Blog Layout
Social Engineering Scams are Far More Reaching Than Just Email
Social Engineering Scams are Far More Reaching Than Just Email
What is social engineering?
In computing, social engineering refers to the methods cybercriminals use to get victims to take some sort of questionable action, often involving a breach of security, the sending of money, or giving up private information. These actions tend to go against our better judgment and defy common sense. However, by manipulating our emotions—both good and bad—like anger, fear, and love, scammers can get us to stop thinking rationally and start acting on impulse without regard to what we’re actually doing.
To put it simply, if cybercriminals use malware and viruses to hack our computers, then social engineering is how they hack our minds.
Social engineering is always part of a larger con, taking advantage of the fact that the perpetrators and their victims never have to meet face to face. The main objective usually involves getting the victims to:
Give up usernames and passwords.
Install malware on their device.
Send money via electronic fund transfer, money order, or gift cards.
Authorize a malicious software plugin, extension, or third-party app.
Act as a money mule for the purpose of laundering and transferring illicit funds.
“If cybercriminals use malware and computer viruses to hack our computers, then social engineering is how they hack our minds.”
What are the types of social engineering?
Here are six common online scams that employ some form of social engineering.
Email phishing is the most common type of attack that features social engineering. The target receives a spam email spoofed to look like it was sent by a company or organization the target trusts. These emails are remarkably easy to create nowadays using off the shelf phishing kits that contain pre-designed email templates that look like they’re being sent by Apple or Amazon or some other well-known company. The email contains a link to a phishing site designed to collect usernames and passwords.
Trojan refers to any kind of malware pretending to be something it isn’t. Just like the Trojan horse of Greek fame, computer Trojans contain a destructive payload. Email attachments containing hidden malware are a form of Trojan. The trick, as it applies to social engineering, is when the email appears to originate from a trusted sender such as a coworker, friend, family, or company you do business with.
Spear fishing is a type of phishing attack that targets one person or a small group of people. Unlike a typical phish, which is purposely generic and sent out en masse to as many emails as possible, a spear phishing attack requires a little due diligence on the part of the scammer. Scammers will look up the target’s social media accounts and use information gleaned from photos, relationship status, birthdates, places lived, job history, and any other public info they can use to give credence to the scam.
SMS text message phishing (smishing) is a type of phishing that occurs over your tablet, smartphone, or smartwatch. It’s true, phishing happens outside of email. Victims typically receive a text message from an unknown sender informing them of some special offer or contest they’ve won. The text includes a link to a spoofed site designed to harvest login credentials.
Scam calls are the telephone equivalent of spam. Also known as vishing (voice phishing) or robocalls, scam calls are made using a computerized telephone dialing system. When the call is answered, the autodialer connects the call to a live person or plays a prerecorded message. Both are considered robocalls. While robocalls can be legal under certain limited circumstances, most are illegal and involve some ploy to steal the victim’s money, user credentials, or identity.
Tech support scams are an advanced form of social engineering designed to make you think your computer is infected with malware, when it actually isn’t, then extort money from you to “fix” it. The scam starts when victims land on a malicious website run by the scammers. These sites include malvertising designed to lock your browser and prevent you from closing out or navigating to another site. The malvertising generally includes some warning that your computer is infected with malware or your software is pirated along with a phony tech support number you can call to get help—but it will cost you. As it happens, Malwarebytes Browser Guard is the first browser extension smart enough to block tech support scams and it’s completely free to download for Firefox and Chrome.
What is the history of social engineering?
Social engineering is not new. Con artists and grifters have used social engineering since time immemorial to get victims to act against their better judgment and part with their money or divulge private information. Thanks to the Internet, however, criminals have access to a whole new world of potential targets.
The advance-fee scam is a great example of how an old social engineering ploy can evolve with the times and use technological advancements to horrible effect.
The scam has its origins in the late 18th century Letters from Jerusalem con. In the aftermath of the French Revolution, France’s prisons were filled with industrious scammers all claiming to be the valet of a French nobleman. While attempting to escape persecution (or execution) at the hands of angry revolutionaries, the valet hid his master’s treasure, only to be imprisoned before he could retrieve it. For a modest sum, the prisoner offers to provide a map revealing the location of the treasure. According to a contemporary account from one of the scammers, 20 percent of recipients responded to the letters.
