Social engineering: why people give money to scammers themselves

Father

The great schemer Ostap Bender honored the criminal code. He preferred psychological tricks to banal robbery, so that the victims of his charm would voluntarily hand over the keys to the apartments where the money is. Later, a special name was invented for such machinations: social engineering. We will tell you what schemes social engineers use today and how to protect yourself from them.

Who are social engineers?
In a broad sense, these are specialists who know how to manipulate others. But we usually hear about those social engineers who use psychological tricks to extract money, or the data needed to access someone else's account.
According to statistics, in most cases people do not lose their savings because their accounts are hacked. Most often, the owners of bank cards hand the fraudsters their full card details themselves, including the number, the expiration date, the three-digit CVV/CVC code, as well as the passwords and SMS codes that banks send to confirm transactions.
If you handed the secret data to the fraudster yourself, the bank is not obliged to compensate the stolen money.
Even the smartest and most cautious people sometimes fall for the crooks. Below we analyze the most common psychological tricks used by scammers.

Build trust
Fraudsters often pose as people from whom nobody expects a dirty trick: employees of banks, tax services, law offices and other official organizations.
A social engineer can pretend to be your friend or relative, for example by hacking or cloning their social media accounts.
Usually, before making contact, social engineers try to find out as much as possible about the potential victim. They collect a person's data, most often through phishing sites, or they buy ready-made databases of personal data that have leaked online.
Often, people themselves publish phone numbers and email addresses, and even post photos of their bank cards, on social networks.
This information is not enough to steal money right away, but it is quite enough to start a conversation and lull the victim's vigilance. When fraudsters address a person by name and patronymic and themselves quote a card number or other confidential data, it seems that they really represent a familiar organization or person.

Fake phone numbers, documents and websites
It is often difficult to guess right away that you are dealing with scammers. They are masters of disguise:
  • They spoof the number from which they call or send messages. Using special software, they hide the real number, so that during their call your screen shows, for example, a familiar bank phone number.
  • They forge documents: using Photoshop, criminals create fake tax notices, fine receipts and utility bills and send them to the victim's home address, by SMS or by e-mail. If a person pays such a notice, all the money goes to the scammers:
“Yesterday I received a letter, allegedly from the tax inspectorate, demanding to pay tax dues. The letter is very similar to the original one; it contains a QR code for entering data from a smartphone. The first thing that caught my eye was the unusually high amount of tax collection ...”
Be vigilant, do not step on someone else's rake!
  • They copy the websites of banks, microfinance organizations, insurance companies, popular online stores, as well as ad portals and payment pages. Fraudsters expect that the user will either immediately transfer money to their account or leave the confidential details of their bank card.
For more information on how to recognize a fake page on the Internet, read the text "Phishing: what it is and how to protect yourself from it".

Frighten with the loss of money
Arousing fear is half the battle for a deceiver: a frightened person is much more suggestible. For example, a fraudster calls "from the bank's security service" and reports that a suspicious transaction is being carried out on the card "right now".
The confused "client" is asked to urgently read out the three-digit code on the back of the card in order to cancel the transaction, or to transfer the money to some "safe account".
If a person succumbs to panic and follows the instructions of the "experts", then, without realizing it, they will send all their savings to the scammers themselves.

Lure with a win
Fraudsters actively exploit people's desire for easy enrichment. They create special sites offering promotions of unprecedented generosity. For example, they offer to take a survey for a tempting monetary reward, to take part in "win-win" contests, or to receive social benefits or tax refunds.
Scammers advertise these sites on social networks and send them in instant messengers, by e-mail and by SMS. Often, such advertisements are accompanied by photographs and spliced video clips of celebrities who appear to encourage people to take part in the scheme. Clicking the link to the contest or lottery site, a person sees a lot of enthusiastic reviews from those who have allegedly already received their money.
“I took part in a contest on the social network Instagram about a month ago, where the prize was any item that I choose, posted on the page. I chose a thing, wrote to the organizers, after which I was offered to pay for delivery in the amount of $10 ...”
Be vigilant, do not step on someone else's rake!
In reality, however, instead of cash prizes people face only losses. Under various pretexts, the organizers of the scheme ask them to enter their card details in order to pay a symbolic tax, the services of "lawyers" or a participation fee. The main danger lies not in the loss of an insignificant amount: once a person has left confidential information on a phishing page, the scammers gain access to the money in their account.

