the email when they normally do, or didn’t use the receiver’s informal nickname, etc. The idea is that the attacker often doesn’t know of the small informalities that usually accompany even pure business email. Take note of the little details. A deviation may save you a lot of headaches one day.

8. Can’t accept phone calls

Social engineering scammers often can’t accept phone calls from you to verify a request. They usually claim they can’t get to the phone, don’t have a usable phone where they are, aren’t allowed to use phones where they are, or some other excuse.
The reason is they are usually a foreign person with a different accent than the person they are claiming to be.

This is particularly the case with romance and dating scams (which are always looking for money). They claim they can only use instant messaging for myriad reasons. For example, they are elite trained military embedded “in country” or on a top-secret mission. This is pretty funny, because although they can’t take a phone call, they can chat for several hours a day…and receive money you send to them using a variety of methods.

Be aware of any romantic interest who first approaches you, seems to have model-perfect beauty, and becomes overly intimate and falls in love with you in a matter of days. If it’s supposedly a US military person, ask them to send you an email from their military .mil account. All US military people have .mil email accounts and their use is tied to highly secure MFA smartcards (known as CAC cards), so scammers can’t use or get a .mil account. If someone claims to be from the US military but can’t send you an email from their .mil account (for any reason), run.

The next two signs of social engineering are specifically related to selling or buying items on an online site.

9. Buyer is too accommodating

Anyone new to buying and selling things online on a site designed for such things (e.g., Craigslist or eBay) may not know that these services are hotbeds for scam artists. Typically, scammers are among the earliest replies trying to buy your product or sell theirs to you. They don’t try to negotiate price and are more than willing to pay for any incidentals, shipping, taxes and whatever else they come up with. If they are selling or renting real estate, they are offering far below market prices, but can’t meet in person (they are usually out of the state or country on business).

There is no such thing as a free lunch, but there is such a thing as a deal too good to be true.
If the buyer or seller is not only paying you full price (or offering you a steal of a deal on something they are selling), but also bending over backwards in other ways that are beneficial to you, it’s probably a rip-off.

10. Force you to go “off-service”

Most online selling and auction sites are fully aware of the scam artists who target their sites and services. For that reason, they have built-in protections for buyers and sellers.

Because these protections work, the scammers encourage or force victims to go “off service.” They usually claim that doing so will save the victim money. They recommend the victims use their “trusted escrow service” or trusted shipper. They say that instead of the victim using PayPal (“which charges a fee”), just let them send you a check that you can cash at your regular bank for no fee, and so on. Once the victim has gone off-service, the scammer can complete the rest of their crime with relative ease.

I read of a woman who was selling her truck. Instead of using the online service to sell the truck, the scammers offered to show up in person and pay in cash. The people showed, gave her a (small) cash deposit, and left their licenses with the victim. They drove off to “test drive” the vehicle and were never seen again. They got a $40,000 truck for $400. Of course, the licenses were fake. Not a bad day’s work if you can get it.

If someone attempts to move you off the service or site where you were intending to buy or sell something, be suspicious. Better yet, don’t follow the instructions or get involved.

These 10 signs of social engineering are among the most common ways criminals try to scam you. The common problem is that email, SMS and telephones are not well authenticated by default. Anyone can claim to be anyone on most services. More built-in, required authentication is coming.
Until then, be skeptical of these signs and force anyone “accidentally” using one of these signs to prove that they are legit.