The success of the Jerusalem scam gave rise to a 19th century variant known as the Spanish Prisoner scam, named after the supposed European nobleman at the center of the scam. The nobleman, as the scam goes, was wrongly imprisoned in a Spanish jail and needs the letter recipient’s help. In exchange for providing the funds necessary to secure the nobleman’s release, allowing him to return to his young daughter, the victim is promised a significant return on their investment, namely buried treasure or funds hidden away in a foreign bank account.
The Spanish Prisoner scam improves upon the Jerusalem scam in two major ways. Where the Jerusalem scam targeted victims seemingly at random, Spanish Prisoner scammers claimed to be a distant relative of the recipient, even going so far as to call out the victim’s deceased relatives by name in a kind of proto-spear phishing. Spanish Prisoner scammers also shifted the narrative focus of the letters away from the prisoner to the nobleman’s impoverished daughter. With these changes the story became less about personal enrichment or outright greed and more about compassion, appealing to a different and potentially broader group of victims.
The advance-fee scam continued to evolve through the late 20th century. With the rise of the Internet, advance fee scammers were no longer limited by the cost of a stamp or the number of letters they could write in a day. The Internet allows them to copy and paste a prewritten message and spam thousands of potential targets with a few simple clicks. In the past, scammers might’ve selected victims carefully based on factors like wealth and location. Victim’s today self-select. By simply responding to an email that was sent to thousands of other targets, victims reveal themselves to be susceptible to the fraudster’s proposal—however implausible it may be.
The modern version of Letters from Jerusalem, commonly referred to as the Nigerian Prince or 419 scam once again involves a mysterious stranger, vast sums of money, and an offer too good to be true.
In the first phase of the scam, the victim receives an email from someone claiming to be a foreign prince, government official, deposed leader, lawyer, banker, etc. with knowledge of a vast sum of money locked away in a foreign bank that the sender cannot access on their own. Accordingly, the sender needs the victim to act as a money mule; that is, receive a wire transfer of the money then wire the money back to the sender while keeping a large percentage of the total as a service fee. The sender may send follow up emails with official looking documents to help substantiate their claims. In phase two, the scammer introduces an obstacle. In order to unlock the money, the scammers need to bribe bank or government officials, pay fees, or pay taxes owed on the money, hence the name “advance-fee scam.” Of course, there is no money and the victim’s advance fee is lost via irreversible and untraceable wire transfer.
To be fair, not all advance-fee scams originate in Nigeria, though many do. Countries like Nigeria are just foreign enough to mystify westerners. While one might second guess an email claiming to be from a member of the British royal family, maybe Nigeria has a ton of itinerant princes wandering around looking for random American pensioners to help them unlock their trust funds. Who knows? Certainly not the victim. It’s precisely this naivete that scammers depend on to be successful.
As it stands, advance-fee scams remain a time-tested, profitable, and low-tech option for enterprising cybercriminals. According to the Federal Bureau of Investigation (FBI) Internet Crimes Complaint Center report, 18,463 Americans fell victim to advance-fee and romance scams in 2018 with total losses surpassing $362 million.
“Social engineering scammers are looking for the right target and the right emotional trigger.”
Examples of social engineering
Here are some real-world examples of social engineering we’ve reported on over at Malwarebytes Labs. In each example, social engineering scammers are looking for the right target and the right emotional trigger. Sometimes the combination of target and trigger can be hyper-specific (as with a spear phishing attack). Other times, scammers may go after a much broader group.
The sextortion scam. In this first example, scammers are casting a wide net. The target? Anyone who watches porn. The victim is notified via email that their web cam has supposedly been hacked and used to record them watching adult videos. The scammer also claims they’ve hacked the recipient’s email account, using an old password as proof. If the victim doesn’t pay up via Bitcoin, the scammer threatens to release the video to all the victim’s contacts. Generally speaking, the scammer doesn’t have video of you and your old password is from a previously disclosed data breach.
The grandparent scam. This scam has been going around for years and targets anyone with living family, usually the elderly. Parents or grandparents receive a call or text message from the scammer, posing as a lawyer or law enforcement. The scammer claims the victim’s relative has been arrested or injured and needs money to cover bail, legal fees, or hospital bills. In the case of the SMS text message version of the scam, merely replying ends up costing the victim money.
