Social Engineering and Your Browser
In recent years, financial scandals have rocked the financial world, and both individual consumers and businesses are on alert against scammers who want to prey on their assets. The $50 billion Bernie Madoff fraud showed the world at large that vast numbers of people can be fooled by an individual who has gained their trust. With the connectivity of the Internet, it is easier than ever to come into contact with individuals who ultimately want to prey on us. Social engineering is the term for manipulating people into performing actions or disclosing sensitive data that they would normally keep confidential; the attacker exploits trust, urgency, or habit rather than any flaw in software.
The Internet Browser: An Open Door?
The simplest route to sensitive information about us runs through our web browsers, and as a result identity theft has grown from an occasional nuisance into a widespread problem. What methods are generally employed in social engineering attacks? They typically fall into three broad areas:
- Phishing
- Spear phishing
- Internet scams
If you're caught off guard, these threats can turn your browser into an open door to Internet thieves.
Phishing attacks come in a variety of forms. For example, you might receive an e-mail stating that you need to reset the login information for your PayPal account, and conveniently the link to do so is right there in the message. Its visible text might read http://www.paypal.com/changelogin.html, but the address the link actually opens is a different site, one that merely looks like PayPal and has been put up as bait for unsuspecting individuals. A variation (again using a phony website) is to spoof the browser's address bar so that the page you are looking at appears to be the genuine one. In both cases the criminals hope you will type in your account credentials so that your identity can be stolen. The practical check is to look at the real destination (hover over the link, or read the host in the address bar) rather than the link text: the host you want is paypal.com itself, not a name that merely contains it.
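The following is an added example, not code from the original article: a heuristic link check that flags an anchor whose visible text claims one site while its href points to another, the trick used by the fake PayPal reset link above. The list of genuine PayPal hostnames and the sample anchors are assumptions constructed for the example; the code runs in any browser or Node.js that provides the WHATWG URL parser.

```javascript
// Added example (not from the original article): heuristic phishing-link check.
// Compares the host a link's text claims with the host its href really uses,
// and flags hosts that borrow a brand name without being that brand's domain.

// Hostnames this example treats as genuine for each brand. Assumption made
// for the example, not an authoritative list.
const GENUINE_HOSTS = {
  paypal: ["paypal.com", "www.paypal.com"],
};

// Parse a string as a URL and return its lowercase hostname, or null when the
// string is not a URL (plain link text such as "click here").
function hostOf(text) {
  try {
    return new URL(text.trim()).hostname.toLowerCase();
  } catch (err) {
    return null;
  }
}

// Return the brand name a hostname appears to imitate, e.g.
// "paypal.com.account-verify.example" contains "paypal" but is not PayPal.
function brandInHost(host) {
  if (host === null) return null;
  for (const brand of Object.keys(GENUINE_HOSTS)) {
    if (host.includes(brand)) return brand;
  }
  return null;
}

// Return the list of reasons a link looks like phishing; an empty list means
// none of the checks fired.
function checkLink(visibleText, href) {
  const reasons = [];
  const realHost = hostOf(href);
  if (realHost === null) {
    reasons.push("href is not a valid URL");
    return reasons;
  }
  const shownHost = hostOf(visibleText);
  if (shownHost !== null && shownHost !== realHost) {
    reasons.push(`text shows ${shownHost} but link goes to ${realHost}`);
  }
  const brand = brandInHost(realHost) || brandInHost(shownHost);
  if (brand !== null && !GENUINE_HOSTS[brand].includes(realHost)) {
    reasons.push(`${realHost} uses the ${brand} name but is not a ${brand} domain`);
  }
  if (new URL(href).protocol !== "https:") {
    reasons.push("destination is not HTTPS");
  }
  return reasons;
}

// Scan a batch of anchors (text plus href) and return only the suspicious ones.
function scanAnchors(anchors) {
  return anchors
    .map(({ text, href }) => ({ text, href, reasons: checkLink(text, href) }))
    .filter((a) => a.reasons.length > 0);
}

// Constructed sample anchors, as they might appear in a phishing e-mail.
const SAMPLE_ANCHORS = [
  { text: "http://www.paypal.com/changelogin.html",
    href: "http://paypal.com.account-verify.example/changelogin.html" },
  { text: "Reset your password",
    href: "https://www.paypal.com/changelogin.html" },
  { text: "https://www.paypal.com/changelogin.html",
    href: "https://www.paypal.com/changelogin.html" },
];

for (const a of scanAnchors(SAMPLE_ANCHORS)) {
  console.log(`${a.text} -> ${a.href}\n  ${a.reasons.join("\n  ")}`);
}
```

Only the first sample anchor is flagged: its text shows www.paypal.com, its real host is paypal.com.account-verify.example, and it is plain HTTP. The HTTPS check is the weakest of the three, since phishing sites routinely obtain valid certificates; the host comparison is what actually separates the bait from the genuine site.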
Spear phishing is phishing aimed at specific individuals, typically inside corporations or other organizations with many employees. The goal is the same: getting you to release sensitive data. The e-mail might appear to come from the HR or IT department, asking every user to reply with their account information. Or it might appear to come from a colleague who "accidentally" mailed the entire company an attachment. That attachment actually carries malicious software, such as a virus or Trojan, and opening it installs the malware, which then quietly collects private company information and sends it to the thieves.
Have you heard this before? There's money waiting for you in a foreign land. The head of some financial institution has a problem he wants you to help with and, in return, he'll split a large sum of money with you. Whether it's a lottery win, an inheritance, or unclaimed assets, the scammers are after one thing: easy money. The common thread in this ploy is that someone far away wants you to send them money up front, in exchange for a payout that never arrives.
One man I know received an e-mail that went like this: We would like to stay at your cottage, and we're going to pay you in advance for the rooms. The owner agreed and received a check for a two-week stay, which he deposited. Soon afterward he received another e-mail stating that the guests had changed their plans, would stay only one week, and wanted a refund of the difference. He told me they kept badgering and pressing him for the refund until finally he wired them half the money back. A few days later, his bank told him that the check he had deposited did not clear. The guests never showed up, and they walked away with the money he sent them.
More examples of real-life scams that are posted online can be found at http://www.craigslist.org/about/scams.