Offer to restore justice
As a rule, scammers maintain databases of people who have already succumbed to their deception once and may fall for their tricks again. Those who have lost money on financial pyramids, pseudo-lotteries and other scams are offered "compensation" by the scammers.
The goal is still the same: under the pretext of paying for the "services of a lawyer" or a "commission for transferring the money", the person is persuaded to provide the full details of the card, so that they once again get a chance to lose their money.

Exploit high-profile news
Fraudsters become more active against the backdrop of catastrophes, natural disasters and epidemics. For example, during the coronavirus pandemic, fraudsters collect money "for the development of a vaccine" in the name of the World Health Organization.
Social engineers monitor the news and public sentiment and quickly adapt to the current situation. During the period of self-isolation, they send everyone SMS messages about a "fine" for violating quarantine, citing non-existent laws.
On behalf of airlines, they offer "compensation" for canceled flights in exchange for secret bank card details.
The most brazen put on protective suits and go door to door. They tell people that their neighbors have "tested positive for coronavirus", so the residents should take the test too, for a reasonable fee. You can wait for the results of the swab indefinitely; the scammers are only interested in being paid for their visit.

Don't give time to think
Fraudsters deliberately hurry and pressure the victim to deprive them of the chance to make an informed decision in a calm setting. They demand that money be transferred immediately, that some service be paid for urgently, that a secret number, password or code be given "as soon as possible".
“An unfamiliar man calls and says that he sent me $500 by mistake. He asks me to send it back to a card number that he will dictate now. I figured it was a scam and hung up. I check the mobile bank, and the money really has arrived. Then that man calls again and starts yelling into the receiver ...”
Be vigilant, do not step on someone else's rake!
If you feel pressured while trying to make any financial decision, this is a sure sign that you are dealing with scammers. If you have the slightest suspicion, hang up and call the bank's hotline yourself: the number is on the organization's website and on the back of your bank card.

How to protect yourself from social engineers?
Swindlers constantly come up with new deception schemes. The only way to avoid financial losses when you encounter scammers is to treat any offer critically, double-check the information and never rush into financial decisions.
Follow the basic rules of financial security:
  • Never, under any circumstances, tell anyone the full details of your bank card, including the three-digit code on the back, or your PIN codes and the one-time passwords the bank sends by SMS.
  • Do not follow dubious links from messages and do not transfer money to strangers on demand.
  • Do not keep a lot of money on the card that you use to pay online: put on it only the amount you are going to spend at the moment. Then, even if scammers try to steal money, they will not be able to take much.
  • If you receive a sudden call from any financial institution with an urgent question or offer, hang up and call it yourself, finding the number on its official website. Dial this number manually. If you are contacted by a company you are not a client of, first check it against a directory of financial institutions.
  • Do not immediately agree to any "tempting offer", be it a "profitable loan" or a sudden compensation. Give yourself time to think, consult with friends, and look online for information about the company and the "unique promotion" it advertises to you.
  • Do not publish your personal data in the public domain: phone number, home address, passport data. Fraudsters willingly use this information in their scams.
If you are faced with a fraudulent scheme, tell us about it in our fraud section. Share your experience to prevent scammers from enriching themselves at the expense of other people.
If the criminals nevertheless managed to get access to your accounts, see the text "What to do if money was stolen from a bank card".
 
Social Engineering - An Introduction to the Art of Deception
Salute to those who like to fuck up someone else's account. In this article we will raise the topic of social engineering (SE). After all, only with SE knowledge and skills can you put your technical skills and knowledge to use.

If we attack a whole database of contacts, a certain percentage of people will click the link and enter their data. This can be 5, 10 or 50% of the total. It all depends on our preparation and our knowledge of the target audience.

It is a completely different matter when you need to get access to a specific person or company. In most cases, you can't just send random messages on social networks and by mail. It is very important to use SE to gain trust, or to use one of the techniques. That is why I wanted to talk about the techniques that Kevin Mitnick describes in detail in the book "The Art of Deception".

Before analyzing specific schemes, I want to add a quote: "The human factor is truly the weakest link in security."

