Does this sound familiar?
Dear Beloved Friend,
I am BakaraTunda, Prince of Nigeria. And I am in need of your help…
Hopefully, though, you have never had to read further than those first few sentences. This is the beginning of what is known as the “Nigerian Prince” scam, so named because it has historically involved someone posing as a Nigerian prince who tries to get you to share personal or financial information. It is a type of phishing, which is itself a form of social engineering.
What is “Social Engineering”?
Social engineering, in a cybersecurity context, is a set of methods in which hackers use human interaction to get users to share personal information. This is in contrast to the “traditional hacking” many people are familiar with, where hackers exploit vulnerabilities in your computer system to extract information. Social engineering instead relies on the hacker’s ability to trick us into doing what they want. Phishing is the most common example of social engineering: hackers send out hundreds of millions of emails to various addresses using a pre-made template. In the Nigerian prince scam we saw earlier, the letter uses the pretense of a Nigerian prince in need of help to get you to reveal some level of personal and/or financial information. Other forms of social engineering include email hacking, pretexting, quid pro quo, and vishing (voice phishing).
These methods all typically share the same elements. They introduce some type of hook that captures your attention and acts as a pretense for the subsequent actions, and they then use this pretense to ask you to provide some level of personal information. Other, more sophisticated methods now include capturing IP addresses and metadata, getting you to download malware, and even tracking the keystrokes you make on your keyboard. All of this builds a “profile” of the targets of these social engineering attempts, so that the attackers can use the information to extract still more information, or for outright theft.
What are some examples of social engineering?
There have been many reported cases of users succumbing to social engineering techniques and handing over personal and financial information to phishers. One of the more popular scams is called the “Netflix phish”, in which phishers send users an email that looks almost identical to a typical Netflix email. It requests something along the lines of validating a payment method, then leads users through a log-in process and a series of forms where they are asked to hand over their credit card information. One of the reasons this scam is so effective is that the phishers make their correspondence and website look almost exactly like the legitimate thing. Through this method, phishers are able to take your Netflix login information (which could be sold to “steal” Netflix), your credit card information, and mark you as a target for future phishing attempts.
Phishing need not be so technologically involved, though. Simple phishing via phone calls can also be horrifyingly effective, as in the case in Hong Kong where residents were tricked into transferring millions of dollars into phishers’ accounts. In this scam, phishers used a pre-recorded message and cold called hundreds of people while impersonating the Hong Kong Immigration Department. People who believed that the recorded message was legitimate were instructed to press a button on their phone, which connected them to someone impersonating a person of authority. From there, the impersonator would use whatever pretense was needed to convince the victim to transfer money into a bank account under the impersonator’s control.
How does this work?
By now you must be asking yourself how these techniques can be so effective. The simple answer is scale. In the two examples above, the initial point of contact (the email from “Netflix” or the message from the “Immigration Department”) is always automated. This means that phishers are able to send out millions upon millions of these messages to unsuspecting marks at little to no cost. They don’t need everyone to believe the message; they only need some people to believe it. And it is those people that the phishers can then exploit.
As Robert Frank explains, a person who is gullible enough to fall for the initial Nigerian prince letter is probably gullible enough to fall for the rest of the scam. In the case of the fake immigration phone calls, 1,400 people fell for the scam in 2015. And while that may seem like a big number, think of the millions upon millions of calls that were probably made. If these phishers sent out only 1 million messages and 1,400 of them were effective, that is a success rate of only about a tenth of a percent.
How do I make sure that this doesn’t happen to me?
While the prospect of being a target of social engineering and phishing scams can be frightening, you are still very much capable of protecting yourself from falling prey to them. The most important point to keep in mind is that the primary goal of social engineering is to trick you into voluntarily giving up your personal and financial information. So being alert whenever any of these types of transactions occur is already a big step in the right direction.
You can do this by double checking that the emails you receive are from legitimate entities. Make sure that the messages you receive come from legitimate sender addresses, not just a familiar-looking display name. Make sure that whenever you enter confidential information on a website, the connection is protected by HTTPS encryption.
Another option is to paste the text of the email into a Google search to see if someone else has received something similar lately. You may also use a VPN to hide your IP address. As we have seen, phishers are becoming more and more sophisticated in their efforts, and metadata such as IP addresses can give them valuable insight to build more effective ways of tricking you. VPNs encrypt your connection to the internet and hide your IP address so that this does not happen. It is also just good general practice to use a VPN to secure your connection to the internet, so that you are better protected against conventional hacking as well.
You may also refer to the guidelines set by the US Government on how to avoid being the target of phishing attacks for more steps on protecting yourself.
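The sender-address and HTTPS checks above can be automated. The following is an added example (not code from the original article) that runs those checks over a constructed message modelled on the “Netflix phish”: it compares the brand named in the display name with the sender’s real domain, flags links that are not HTTPS, and flags links whose visible text names one domain while the link itself points somewhere else. The brand-to-domain table and the `.example` addresses are assumptions for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "Netflix phish": brand in the display name,
# lookalike sender domain, and a link whose text does not match its real target.
SAMPLE = """From: "Netflix Billing" <billing@netfl1x-account.example>
Subject: Please validate your payment method
Content-Type: text/html; charset="utf-8"

<p>Your payment failed. <a href="http://netfl1x-account.example/login">www.netflix.com</a></p>
"""
BRANDS = {"Netflix": "netflix.com"}  # brand word -> domain it really mails from (assumed)

# Simplified anchor extraction; a mail client would use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
DOMAIN_IN_TEXT = re.compile(r"[\w.-]+\.[a-z]{2,}")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); real code would use the public suffix list."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw, brands):
    """Return warnings for the checks the article recommends: sender domain vs.
    claimed brand, HTTPS on every link, and link text vs. real link target."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.rpartition("@")[2])
    warnings = [f"display name claims {b} but the sender domain is {sender}"
                for b, real in brands.items() if b.lower() in name.lower() and sender != real]
    body = msg.get_body(preferencelist=("html",))
    for href, inner in ANCHOR.findall(body.get_content() if body else ""):
        url = urlparse(href)
        if url.scheme != "https":
            warnings.append(f"link is not HTTPS: {href}")
        shown = DOMAIN_IN_TEXT.search(re.sub(r"<[^>]+>", "", inner).lower())
        if shown and registered_domain(shown.group()) != registered_domain(url.hostname):
            warnings.append(f"link text shows {shown.group()} but points to {url.hostname}")
    return warnings


if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE, BRANDS):
        print("WARNING:", w)
```

HTTPS on a link only shows that the connection is encrypted; a lookalike domain can serve HTTPS too, which is why the domain comparison is the check that matters most.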
Social engineering relies on the attacker’s ability to trick us into handing over our information. But if we remain vigilant, these types of attacks will not be able to harm us.