The Social Security Number scam. In this grift, things start to narrow as it only applies to US citizens. The victim receives a prerecorded robocall purporting to be from the Social Security Administration. The message asserts the victim’s SSN has been “suspended” for “suspicious trails of information.” Never mind the fact that your SSN can’t be suspended, if the victim falls for the ploy and returns the call, they’ll be asked to pay a fine to straighten everything out.
The John Wick 3 scam. Here’s a good example of spear phishing. In this case the scammers are after a very specific target: a John Wick fan who enjoys comic books, but prefers to read them on Amazon Kindle. While searching for John Wick comics, the target is offered a free download for the third John Wick film—at the time of the scam, the movie hadn’t been released in theaters. Following the link embedded in the movie description takes the victim down a rabbit hole of illegal streaming sites for pirated movies.
How to protect against social engineering
Turn your spam filter on. A lot of social engineering happens via email so the easiest way to protect against it is to block spam from making its way to your inbox. Legitimate emails will sometimes end up in your spam folder, but you can prevent this from happening in the future by flagging these emails as “not spam,” and adding legitimate senders to your contacts list.
Learn how to spot phishing emails. Talented scammers spend a lot of time spoofing emails to look like the real thing, but with a little due diligence you can easily spot the spoofs.
The sender’s address doesn’t match the domain for the company they claim to represent. In other words, emails from PayPal always come from example@paypal.com and emails from Microsoft always come from example@microsoft.com.
The sender doesn’t seem to actually know who you are. Legitimate emails from companies and people you know will be addressed to you by name. Phishing emails often use generic salutations like “customer” or “friend.”
Embedded links have unusual URLs. Vet the URL before clicking by hovering over it with your cursor. If the link looks suspicious, navigate to the website directly via your browser. Same for any call-to-action buttons. Hover over them with your mouse before clicking. If you’re on a mobile device, navigate to the site directly or via the dedicated app.
The email has typos, bad grammar, and unusual syntax. Does it look like the email was translated with Google Translate? There’s a good chance it was.
The email is too good to be true. Advance-fee scams work because they offer a huge reward in exchange for very little work. But if you take some time to actually think about the email, the offer is fake or outright illegal.
Turn macros off. Turning off macros will prevent malware-laden email attachments from infecting your computer. And if someone emails you an attachment and the document asks you to “enable macros,” click “no,” especially if you don’t know the sender. If you suspect it may be a legitimate attachment, double check with the sender, and confirm they sent you the file.
Don’t respond. Even as a joke, don’t do it. By responding to scammers, you demonstrate that your email is valid and they will just send you more. The same goes for SMS text message and call scams. Just hang up and block the caller. If it’s a text message you can copy and forward it to the number 7726 (SPAM), doing so improves your phone carrier’s ability to filter out spam messages.
Use multi-factor authentication. With two-factor or multi-factor authentication, even if your username and password are compromised via phishing, cybercriminals won’t be able to get around the additional factors of authentication tied to your account.
Install a good cybersecurity program. Mistakes happen. If you click a bad link or malicious attachment, your cybersecurity program should recognize the threat and shut it down before it can do any damage to your device. Malwarebytes, for example, blocks malicious websites, malvertising, malware, viruses, and ransomware with products for home and business. And for threat protection on your iPhone there’s Malwarebytes for iOS, which blocks pesky scam calls and text messages.
The period between Memorial Day and Labor Day is historically the most dangerous time of year for teen drivers. Some research shows up to 30% of all teen driving fatalities occur during the summer months. Teen drivers lack experience, and the summer months provide multiple reasons for increased risk. Not only is there more daylight and warmer weather, but most teens are out of school and have more free time to be behind the wheel. Here are five safety tips for your teen driver to practice, not just in the summer months but all year long. 1. Avoid Distraction . Research shows as high as 60% of all teen vehicle crashes involve driver distraction. One common misconception is that cell phones are the number one cause of distraction for teen drivers but that is actually not the case. Other passengers create more distractions for teen drivers than any other source. 2. Buckle Up . It is discussed so often that it may seem trite but seatbelt use is proven to reduce fatality rates in motor vehicle accidents. but data shows buckling up can reduce the risk of fatal injury by as much as 45%. 3. Impaired Driving . As high as 15% of all teen driving fatalities involve a blood alcohol content of more than twice the legal limit. 4. Limit Passengers. Most states, including Alabama, have graduated license laws restricting the number of passengers in vehicles operated by teen drivers. Literally all available data associates fewer passengers with lower fatality rates in motor vehicle accidents involving teen drivers. 5. Reduce Nighttime Driving. The fatal crash rate of 16-19-year-olds is nearly 400 times higher at night than during the day.