Scheme 1: Do no harm
At the beginning of the book, it is very well described that you need to work carefully with the participants in the process. A social engineer needs to make a lot of calls and send enough emails, and at certain points the target may become suspicious. An attacker is considered to have burned the source if he lets the victim realize that an attack has taken place. That information may be passed on to management, the security service and so on, after which it is very hard to use the source for future attacks.

You always need to monitor the mood of the person on the other end of the line, from the state of "I trust you completely" to "I will contact the police". You should also pay attention to how the person answers the questions. If you sense doubts and suspicions, reduce the number of questions to the victim and use the "last question" technique. The second question is an opportunity to tell from the tone of voice whether the person is suspicious of such a call.

Legend. A strong justification removes suspicion. You can say that you need the information for a university research paper or a social study. Your legend should inspire confidence and be as close to the truth as possible.

Two or three additional questions at the end. Be sure to ask a few extra questions after obtaining the information you need. Even if suspicions arise some time later, the victim will remember these last two or three questions.

Scheme 2: Getting information
To communicate with company employees or with the target, you need to know as much as possible, so that the target trusts you on key points. Sometimes, to get all this data, you need to make several calls and collect the information bit by bit. To do this, you need to prepare well and take the recommendations into account.

To get contacts, you can call the company where the victim works and present a legend: you worked with a certain department or a specific person but then lost contact. There is nothing suspicious about this; for the company, customers = money, and in most cases the right contacts will be shared with you.

In all conversations, keep a friendly tone and use professional slang. This earns you a minimum of trust among the company's employees.

Knowledge of corporate information. You can raise the level of trust by knowing the names, structure and positions of employees, as well as certain working conditions, server names, particular procedures and so on.

Scheme 3: "Working with certain employees of the company"
Very often, the victims of social engineers are new employees and service personnel who do not have access to computer systems and networks. New employees always want to help and prove themselves, so they are easy to engage and may not yet know all the company's rules.

Duty staff or other employees can hand out printed material that is very important without suspecting any danger. The book describes this in the story of the directory of test numbers, which was obtained by simple deception: the social engineer called, introduced himself as a representative of the directory's publisher, and said he could not deliver the new issue until he had received the old one. The old directory was left outside the door and collected by the social engineer.

Do not grant new employees access to computer servers and systems without first training them in how to handle information, systems and networks.
Absolutely all employees should be trained in information security, regardless of whether they have access to automated systems or not.
All information must be classified. If a piece of information is not covered by the company's information security policy, it should be treated as confidential.
Security training should emphasize: when in doubt, check, check, and check again!

Scheme 4: "Let me help you"
This is a very effective scheme. People are subconsciously grateful to those who are willing to solve their problem, and social engineers use this to their advantage. They know how to create a problem and then provide a solution. Once the victim has expressed gratitude, the attacker can deliver the malware or obtain the needed information, because nobody suspects a threat.

Chapter 5 describes a story in which a social engineer called one of the employees, introduced himself as technical support, and warned that the Internet connection might go down; if that happened, the employee should call a specific phone number. The social engineer then called the real technical support, introduced himself as that employee, and asked them to disable the employee's access. The scheme worked, and the target called back at the number he had been given.

Don't involve outsiders who offer to solve your problem. Pay close attention when the issue was discussed with you earlier, or when someone warned you in advance and gave you a number to call.

If you did have to bring in outside people to solve the problem, do not perform any further actions after it was resolved, especially if the person asks you to enter commands at the command line or run a file.

The scheme with a simple request for help also works quite effectively. By nature, people tend to help others. Usually the social engineer puts himself in the position "I'm in trouble, I need help". The better the "trouble" is thought out, the more likely it is to succeed.

The book describes a good example of an attack during a snowstorm, when the roads were in a bad state. The social engineer took advantage of the situation, presented the poor road conditions as his misfortune, and asked for access to work from home. This method was used to bypass two-factor authentication.

Companies need to maintain an employee number directory and treat it as confidential information. Then the information can be checked to find out whether the caller is really an employee of the company.

A procedure must be developed that precisely describes how access to a given system is granted, taking into account access levels, the information security policy and so on.

Such requests always deserve close attention. After all, in this story the manager himself confirmed the request and "helped" the social engineer get access.

Conclusion
Although the book was published in 2004, many of its techniques are still relevant today. The main thing is to understand how they work in practice. Pay close attention to the various kinds of requests and information you receive, because among them there may be attacks by social engineers.