
There's Nothing "Social" About Online Social Engineering Attacks

Social engineering attacks are designed to deceive so they can harvest information that can be resold on the black market.
This post was published on the now-closed HuffPost Contributor platform.

If you didn't know better you might think the term "social engineering" was a benign reference to some "friendly engineers" - but you'd be wrong. Security experts have long worried about these types of online attacks because they use common and "cheap" marketing tactics to deceive, making them harder to detect than, for example, technology-based, more "expensive" scams, which often leave a telltale technology "fingerprint" that can expose the fraud.

As a result, we see that social engineering attacks run rampant (*sigh*), like those emails from "your bank" asking you to confirm your user information due to some "security breach". Or the email congratulating you on being the "lucky multi million dollar winner" in a lottery. Or (and these types always crack me up) you are "most kindly" asked to "act as agent" for someone who seems to have benefited from some amazing financial windfall.

All these emails are different forms of social engineering attacks - designed to deceive so they can harvest information that they resell on the black market. Using social engineering techniques, the thieves are increasingly getting more sophisticated and are becoming more effective at convincing enough folks to give up their information to be profitable (*sigh* #2).

But the stakes just keep getting higher. Now the fraudsters have set their sights on our high school/college kids who are looking for jobs (*sigh* #3). This makes a bad situation worse since many kids are very naïve about these types of threats. That's why it is incumbent on us to launch an offensive counter attack by exposing these fraudsters as quickly and as broadly as possible. (Please, please - if any of you have kids looking for work - please ask them to read this! Send it to your local high school or college. Spread the word.)

How does the scam targeting kids work?
The scam's approach is to run an ad on craigslist looking to hire people "for flexible work." (Author's note: I do not in any way blame craigslist any more than I would blame Gmail for delivering the scam emails. I mention craigslist overtly only because kids use craigslist regularly.) Here's the actual ad that ran - it was brilliantly written by a direct marketing expert (*sigh* #4):

Our Company Name is {reputable WATCH company}, We are located in SWITZERLAND. The Swiss brand name symbolizes an excellent choice in marketable wrist watches. We are proud of our small but traditional watch factory and our stylish watch collection. The primary goal of the Administrative Officer is to provide local customer assistant to our clients within North America.

During the trial period, you will be paid 2,000USD per month while working on average 3-4hours per day, plus 10% commission from every payment received and forwarded. After the trial period your base pay salary will go up to 2,200USD per month, plus 10% commission.

So far it sounds amazing and legit - right? A dream job for any college kid especially since a reputable company was used in the ad. At this point it is impossible to detect the scam. But the email continues and once you read it carefully, one begins to see some cracks in this fantasy job scenario...

Your First Primary task (Collection of Payments)
Author's note - This is the big "yikes" part
1. Receive payment from our Customers or Clients.
2. Cash Payment at your Bank or any cashing facilities near you.
3. Deduct 10 % which will be your percentage/pay on Payment processed
4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to, you'll have a lot of free time doing another job, because this job schedule is flexible, you'll get good income .But this job is very challenging and you should understand it.

Please kindly fill your personal details below, so that you can get started.
Full Name:
Apt #:
Postal Code:
Resident Phone Number:

"Stanley Walker"

(a.k.a. Freddy Fraudster)

There are so many red flags but our kids might not spot them so easily. Aside from the danger of sending confidential information to Freddy Fraudster, the scam has kids deposit checks into their account - and forward proceeds (less 10%) to the "company" (*sigh* #5). It's likely the checks will seem to clear but then bounce after the kids had dutifully forwarded payment. I shudder to think how well this particular scam worked given the target was a segment already stressed to find work.

Our best defense is a good offense and that means:
  • Exposing this scam as widely as possible. Educate our kids to be suspicious of ANYONE trying to get their personal information - even something that seems innocent like an address and phone number. "When in doubt - leave it out" should be the mantra of everyone in the house.
  • To safely apply for jobs, have kids set up a new, free email account so they can keep their important email information separate from their job hunting activities.
  • Ideally, it is best not to include a specific home address or even a mobile phone number on a CV or resume. Once some trust has been established, then more specific information can be released.
  • Sadly, we must really train our kids to accept that if something sounds too good to be true on the Internet -- it is nearly guaranteed to be fraud. Period.
  • But here's what will do the most good. Share this information/link on your Facebook page. Twitter it out. Send an email to your school's administrators telling them about this particular threat.

Let's keep a digital eye out for each other and spread the word until the technology "good guys" can put these guys out of business. Watching out for each other is one way to use social media to beat back the bad guys.