Identity theft affects millions of people each year and can cause serious harm. Protect yourself by securing your personal information, understanding the threat of identity theft, and exercising caution. Here are 10 things you can start doing now to protect yourself and your loved ones from identity theft: Protect your Social Security number by keeping your Social Security card in a safe place at home. Don’t carry it with you or provide your number unnecessarily. Be careful when you speak with unknown callers. Scammers may mislead you by using legitimate phone numbers or the real names of officials. If they threaten you or make you feel uneasy, hang up. Create strong, unique passwords so others can’t easily access your accounts. Use different passwords for different accounts so if a hacker compromises one account, they can’t access other accounts. Check out the Federal Trade Commission’s password checklist for tips. Never give your personal or financial information in response to an unsolicited call or message, and never post it on social media. Shred paper documents that contain personal information, like your name, birth date, and Social Security number. Protect your mobile device from unauthorized access by securing it with a PIN, adding a fingerprinting feature, or using facial recognition. You can also add a password and adjust the time before your screen automatically locks. Regularly check your financial accounts for suspicious transactions. You can also request and check a free credit report from each of the three credit bureaus every year: TransUnion , Equifax , and Experian . Avoid internet threats by installing and maintaining strong anti-virus software on all your devices—including your mobile device and personal computer. Use a virtual private network (VPN) to stay safe on public Wi-Fi. Do not perform certain activities that involve sensitive data, like online shopping and banking, on public Wi-Fi networks. Protect yourself on social media by customizing your security settings and deleting accounts you no longer use. Also, double-check suspicious messages from your contacts, as hackers may create fake accounts of people you know. Never click on any link sent via unsolicited email or text message—type in the web address yourself. Only provide information on secure websites.
Every accident case is different. Some settle more quickly than others. However, it is not uncommon, for a personal injury case to take a year or more to resolve after the case has been filed in court. Evaluating the Injury Prior to filing a lawsuit, it takes time to determine the full extent of your injuries. Doctors are often unable to give an opinion about the seriousness of an injury until your condition has stabilized. In serious injury cases, it may even take a year after the accident before your doctor can say whether or not your injuries are permanent. It is extremely important to take the necessary time to fully evaluate your injuries. You have only one chance to prove the extent to which you have been harmed. Once you accept a settlement offer, that decision is final. You cannot go back and ask for more money if you later find out your injuries are more serious. An experienced personal injury attorney knows how to keep your case moving through the legal system. Your personal injury case may move through these stages: 1. Written Discovery The written discovery period can last over six months. You will be asked to answer written questions (interrogatories) under oath. You will also be asked to produce documents or authorize others to produce documents such as accident reports and medical records. 2. Depositions During a deposition, you will be asked questions under oath. A court reporter types a record of everything that is said. Not only will you be questioned about the accident and your injuries, you will be asked questions about what your health, education, and work were like before the accident. 3. Mediation and Settlement The Court almost always requires a settlement conference or mediation before personal injury cases can go to trial. At mediation, a neutral trained mediator goes over the issues and evidence with the parties to help guide them toward a settlement agreement. 4. Trial If your case does not settle and goes to trial, a jury decides what your injury is worth. It can take eighteen months or longer to get the trial scheduled. Once the trial is over, there may be further appeals and motions. It's possible for the parties to settle the case during trial or even after trial in order to end an appeal. Your best strategy is to contact an attorney with experience in handling personal injury cases. Your attorney can give you an estimate about the length of time it takes to resolve your type of case. Also, ask your attorney to give you frequent reports on the status of your case so you know that your case is making its way through the legal process. It's understandable that you may be frustrated at the speed your case seems to be moving. However, you should never rush to take the first settlement offer made by an insurance company. The first offer is rarely your best settlement offer. .
