Don’t Get Emotional!

Social engineers have many tricks up their sleeves, and we have covered many of them in previous articles.  The biggest trick is phishing emails, of course, coupled with replica landing pages on hijacked websites.  Other methods include phone calls, such as fake tech support calls.  There are texting hoaxes, called smishing.  There are fake, cloned, or hijacked Facebook, LinkedIn, Twitter, and Instagram account exploits.  Your social engineer may appear in person, too.

One sure sign that you may be getting played in a social engineering exploit is that there is a significant change in your emotional state.  Most of the time, most of us are operating in an emotional state that is neutral, or natural.  Neither too happy nor too sad, not too excited nor bored.  Nice and safe and in the middle.  If you are reading an email, a text, or a post, or having a phone conversation, and your emotional state suddenly changes, you are probably being manipulated by a social engineer.  In fact, social engineers and other con artists count on using your emotions to motivate you to do something that is unwise, or not in your best interest.

So pay attention to your emotional state during the day.  Some of the emotions that are commonly used by social engineers are:

  • Romance – This is the hallmark of dating fraud, and can involve emotions such as flirting, infatuation, longing, and love.  If you just met your “soulmate” online, there is a possibility that they are just a con artist out to liberate your money.  If there are requests for money for airfare, or an investment in a business, or to repair a car, there is a good chance this is a fraud.  Romance fraud is the FBI’s number two cyber-crime based on money losses, over $360 million in 2018.
  • Fear – Many phishing exploits generate feelings of fear.  You have a tax problem with the IRS.  Your Social Security Number has been used in a crime and will be cancelled. (BTW, this can never happen.)  Your computer is hopelessly infected with malware.  Your mortgage or electric bill is past due.  There has been a problem with a shipment.  These sorts of claims by social engineers are designed to make you fearful, and to take immediate action without thinking the situation through.  Watch out for fear, because it is the most commonly exploited emotion.
  • Kindness – Many social engineers will play on our better nature, knowing that most people are wired up to be helpful in times of crisis.  There will be a long sad story, and maybe even tears.  The goal is to get you to come to the rescue, whether it is a request for money, or perhaps just getting you to bend the rules a little bit.  A common exploit is to take advantage of a natural disaster or tragedy to solicit funds to help the victims.  Of course your kind donations go straight into the pockets of the fraudsters.
  • Urgency – The basic approach here is to get you to ACT NOW while there is still time.  This is often part of an email account hijacking exploit coupled with a wire transfer request from the apparent holder of the hijacked account.  This often appears as an email from the Boss, requesting funds for an emergency purchase of some sort.  Business email compromise (BEC/EAC in FBI parlance) is the number one cyber-crime in money losses, a staggering $1.3 BILLION in 2018.
  • Curiosity – Curiosity killed the cat, and it is often part of a social engineering exploit.  It may play on prurient interest, such as a message offering nude pictures of yet another starlet.  Or it may be some other version of “check this out” that directs you to a fake web page where you supply information or simply get infected with a malicious download.
  • Greed – You’ve won a lottery you never entered, or been honored with a cash grant from the United Nations for your “good work.”  A Nigerian prince needs your help laundering money for a ridiculous fee or percentage.  In this exploit you stand to make a financial windfall somehow.  It may be as simple as a “free iPad” email, or it may be a more complicated advance fee fraud.  Greed, or the desire for gain or instant wealth, is a very powerful emotion that social engineers use all the time.  There is a well-known case where a neurosurgeon fell for not one, but three different money scams, costing millions.  His son even took him to court to have him declared financially incompetent in an attempt to stop the flow of money.

Be aware that most of these scams rely on more than one emotion; they may be playing with two or more emotions in order to set the hook more deeply.  So if an email arrives or a phone call comes in that causes a dramatic change in your emotional state, it should be a red flag.  Step back, disengage or hang up the phone, take a deep breath, and think about this for a few minutes.  Involve a family member or coworker, and see what they think.  Check it out a bit.  Is this real or not?  In a business setting, you should report these exploits to your IT department.  No matter what, give yourself time to consider whether you are being set up by a social engineer.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
