Online scammers exploit predictable human vulnerabilities: starting scams in the physical world, customizing messages with victims' locations, appealing to vanity and self-interest, posing as familiar brands, exploiting link-sharing norms, and leveraging people's desire to feel secure. Understanding these tactics helps potential victims recognize when they're being manipulated.
This article was written in 2013. The specific scams and tools it references are historical, but the social engineering principles remain relevant today.
Researching online scams opens a window into the world of deceit, offering a glimpse into human vulnerabilities that scammers exploit to further their interests at the victims’ expense. These social-engineering tactics are fascinating, because sometimes they work even when the person suspects that they are being manipulated.
Here are examples of 7 social engineering principles I’ve seen utilized as part of online scams:
- Starting the scam in the “physical” world, because people’s defenses work differently there than online. For instance, one attack started with fake parking violation notices placed on windshields of parked cars. In another example, scammers called victims, posing as tech support specialists, to obtain access to people’s PCs.
- Crafting messages to specify victims’ locations, so that the context of the message seems personally-relevant. For instance, a website that sold a fraudulent “home income” kit customized its text to mention the visitor’s city or town. In another example, variants of the Waledac worm generated a fake new report about an explosion that occurred in the place where the victim was.
- Relying on people’s self-interest by crafting situations that exploit victims’ propensity towards vanity. For instance, “profile spy” scams convinced people to click on links by promising the ability to see who has been looking on their Facebook profiles. In another example, “rogue antivirus” scammers employed SEO techniques in the hopes of getting people to visit the website when they searched for their names.
- Posing as familiar people and brands to gain victim’s attention and trust. For instance, “stuck in London” scammers employed compromised user accounts to persuade victims’ friends to wire money. In other examples, people received malicious messages that appeared to come from trusted companies, such as UPS.
- Exploiting social norms related to link sharing, encouraging people to click on links they encounter on social networking sites. For instance, Koobface worm used victims Facebook accounts to post links to malicious websites. In another example, a malicious site enticed visitors to click by claiming that “99% of people can’t watch this video for more than 25 seconds.”
- Taking advantage of people’s need to feel secure by positioning malicious actions as security measures. For instance, numerous “rogue antivirus” scams have tricked people into installing malware while believing they were installing security tools. In another example, a website presented a fake security warning to entice the visitor into downloading “security updates.”
- Appealing to character traits such as greed or honesty to catch victims’ interest and take action. For instance, the “home income” kit promised easy money for working from home. In another example, the check overpayment scammer expected the victims’ honesty to compel them to forward along the balance of the funds they received.
Miscreants know how to exploit weaknesses in human psyche. Potential victims should understand their own vulnerabilities. This way, they might notice when they’re being social-engineered before the scam has a chance to complete itself.