Distracted driving has been on the increase for the last several years and continues to be one of the leading causes of vehicle accidents throughout the United States. If you are texting and driving down the highway at 55 mph, that’s like traveling the length of a football field with your eyes closed. You can only drive safely when your full attention is on the road. Any activity that isn’t related to driving is a potential distraction and increases your risk of a collision. While most research points to a mobile phone as the number one culprit, it is far from the only activity potentially stealing a driver's attention. Eating or drinking, grooming, radios, other passengers - especially children, and even pets can also be significant factors. Distracted driving accidents are preventable 99% of the time. Driving can become mundane at times, but we all must remember when driving we have an obligation to the safety of not only ourselves but those who ride with us and other drivers we share the road with. Some studies show listening to podcasts or certain types of music can enhance our concentration. It’s important to practice safe habits behind the wheel. You want to make sure that your passengers know how serious you are about driving without distractions. One of the most effective ways to lead is through example. Be a good example for your friends and family by avoiding driving while you’re distracted.
We see this question all the time. The injured party doesn’t want to use their own health insurance to pay for an injury. They believe it is the responsibility of the person at fault to pay for their medical bills. That may feel like the right position for an accident victim to take but the truth is, most of the time the injured party will end up with a larger settlement if they do, in fact, use their own medical benefits. Here's why; Health insurance companies have a negotiated price for medical services that is about 15 percent less than what people have to pay who don’t have health insurance. If your medical bills are $50,000.00 but Blue Cross Blue Shield pays $15,000.00 and the person who caused the wreck has $50,000.00 in liability coverage, that leaves $35,000.00 available for the injured party versus $0.00. Generally speaking, Blue Cross Blue Shield will reduce the $15,000.00 to $10,000.00 leaving $40,000.00 available. The point is that there’s more money available when you take advantage of your healthcare negotiated rates whether it’s United Health Care, Medicare, Medicaid, or Blue Cross Blue Shield. More money is better. Using your health insurance to pay your medical bills if you are injured, will almost always end up maximizing your settlement.
Once you reach the age of 65 you have many more options than before. As you know if you go on Medicare and you are under the age of 65 your options for health plans are limited. When you turn 65 you will have another open enrollment period to sign up for any plan you wish to get. In other words, just because you are already on Medicare does not prohibit you from having all the options a person not on Medicare and turning 65 would have.
This is one of the questions we get asked the most. In most cases, the answer to this is “no”. When you turn 65, if you are still working and on your employer’s health insurance plan you probably will not need Medicare Part B. I say probably because most employer plans do not file on Medicare if you have a claim. Because you have to pay a premium for Part B, Medicare does not require a person to sign up for Part B as long as you are on your employer’s plan. Also, because the rules can differ for companies with less than 20 employees, the safest thing to do is check with the benefits coordinator at your place of employment for guidance or call us at our office.
Social Security: 3 main reasons why the Government can deny Disability Benefits
For many working Americans, when the unexpected happens and they can no longer work due to a serious medical condition, Social Security Disability Insurance (SSDI) benefits can be a financial lifeline. Most American workers contribute to Social Security through federal payroll taxes. Social Security is designed for income during retirement years however if an individual’s working years are cut short by a severe, long-term illness or injury, they may need income before reaching retirement age. For many who find themselves in these circumstances SSDI provides monthly financial assistance. Seven facts every American should know about the SSDI program 1. SSDI is coverage that workers earn. If an individual has paid enough Social Security taxes through their lifetime earnings, SSDI is intended to provide support by replacing some of their income when they become disabled and unable to work. 2. The Social Security Administration (SSA) has a strict definition of disability. The SSA considers a person disabled if they can’t work due to a serious medical condition that is expected to last at least one year or result in death. SSDI is intended as a long-term solution and is not intended to offer temporary or partial disability benefits. 3. Disability can happen to anyone at any age. Serious medical conditions, such as cancer and mental illness, can affect the young and elderly alike. Studies prove one in four 20-year-olds will become disabled before retirement age. As a result, they may need to rely on Social Security disability (SSDI) benefits for income support. 4. SSDI payments help disabled workers to meet their basic needs. SSDI is not and was never intended to be a full wage replacement. The average monthly Social Security disability benefit is $1,280, as of April 2021, which is intended to allow an individual who has become disabled to meet their basic needs. 5. Social Security works aggressively to detect and prevent fraud. Every American worker who pays federal taxes invests in SSA. The agency is committed to protecting their investment by taking a zero-tolerance approach to fraud. The agency claims a fraud incidence rate that is a fraction of one percent. 6. SSA helps people return to work without losing benefits. Often, people would like to re-enter the workforce. However, many worry they will lose disability benefits if they try working again. They may also fear losing benefits if they are unsuccessful in returning to work. The agency has many programs designed to connect an individual to free employment support services while helping them maintain benefits, such as health care. 7. Millions of disabled Americans depend on SSDI benefits. Nearly 10 million disabled workers and their spouses and children receive benefits through SSA.
