
Social Engineering: Examples Continued

This video continues the focus on fear or greed as tools for hackers using social engineering.
Now, this is a different type of social engineering attack. So this isn’t a phishing attack per se. It’s not pretending to be something else. It’s not pretending to be your boss. It’s not pretending to be Amazon, or PayPal, or Microsoft. It’s not pretending to be the FBI saying, hey, we locked your computer. We found you doing some crazy stuff. This one was a sextortion scam. So a sextortion scam is a scam where they try to extort you by something that you’ve done or supposedly done. And we saw this with things like Celebgate, where a malicious hacker stole a bunch of compromising photos from people, celebrities, and then tried to use that to blackmail them.
So what this scam was, a hacker would either go out and start sending these emails out to people saying, hey, look. I found you doing something - I got a hold of your computer. I put a virus on there. I activate your webcam or your microphone. I start taking screenshots, and I caught you doing all these crazy things online. You’re doing all these naughty things. And, hey, unless you want me to send all these videos and photos to everyone on your contact list - your friends, and your family, your co-workers - you better pay me in Bitcoin. And I’m even going to walk you through how to get Bitcoins and send it to me.
And you have - well, this particular one’s 26 hours. It’s usually 24 hours or 12 hours to comply with it. And the part that would really be scary for a lot of users is that some of these were a little bit more sophisticated, where they would say, “Hi there, so-and-so. I know your password is such and such.” And the way this worked was the malicious hacker would typically go to a data breach site or pull some sort of data breach, and then find a person’s email and password. And since people generally have bad password habits and don’t change their password often, they can go, “Hey, dispogames@gmail.com, I caught you doing all these crazy things.
And if you don’t believe me that I got on your computer, your password was such and such.” And if I was a typical user, and I didn’t change my password, and I look at that, that gives this email legitimacy. Now, I’m thinking, “Oh, my gosh. They got my email address. They got my password.” And you may or may not have been doing anything online. But the fact that they say they have something - they’re saying they have access to your computer, and they’re going to send all this crazy stuff to my friends, my family, my co-workers, and that - that’s enough to scare a lot of people to take action.
Well, again, so this is working a couple of different angles. This is fear, because it’s scaring me that, hey, someone got on my computer. They caught me, or they said they caught me, doing all this crazy stuff. And they got my password, and they got my contact list. And they’re going to send this out to all these people. And then we have scarcity, scarcity being time. In this particular case, I only have 26 hours to send this money off to this hacker. So, again, it’s a really horrific attack, because it’s pretty painful when someone targets you in this type of way saying, I got on your computer. I got your password. I’ve been sitting on a computer.
I’ve been grabbing all this information. It’s a violation of your privacy, and it scares a lot of people. But, again, this is social engineering. It’s essentially amygdala hijacking where, OK, oh, my, they grabbed this information. They got my password. But, again, if you take a moment to think about it - well, let’s see. This particular email doesn’t have a password to prove that they got on your system, if you sit and think about it, whether you did anything crazy on your computer, whether there’s actually any legitimate information there. And what a lot of people would do is they would just wait the 26 hours and see if anything happened. And in most cases, nothing ever happened. It’s a bluff.
So this other one I want to show you is, money for you. So $2 million was made to you, contact us for detail. At the Luminate Education, we work flexibility. While it suits me to email you now, do not expect a response reaction outside your own working hours. And what I was supposed to do is call them, or email them, or visit their website, and find out, hey, where’s my $2 million? So this, obviously, is greed, greed that, hey, somehow I got $2 million. This is awesome. I’m rich. Well, of course, it’s not a legitimate email. I don’t know anyone that’s going to give me $2 million.
It’d be great, but I really don’t think anyone’s going to give me $2 million out of the blue. So if we look at this email, this looks very suspicious. Because, first of all, it’s to Jeannie Appleyard - not to me. This email itself and this information doesn’t really go into why I’m getting $2 million. It’s not addressing me directly. So, again, this is appealing to your sense of greed.


Hackers may try to use extortion to get you to respond to their messages. As with the FBI example seen in the previous video, the idea is that you will be scared, and this fear will make you respond quickly – and recklessly.

Alternatively, some hackers take a different approach and will try to initiate contact through scams stating that you have won money.

When you receive an unexpected message and you find yourself having an emotional response, it is important to pause and take a few moments before you act. We will go into more detail on what you should do in the next step.
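As an added illustration (not part of the course material), the pressure cues described above can be turned into a simple mail-screening heuristic: a quoted password, claimed webcam or virus access, an hour-based deadline, a Bitcoin demand, an unexpected windfall, and a To: header that names someone other than you. The sample messages, rule weights and threshold below are constructed for the example, not tuned on real mail.

```python
import re

# Constructed sample messages modelled on the two scams the video describes
# (a sextortion email and a "money for you" email) plus a benign one.
SEXTORTION_SAMPLE = (
    "Hi there. I know your password is hunter2. I put a virus on your computer "
    "and activated your webcam. Unless you pay me in Bitcoin within 26 hours "
    "I will send the videos to everyone on your contact list."
)
WINDFALL_SAMPLE = "Money for you. $2 million was made to you, contact us for detail."
BENIGN_SAMPLE = "Hi Alex, attached are the slides from Tuesday's meeting. Thanks!"

# Cues from the video: fear (quoted password, claimed device access, threat to
# contacts), scarcity (hour deadline), greed (windfall) and the Bitcoin demand.
# Weights and threshold are illustrative assumptions, not tuned values.
RULES = [
    ("quotes_password", re.compile(r"your password (is|was)\b", re.I), 3),
    ("claims_device_access", re.compile(r"\b(webcam|microphone|virus|screenshots?)\b", re.I), 2),
    ("threat_to_contacts", re.compile(r"\b(contact list|friends|family|co-?workers)\b", re.I), 1),
    ("hour_deadline", re.compile(r"\b\d{1,3}\s*hours?\b", re.I), 2),
    ("crypto_payment", re.compile(r"\b(bitcoin|btc)\b", re.I), 3),
    ("unexpected_windfall", re.compile(r"\$\s?\d[\d,.]*\s*million\b|\byou (have )?won\b", re.I), 3),
]
FLAG_THRESHOLD = 5


def score_message(body: str, to_header: str = "", my_address: str = ""):
    """Return (score, names of triggered rules) for one message body.

    A To: header that does not contain the reader's own address (the
    "to Jeannie Appleyard, not to me" observation) adds a cue as well.
    """
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(body):
            score += weight
            hits.append(name)
    if my_address and to_header and my_address.lower() not in to_header.lower():
        score += 2
        hits.append("not_addressed_to_me")
    return score, hits


def is_suspicious(body: str, to_header: str = "", my_address: str = "") -> bool:
    """True when the accumulated pressure-cue score reaches the threshold."""
    return score_message(body, to_header, my_address)[0] >= FLAG_THRESHOLD


if __name__ == "__main__":
    for label, body in [("sextortion", SEXTORTION_SAMPLE), ("windfall", WINDFALL_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, score_message(body, "jeannie.appleyard@example.com", "me@example.com"))
```

The scorer is deliberately a pause-and-check aid, not a spam filter: a high score means "stop and verify before acting", which is exactly the response the article recommends.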

Reflect and share: In the next step you will learn what to do to mitigate these types of attacks, but take a moment now to reflect on how you have responded to social engineering attacks using fear or greed in the past. Share your comments in the section below.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn.