Fear, Urgency and Trust: The Cybercrime Emotional Playbook

Sometime last year, on the 13th of November, I received a call from an unfamiliar number. The caller introduced himself as a pastor and claimed to be a member of a Christian group on WhatsApp to which I belonged. His tone was warm and friendly, and he opened with the usual pastoral salutations, immediately putting me at ease. He even mentioned that a meeting was scheduled for later that night, something I didn’t find out of place.

I thanked him for his call, assuming it was a simple check-in, and mentioned that I’d try to tune in if time permitted. He noted my interest, perhaps viewing it as a vulnerability, and decided to push further.

He informed me that the group was “marking an attendance” and that an attendance number would be sent to me shortly. He asked me to read it back to him when I received it. At first, I was surprised. Why would a WhatsApp group need to mark attendance this way? It didn’t align with how this particular community usually operated. If he wanted to confirm my availability, wasn’t that why he called? Read more of the story at: https://hackwhip.hashnode.dev/how-i-escaped-a-whatsapp-scam-a-close-call-with-phishing

What is Social Engineering?

Social engineering is a psychological manipulation technique used by cybercriminals and other malicious actors to deceive individuals, employees, or whole organizations into divulging confidential information, performing certain actions, or granting access to computer systems. It is sometimes described as self-sabotage because the victim carries out the harmful action themselves. Unlike attacks that exploit technical vulnerabilities, social engineering exploits human psychology and behaviour to achieve its goals.

The primary objective of social engineering is to gain unauthorized access to sensitive information or systems, typically as a means to data theft, fraud, or a foothold for a wider intrusion. These attacks can take various forms and can occur both online and offline.

Key Characteristics of Social Engineering

  1. Deception: Social engineers use lies, manipulation, and impersonation to deceive their targets. They often create a false sense of trust or urgency to achieve their objectives.

  2. Exploitation of Trust: These attacks rely on the trust people have in individuals or entities, such as co-workers, IT support, or even official-sounding organizations.

  3. Human-Centric: Social engineering targets human psychology and behaviour rather than technical vulnerabilities. Attackers exploit natural human tendencies like curiosity, helpfulness, and fear.

Common Social Engineering Techniques

There are several common social engineering techniques that attackers employ:

  1. Phishing: Phishing is one of the most prevalent social engineering techniques. It involves sending fraudulent emails or messages that appear to come from a legitimate source to trick recipients into revealing sensitive information.

    Example:

    An attacker sends an email that appears to be from a trusted bank, informing the recipient that their account has been compromised and requesting them to click on a link to reset their password. The link takes them to a fake website designed to steal their login credentials.

  2. Spear-Phishing: Spear-phishing is a more targeted form of phishing where attackers personalize their messages to specific individuals or organizations, often using personal information to increase credibility.

    Example:

    An attacker researches a company's employees on social media and sends an email to an employee, posing as the CEO and referencing recent company events. The email requests sensitive financial information, and because it seems to come from the CEO, the employee complies.

  3. Vishing (Voice Phishing): Vishing involves attackers using phone calls or voice messages to impersonate trusted individuals or organizations, seeking information or access.

    Example:

    An attacker calls a target while pretending to be from a legitimate tech support company. They inform the target that their computer has a critical issue and convince them to provide remote access to "fix" the problem, allowing the attacker to compromise the system.

  4. Pretexting: Pretexting involves creating a fabricated scenario or pretext to extract information from a target. This might involve impersonating a co-worker, vendor, or authority figure.

    Example:

    An attacker impersonates an IT technician and contacts an employee, claiming that there's a security issue with their account. To resolve it, they request the employee's login credentials and other sensitive information.

  5. Baiting: Baiting involves offering something enticing, like a free download or physical media (e.g., a USB drive), that contains malware. When the victim interacts with the bait, their system becomes compromised.

    Example:

    An attacker leaves infected USB drives in a company's parking lot with labels suggesting they contain important files. An employee finds one and, out of curiosity, plugs it into their work computer, unknowingly introducing malware.

  6. Tailgating: Tailgating is a physical social engineering technique where an attacker follows an authorized person into a secure area by exploiting politeness or trust.

    Example:

    An attacker dressed as a delivery person waits outside a secured office building and then follows an employee who holds the door open for them, gaining unauthorized access to the premises.

Phishing Attacks

Phishing attacks are a prevalent form of social engineering where attackers use deceptive emails, messages, or websites to trick recipients into revealing sensitive information, such as login credentials, financial data, or personal details.

Common Phishing Characteristics

  1. Deceptive Emails: Phishing emails often appear to come from trusted sources, such as banks, government agencies, or well-known companies. Attackers use logos, formatting, and language to mimic official communications.

  2. Urgency or Fear: Attackers create a sense of urgency or fear to pressure recipients into taking immediate action. They may claim an account is compromised, a payment is overdue, or a legal issue is pending.

  3. Suspicious Links: Phishing emails contain links that, when clicked, lead to fake websites that mimic legitimate ones. These sites are designed to capture whatever the victim types into them, and the visible link text is often a legitimate-looking address that differs from the real destination.

  4. Attachment-Based Phishing: Some phishing emails contain malicious attachments, such as infected documents or executables. Opening these attachments can compromise the recipient's device.

Examples of Phishing Attacks

  1. Bank Account Phishing: An attacker sends an email that appears to be from a bank, claiming there is unusual activity on the recipient's account. The email instructs the recipient to click a link to log in and verify their information. However, the link leads to a fake banking website designed to steal login credentials.

  2. Tax Refund Scam: During tax season, an attacker sends an email posing as a tax agency. They inform the recipient that they are eligible for a significant tax refund but need to provide personal and financial information to claim it. The recipient complies, unwittingly handing over sensitive data.

  3. Credential Harvesting: An attacker sends an email disguised as a popular social media platform, claiming that the recipient's account has been suspended due to suspicious activity. The email asks the recipient to verify their identity by clicking on a link and entering their username and password, which the attacker then captures.

  4. COVID-19 Phishing: During the COVID-19 pandemic, attackers exploited fear and uncertainty by sending emails impersonating health organizations or government agencies. These emails contained links to fake COVID-19 information sites, which delivered malware or harvested personal information.

  5. Executive Impersonation (business email compromise): An attacker researches a company and identifies a high-ranking executive. They send an email appearing to be from that executive to a lower-level employee, requesting a large financial transfer to a specific account. The employee, thinking it's a legitimate request, initiates the transfer. A callback to the executive on a known number, rather than a reply to the email, is the control that breaks this attack.

Phishing Prevention

Preventing phishing attacks involves a combination of user awareness and technological measures:

  1. Education: Train users to recognize phishing red flags, including suspicious email addresses, unexpected requests for sensitive information, and urgency in messages.

  2. Email Filtering: Implement email filtering that identifies and quarantines suspicious messages before they reach users' inboxes, and publish and enforce SPF, DKIM, and DMARC for your own domains so that mail spoofing your sender addresses is rejected rather than delivered.

  3. Multi-Factor Authentication (MFA): Encourage or require MFA so that a stolen password alone is not enough to log in. Be aware that one-time codes and push approvals can still be relayed in real time by a phishing proxy sitting between the victim and the real site, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine domain and will not work on a lookalike.

  4. URL Inspection: Use browser extensions or security software that check website URLs against known phishing databases. Such lists lag behind freshly registered domains, so pair them with heuristics for lookalike domains rather than relying on reputation alone.

  5. Regular Updates: Keep operating systems, browsers, and security software up to date to mitigate vulnerabilities that attackers might exploit.
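The "URL Inspection" item above is usually backed by a reputation database, but the cheap checks a filter can run before any lookup are worth seeing in code. The following is an added example written for this post, not code from the article or from any product. It assumes yourbank.com is the legitimate brand domain, and the small public-suffix table and confusable-character map are illustrative stand-ins for the full Public Suffix List and Unicode confusables data a real tool would load.

```python
"""Lookalike-domain classifier for the URL inspection step.
Added example, not code from the original post. The brand domain yourbank.com,
the tiny public-suffix table and the confusable map are illustrative
assumptions; a real tool uses the full Public Suffix List and Unicode
confusables data."""
import unicodedata
from urllib.parse import urlparse

TWO_LEVEL_SUFFIXES = {"co.uk", "com.ng", "com.au", "co.za"}   # illustrative subset
CONFUSABLES = {  # Cyrillic and Greek letters that render like ASCII (subset)
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
}


def registrable(host):
    """Split a host into (registrable domain, list of subdomain labels)."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]


def damerau_levenshtein(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fold_confusables(label):
    """Decode a punycode label and map look-alike letters to their ASCII twins."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    label = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify(url, brand="yourbank.com"):
    """Classify a URL, bare host, or e-mail address relative to the brand domain."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    reg, subs = registrable(host)
    if reg == brand:
        return "legitimate"
    brand_label, reg_label = brand.split(".")[0], reg.split(".")[0]
    folded = fold_confusables(reg_label)
    if folded != reg_label and folded == brand_label:
        return "homoglyph"           # yourbank.com spelt with Cyrillic o (U+043E), or its punycode
    if brand_label in ".".join(subs):
        return "brand-as-subdomain"  # yourbank.com.evil-login.net
    if reg_label == brand_label:
        return "different-tld"       # yourbank.co
    if 0 < damerau_levenshtein(reg_label, brand_label) <= 2:
        return "typosquat"           # yourbankk.com, yourbnak.com
    if brand_label in reg_label:
        return "brand-in-label"      # yourbank-phishingsite.com
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://www.yourbank.com/login", "www.yourbankk.com",
                   "https://yourbank.com.evil-login.net/verify",
                   "www.yourbank-phishingsite.com", "http://y\u043eurbank.com"):
        print(f"{sample:45} {classify(sample)}")
```

Feeding a sender address such as support@yourbankk.com works too, since the user part is dropped when the host is extracted. The verdict order matters: the homoglyph and subdomain checks run before the edit-distance check because a domain that decodes to the brand name exactly would otherwise look like a zero-distance match.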

Identifying Phishing Attempts

Recognizing phishing attempts is crucial for individuals and organizations to protect themselves from falling victim to these deceptive attacks. Here are some key factors to consider when identifying phishing attempts:

  1. Check the Sender's Email Address:

    - What to Look For: Examine the sender's email address carefully. Phishing emails often use slightly altered or fake addresses that may resemble legitimate ones but contain subtle differences.

    Example:

    A phishing email may come from "support@yourbankk.com" instead of the legitimate "support@yourbank.com."

  2. Verify the Greeting:

    - What to Look For: Legitimate organizations usually address you by name. Be cautious if the email opens with a generic greeting like "Dear Customer" or "Hello User." The reverse does not hold: a spear-phishing email will use your name precisely because the attacker looked it up, so a personal greeting is not evidence of legitimacy.

    Example:

    A phishing email might start with "Dear Customer" instead of addressing you by name.

  3. Be Wary of Urgent or Threatening Language:

    - What to Look For: Phishing emails frequently create a sense of urgency or fear to pressure recipients into taking immediate action. Be sceptical of messages that claim your account is suspended, a payment is overdue, or legal action will be taken if you don't act quickly.

    - Example: An email stating, "Your account will be permanently locked in 24 hours if you don't verify your information now" is likely a phishing attempt.

  4. Scrutinize Embedded Links:

    - What to Look For: Hover your mouse pointer over links (but do not click them) to preview the URL. Check if the URL matches the legitimate website's domain. Be cautious if the link redirects to a suspicious or misspelled domain.

    Example:

    A link that appears to lead to "www.yourbank.com" but actually goes to "www.yourbank-phishingsite.com" is a red flag.

  5. Examine Email Content for Spelling and Grammar Errors:

    - What to Look For: Phishing emails often contain spelling mistakes, grammatical errors, or awkwardly phrased sentences, and legitimate organizations typically maintain a higher standard of communication. Treat errors as a signal rather than a requirement: well-resourced campaigns, and anything drafted with a language model, can be flawless.

    Example:

    An email with phrases like "your acount has been comprimised" is likely a phishing attempt.

  6. Beware of Unsolicited Attachments:

    - What to Look For: Be cautious about opening email attachments, especially if the email is unexpected or from an unknown sender. Phishing emails may contain malicious attachments designed to infect your device.

    Example:

    An email with an attachment named "Invoice.exe" should raise suspicion, as should double extensions such as "Invoice.pdf.exe", script files (.js, .vbs, .hta), shortcut files (.lnk), and archives or disk images (.zip, .iso) used to carry an executable past filters.

  7. Verify Requests for Sensitive Information:

    - What to Look For: Legitimate organizations rarely request sensitive information (such as passwords, Social Security numbers, or credit card details) via email. Treat such requests with extreme caution.

    Example:

    An email asking you to reply with your username and password is almost certainly a phishing attempt.

  8. Trust Your Instincts:

    - What to Look For: If something about an email feels off, trust your instincts. If you have doubts about its legitimacy, independently verify the request or contact the organization directly using trusted contact information (not provided in the suspicious email).

  9. Check for Secure Connections:

    - What to Look For: Look for "https://" before entering anything, but treat it as a minimum rather than proof of legitimacy: the padlock only means the connection to that site is encrypted, and phishing sites routinely obtain valid TLS certificates too. An email has no equivalent indicator a recipient can rely on, so judge the destination by its domain, not by the icon.
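Most of the checks in the list above can be run mechanically over a raw message. The following is an added example written for this post, not code from the original article: it parses a constructed phishing e-mail with Python's standard email module and reports each red flag it finds. yourbank.com is assumed to be the domain this mailbox trusts, and the urgency phrases and risky extensions are illustrative lists rather than a complete ruleset.

```python
"""Phishing triage of a raw e-mail against the red flags listed above.
Added example, not code from the original post. yourbank.com is assumed to be
the domain this mailbox trusts; SAMPLE is a constructed phishing message and
the phrase and extension lists are illustrative, not a complete ruleset."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "yourbank.com"   # assumption for this example
URGENCY = ("immediately", "24 hours", "permanently locked", "suspended", "verify your information")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".iso")
GENERIC_GREETING = re.compile(r"\b(dear|hello|hi)\s+(valued\s+)?(customer|user|client|member)\b")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _Links(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL, or the domain part of an e-mail address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def same_site(host):
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)

def triage(raw):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg.get("From", "")))          # 1. sender address
    if not same_site(host_of(sender)):
        findings.append(f"from-domain-mismatch: {sender}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))    # replies diverted elsewhere?
    if reply_to and host_of(reply_to) != host_of(sender):
        findings.append(f"reply-to-mismatch: {reply_to}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()
    if GENERIC_GREETING.search(text):                          # 2. generic greeting
        findings.append("generic-greeting")
    hits = [p for p in URGENCY if p in text]                   # 3. urgency / threats
    if hits:
        findings.append("urgency-language: " + ", ".join(hits))
    links = _Links()                                           # 4. shown text vs real target
    links.feed(html)
    for shown, href in links.pairs:
        target = host_of(href)
        if LOOKS_LIKE_URL.fullmatch(shown) and host_of(shown) != target:
            findings.append(f"link-text-mismatch: {shown} -> {target}")
    for part in msg.iter_attachments():                        # 6. risky attachments
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"risky-attachment: {name}")
    return findings

SAMPLE = """\
From: "YourBank Security" <support@yourbankk.com>
Reply-To: verify@mail-yourbank-help.net
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your acount has been comprimised. Your account will be permanently locked
in 24 hours if you don't verify your information now.</p>
<p><a href="http://www.yourbank-phishingsite.com/login">www.yourbank.com</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="Invoice.exe"
Content-Disposition: attachment; filename="Invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The findings are signals to be weighed, not a verdict: a message that trips none of them can still be a spear-phishing email that uses your name and a clean domain, which is why the out-of-band verification in item 8 remains the decisive check.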

Educating yourself and your team about these detection techniques is essential for maintaining a strong defence against phishing. Encourage a culture of vigilance and scepticism within your organization, and make it easy to report a suspicious message, to reduce the risk of anyone falling victim.

With each phishing campaign, the attacker is counting on at least a few recipients falling for it, whether out of curiosity, ignorance, fear, or some combination of these.


Written by

Cyber Hack Whip Blog

I am Deborah, a Software Developer From Nigeria. As a Tech Enthusiast, I love to write about the latest advancements in technology. From Software Development to Cloud Computing, Cybersecurity, Cryptography and Blockchain Technology, I cover a wide range of topics in a clear and concise manner. Join me on my journey as I explore fascinating concepts in computer technology and share my insights with you. Follow my blog for regular updates and stay up-to-date on the latest tech trends!