How to Avoid Falling for a Social Engineering Attack

A brave writer from Wired wrote about how she fell for a social engineering attack through what she dubs “an academic vanity honeypot” on Twitter. Virginia Heffernan describes the incident here:

“Yes sirree, Lawrence Henry Summers was just casually DM-ing me, because, well, he’d read an article of mine and found it astute. And now Larry Summers wanted feedback from me on an article of his…

I was a new caliber of flattered; maybe inebriated.”

Her excellent article – seriously, go read it right after you finish this one – is refreshing and sobering and we need more like it. You see, most people who fall for any online scam or social engineering attack hide in shame and keep that news as private as they possibly can for fear of looking foolish.

But the reality is that many, many people fall for these attacks. That’s why attackers keep doing them to get what they want. It works.

No Shame, Just Learning

How can we learn from these mistakes unless we discuss them openly and transparently, without shame? There’s a longstanding trend in our industry to focus on attribution after a breach or hack happens. We want to know who did it. Was it a nation-state attack? Was it just some low-level attacker who bought some cheap, run-of-the-mill ransomware as a service (RaaS) online and got in through the front door by pure luck?

The problem is that the “whodunnit” isn’t really all that important. Sure, if you’re trying to get justice or you’re working with legal authorities, it makes sense to try to chase down who attacked you. But, as an industry, we need to refocus on how the attacks happened. In this case, Heffernan uses a heavy dose of self-deprecation to help teach Wired readers about how she fell for this type of attack: pure vanity.

Successful attackers know how people work and they know how to exploit our human weaknesses. You don’t have to be a psychiatrist to know that you can take advantage of a person’s pride and ego in order to scam them. It’s the equivalent of putting a huge chunk of Gouda on a mouse trap. The technique works because we fall for it – again and again.

More articles like this, directed at the general public but applicable to employers and employees too, will go a long way in helping spread awareness about social engineering attacks. Rather than being ashamed that we (or our company) became a victim, we should instead openly discuss these events with those around us so that others may learn from our mistakes. Bravo to Wired and Heffernan for this great article!

Other Types of Internet Scam

The ‘vanity honeypot’ is just one trick social engineers use. Watch out for these popular scams that are doing the rounds right now:

Tax season scams – These take many forms, but are most prevalent in the weeks right before tax season. In one common version, the target receives a phishing email containing a malicious link. The email purports to come from the state Tax Board, the IRS, or even the target’s own CPA. Typically the message claims the agency needs more information, that something is wrong with the target’s tax records, or that they over- or underpaid last season, and asks them to ‘click the link’ to log in to their tax or IRS account and fix the issue. (Spoiler alert: the link does not lead to the legitimate site.)

Romance scams – In this growing and particularly ruinous threat, Internet crooks pose as desirable single women or men, con the target into falling in love with them, and then extract money. This scam is particularly cruel and usually targets recently divorced men and women. Victims can part with very large sums, because the attacker plays on both the person’s desire to connect with someone and their altruistic desire to help someone in need. The FBI reported losses exceeding $230M in 2016 from romance scams, from just 15,000 cases, so this form of social media scam is among the most lucrative for crooks.

LinkedIn scams – Typically, a connection request is sent from a fake LinkedIn account to employees of the company the attacker is targeting. In the profile’s Employment section, the scammer lists the target company and makes the job title sound plausible, for example a Marketer at a PR firm. They know that employees are less likely to question a connection request from someone who appears to work at their own company. The more people accept the request, the more legitimate the profile looks and the easier it becomes to hook the next employee. Once the scammer has plenty of ‘inside friends’, they strike up conversations with their new connections to harvest insider knowledge about the company, which they then use in an attack.

Facebook scams – As above, but the scammer first reads the target’s Facebook account and builds a customized fake profile that is irresistible to that person based on their exact interests (for example, images displaying great wealth and fancy cars, or a persona of a humanitarian who rescues stray cats in the target’s own neighborhood). Once the target accepts the friend request, the scammer spins a web of lies to trick the target out of money or to bait them into revealing facts that can be used to ensnare the target’s friends as well. They may also send malicious links over Messenger in an attempt to take over the target’s account.

Red Flags to Watch Out For

Nobody is completely immune to trickery, and scams are becoming ever more creative and technologically complex, so read up on case studies like the ones above to avoid becoming a victim.

Here are some additional tips that may help:

  • Tax Scams: Remember: the IRS will NEVER initiate contact with taxpayers via email, text or social media channels. The IRS does the majority of its business via regular mail delivered by the United States Postal Service. If you get a message from the IRS via any other channel asking for your personal info or claiming you owe them money, it’s not from the real IRS. If they threaten you via any channel with police, bank or immigration action, it’s not the real IRS. If they insist you pay right now, over the phone, with a gift card or credit card, it’s not the real IRS. If the IRS does call you about an urgent matter, you will usually have received several letters (“notices”) in the mail first as they attempt to reach you. Here’s a handy guide on how to tell whether it’s really the IRS contacting you.

  • Social Media Scams: Download the profile picture of the person in question. Then use Google Images’ reverse image search to see whether that picture, or other images from the account, exist elsewhere on the web. If they do, visit the original posting site (click ‘visit’ in the search results) to see if it’s the same person. Fake profiles usually plunder the real online accounts of innocent strangers for a complete set of pictures. They may even clone a real account in every last detail for an extra sense of legitimacy.

  • Romance Scams: These scammers have one goal: to gain your trust, then fake a crisis that only you can rescue them from by sending money. It may be weeks or even months before they strike, but they will eventually strike. The moral is to never, ever send money to someone you have never met in real life (phone calls don’t count: the person on the line could be an actor, or the scammer could be using voice-changing software). If a person seems legit online but constantly makes excuses about why they can’t meet up in real life, exercise extreme caution.

  • Scammer Red Flags: If you tell a scammer “No” when asked to send money to help them through a crisis or unfortunate life event, and they become angry or abusive, that is a huge red flag that they are not who they say they are. A real person would respond more realistically, for example by apologizing for asking, showing remorse or guilt, or thanking you for just listening.
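Several of the red flags above (for the tax scam in particular) can be checked mechanically before anyone clicks: the sender is not at irs.gov, the message leans on threats, urgency or gift-card payment, and the link’s visible text names the IRS while its href points somewhere else. The following Python checker is an added example written for this article, not code from Wired, Heffernan or the IRS; the sample email, the `LEGIT_DOMAINS` set and the `URGENCY_PATTERNS` list are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email) showing the article's red flags:
# a sender outside irs.gov, threats plus a gift-card demand, and an anchor whose
# visible text says irs.gov while the href goes to an unrelated host.
SAMPLE_EML = """\
From: IRS Refund Desk <refunds@irs-taxrefund-center.example>
To: taxpayer@example.org
Subject: URGENT: Action required on your 2023 tax record
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Our records show a discrepancy. You must pay immediately or a warrant will be issued.</p>
<p>Payment is accepted by gift card. Log in here: <a href="http://198.51.100.23/irs/login">https://www.irs.gov/account</a></p>
</body></html>
"""

# Assumption: the only registered domain treated as the real IRS.
LEGIT_DOMAINS = {"irs.gov"}

# Assumption: pressure phrases drawn from the article's list of things the real IRS never does.
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\burgent\b", r"\bright now\b",
    r"\bwarrant\b", r"\bpolice\b", r"\bdeport", r"\barrest",
    r"\bgift card", r"\bover the phone\b",
]


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). IP literals are returned unchanged.
    Adequate for .gov/.com; a real deployment would use a public-suffix list."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def extract_host(s: str) -> str:
    """Hostname from a URL, or from text that looks like one ('' if none)."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s
    return urlparse(s).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_tax_email(raw: str) -> dict:
    """Apply the article's tax-scam red flags to one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Red flag 1: the sender's domain is not the real IRS domain.
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    sender_host = m.group(1) if m else ""
    if registered_domain(sender_host) not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender_host!r} is not irs.gov")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # Red flag 2: threats, urgency, or gift-card / phone payment demands.
    for pat in URGENCY_PATTERNS:
        if re.search(pat, body, re.I):
            findings.append(f"pressure language: {pat}")

    # Red flag 3: the link's visible text names one site but the href goes to another,
    # or the href simply is not the IRS at all.
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        href_dom = registered_domain(extract_host(href))
        text_dom = registered_domain(extract_host(text)) if "." in text else ""
        if text_dom and text_dom != href_dom:
            findings.append(f"link text claims {text_dom} but href goes to {href_dom or href}")
        elif href_dom not in LEGIT_DOMAINS:
            findings.append(f"link to non-IRS host {href_dom or href}")

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in score_tax_email(SAMPLE_EML)["findings"]:
        print(line)
```

Because the real IRS does not initiate contact by email, a single finding is enough to flag the message here; the mismatch between anchor text and href is the one users most reliably miss, since mail clients render only the text.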

Above all, trust your gut. Remember the age-old adage – “if it seems too good to be true, it probably is.” If you just got fired from a bad job and suddenly a handsome young recruiter from your dream employer contacts you out of the blue with a job offer, it’s likely a scam. If you have been complaining online for months about your overdrawn bank account and a new Facebook friend suddenly offers to repay your debt if you open a bank account for their rich uncle from Zimbabwe and deposit “a small banking fee” – it’s a scam. If you’ve met someone great online whose profile says they have an advanced degree in English Literature but who sends you emails or texts riddled with typos, it’s a scam. Trust your instincts – you have them for a reason.