Computer-based Social Engineering:
Out of the blue you receive an email informing you about a large sum of money trapped in a foreign
bank account: a wealthy politician has died, leaving a fortune behind. The sender asks for your help
to transfer the money out of the country and promises you a huge reward. First the sender asks for your
bank account details so the money can be transferred; then you are asked to pay a transfer fee or tax to
get the money out of the country. The fee starts small but keeps growing: the criminal invents new fees
that supposedly must be paid before you can receive your reward. No matter how much you pay, you will
never receive it. This is a "scam", a type of social engineering, and this particular one is commonly
known as the "419 scam", an advance-fee fraud.
Criminals can use sophisticated technical attacks to gain access to your computer or to trick you out of
money, but they also have an easier, less sophisticated tool in their arsenal called "social engineering".
Social engineering uses human interaction (social skills) to obtain confidential information. The obtained
information is then used to access the user's accounts or, as in the example above, the user is tricked
into handing over money.
Social engineering attacks may be divided into two categories.
- Computer based social engineering.
- Human based social engineering.
Computer-based social engineering attacks include the following.
Emails sent by scammers may carry attachments that contain malicious code: keyloggers that capture the
user's passwords, viruses, Trojans, or worms. Attackers trick users into clicking a link, or into
downloading a file and then opening it; if the executable is a worm, it propagates from computer to
computer by copying itself.
A well-known example is the "LoveLetter" worm, which arrived as an email attachment. The email asked the
recipient to open the attachment (a script file named LOVE-LETTER-FOR-YOU.TXT.vbs, whose double extension
made it look like a harmless text file). When the user opened it, the worm mailed a copy of itself to
every contact in the user's address book. It overloaded a huge number of email servers in the year 2000.
Pop-up windows can also be used in social engineering attacks: pop-ups that advertise special offers may
tempt users into unintentionally installing malicious software.
Phishing attacks of this type commonly use emails to trick users into revealing the credentials for their
bank accounts or email accounts. The email usually claims to come from a well-known source, such as a
highly reputed organization, and asks the user to click a link that leads to a site resembling the
organization's website. That site is a fraudulent copy that harvests the user's credentials. The
fraudsters then use these credentials to gain access to bank or email accounts and steal important
information and money.
How to avoid being a victim
- Do not enter confidential information into a website without first checking that the site is
legitimate and that the connection is secure (HTTPS with a certificate issued for that site).
- Check the URL of the website carefully: a fraudulent site often uses an address that resembles the
real one (extra words, a different top-level domain, or the real name placed in front of the attacker's
domain).
- Do not click on links inside suspicious emails.
- Fraudsters even exploit natural disasters (the Asian tsunami, Hurricane Katrina) and popular events
(the Olympics) for their benefit; be aware.
- If you are unsure of the legitimacy of an email, call the company directly using contact information
you have used before, not the details given in the email.
- Do not click on or download suspicious attachments from senders you have not heard of.
- Use email filters, firewalls and antivirus software to reduce the threat.
- When you are on the web, be aware that pop-ups advertising bargains may ask you to install malicious
software in order to claim prizes.
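The phishing description and the URL and attachment checks in the list above can be turned into a small screening script. This is an added example, not code from the original page. The trusted domain examplebank.com, the sample message, the address 198.51.100.7 and the lookalike domain names are all constructed for illustration, and the two-label "registered domain" rule is a simplification that does not handle public suffixes such as co.uk.

```python
"""Screen an email for common phishing indicators (added example, not from the page)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the legitimate organisation actually uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# File types Windows runs when double-clicked (non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "vbs", "js", "bat", "cmd", "com", "pif", "hta"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host, e.g. login.examplebank.com -> examplebank.com.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons a single link looks like phishing (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    # user@host trick: https://www.examplebank.com@198.51.100.7/ goes to 198.51.100.7
    if parts.username:
        reasons.append(f"credentials in URL hide the real host {host!r}")
    # punycode or non-ASCII host: homoglyph lookalikes of the real name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append(f"IDN/punycode host {host!r}")
    # the link's registered domain is not the organisation's real domain
    if host and registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"link goes to {registered_domain(host)!r}, not a trusted domain")
    # the visible text shows a URL whose host differs from the real target
    if text.startswith(("http://", "https://")):
        shown = urlsplit(text).hostname or ""
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"text shows {shown!r} but link goes to {host!r}")
    return reasons


def check_attachment(filename):
    """Flag executable attachments, including double extensions like NAME.TXT.vbs."""
    parts = filename.lower().split(".")
    reasons = []
    if parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment {filename!r}")
        if len(parts) > 2:
            reasons.append(f"double extension disguises {filename!r} as .{parts[-2]}")
    return reasons


def score_email(html_body, attachments):
    """Collect every indicator; an empty list means nothing suspicious was found."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        findings.extend(check_link(href, text))
    for name in attachments:
        findings.extend(check_attachment(name))
    return findings


# Constructed sample message (not a real capture).
SAMPLE_BODY = """
<p>Dear customer, your account has been locked. Verify at
<a href="http://examplebank.com.login-verify.test/">https://www.examplebank.com/login</a>
or <a href="https://www.examplebank.com@198.51.100.7/">Secure login</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "statement.pdf"]

if __name__ == "__main__":
    for finding in score_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("SUSPICIOUS:", finding)
```

Run it as-is and it reports six findings for the sample: two for the lookalike link whose visible text differs from its target, two for the link that hides its real destination behind a user@ prefix, and two for the double-extension script attachment, while the PDF and a genuine examplebank.com link pass clean.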
What can you do if you are a victim
- If you think you have entered your user ID and password into a fraudulent website, change your
password as soon as possible, and on any other account where you reused it.
- Report the fraudulent email or website to the relevant authorities, such as your bank, your email
provider and the police.
- If financial information has been compromised, close or lock the account to prevent further harm.