A circuit judge in Sarasota ruled Monday that the verdict in a legal malpractice case against the Morgan & Morgan law firm should stand. The judge also denied Morgan & Morgan’s motion for a new trial and another motion to reduce the $5 million award determined by the jury. Attorney Donald St. Denis of St. Denis & Davey in Jacksonville, who represented the plaintiffs in the malpractice lawsuit, said Friday he has a hearing scheduled Tuesday in Sarasota on a motion to award his firm $1.6 million in attorney’s fees and costs. “We’ve been working on this for two years. I’ve got a ton of time in this case,” he said Friday. St. Denis made offers on behalf of his clients in August 2016 and again in January 2017 for $2.5 million and $4 million, respectively, to settle the malpractice suit before going to trial, but Morgan & Morgan’s counteroffer was only $1,000, he said. Morgan & Morgan intends to appeal the jury’s verdict. John Morgan “This case is a long way from over,” John Morgan said Friday in an email response. “We defended this case because we think we are right. And we will continue fighting it because we still believe we are right. We fully expect to win outright on appeal and have a judgment in our favor entered by the appellate courts.” St. Denis represented Shawna and Rock Pollack in the malpractice action related to Morgan & Morgan’s handling of a personal injury case the couple filed after their child was permanently injured during birth. On Oct. 17, a jury in circuit court in Sarasota County found that Morgan & Morgan attorney Armando Lauritano was 100 percent responsible for Shawna and Rock Pollock losing their rights to a medical malpractice claim against a Sarasota obstetrics practice, a nurse midwife and the hospital where their child was born. The case began Nov. 2, 2006, when Shawna Pollock was admitted to Sarasota Memorial Hospital to give birth. After she was given a hormone to induce labor, the unborn infant began to experience slowed fetal heartbeat and Pollock began writhing in pain. By the time an emergency cesarean section was performed, Pollock’s uterus had ruptured, depriving the fetus of oxygen, which caused permanent brain damage. After the birth, the Pollocks contacted Morgan & Morgan. An investigator from the firm met the couple at Ronald McDonald House, where they were staying while their infant son was in All Children’s Hospital in Tampa. On Feb. 17, 2007, the Pollocks agreed to be represented by Morgan & Morgan. They agreed to pay the firm up to 40 percent of a recovery up to $1 million, 30 percent between $1 million and $2 million and 20 percent of recovery in excess of $2 million. St. Denis argued to the jury that Morgan & Morgan was focused on collecting a large fee for the child’s brain injury claim to the point that its representative failed to provide the required presuit notice of claims for injuries sustained during the delivery by Shawna Pollock, including that she no longer is able to have children. After it became clear that the baby would qualify for no-fault benefits from the Florida Birth-Related Neurological Injury Compensation Association, and after the statute of limitations period for submitting notice the Pollocks intended to seek compensation for their personal loss had expired, Morgan & Morgan withdrew from representing the Pollocks. The jury found that the OB-GYN practice, the nurse midwife and Sarasota Memorial Hospital were negligent in the care of Shawna Pollock. The medical practice and nurse midwife were found by the jury to be liable for $4.5 million in damages and the hospital was found liable for $500,000 in damages, if the Pollocks had not lost their rights to sue for damages. In its $5 million verdict, the jury further found that Lauritano was negligent in his handling of the Pollocks’ interests, that the Pollacks did not freely and intentionally give up their right to seek compensation from the physicians and hospital and that Lauritano was liable for the loss they incurred. original article https://www.jaxdailyrecord.com/article/court-upholds-dollar5-million-malpractice-verdict-against-morgan-and-morgan