Four of the newest (and lowest) Social Engineering scams

Your computer files are being held for ransom. Pay up, or lose them. Your bank account is being emptied, so click here to stop it. Your friend has died, click on this funeral home site for more information. Social engineering thugs have reached new lows.

Social engineers, those criminals who take advantage of human behavior to gain access to data or infiltrate businesses, were once content to trick people with free offers or funny videos before unleashing their scams. Today, social engineering gangs have taken a darker turn toward strong-arm tactics, threats, emotional cruelty and dire ultimatums.

While the total number of emails used per spear-phishing campaign has decreased and the number of those targeted has also decreased, the number of spear-phishing campaigns themselves jumped 91 percent in 2013, according to Symantec Corp.'s 2014 Internet Security Threat Report, released in mid-April.

Campaigns run about three times longer than those in 2012, and indicate that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering. Symantec also reports that "real world" social engineers are combining virtual and real world attack to increase the odds of success.

Chris Hadnagy, Chief Hacker at Social-Engineer, sees an increase in the use of this tactic against business employees.

"Groups are sending phishing emails with malicious attachments," which a cautious employee usually ignores.

"But then they're following up with a phone call that says, 'Hi, this is Bob in accounting. I just sent you an email with a spreadsheet. I just need you to open that up real quick and check it out.' Those factors put together make you trust them and take that action." Social engineering tactics like these serve as the entryway to the latest internet scams.

1. Phishing with new lethal strains of ransomware

Ransomware caught businesses' attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of their files, as well as files on any shared server they can reach. The extortionists then hold the decryption key for ransom (about $500 USD), to be paid in untraceable Bitcoin. The longer the victim waits to pay, the higher the price, and the data may be erased.

Now the copycat CryptoDefense has popped up in 2014. It targets text, picture, video, PDF and MS Office files and encrypts them under a strong RSA-2048 key, which cannot practically be broken without the attackers' private key. It also wipes out Volume Shadow Copies, which many backup programs rely on for restoring earlier versions of files.

In February a Charlotte, N.C., law firm came forward and described how its whole file server was scrambled by Cryptolocker and the firm lost all its files. The IT team tried to disinfect the machine, but the plan backfired and prevented decryption. They then tried to pay the ransom, but it was too late: tampering with the malware had broken the recovery path. The social engineering lure was an email "from AT&T" with a malicious attachment that was mistaken for a voice-mail message from the firm's phone answering service.

Companies that back up files once a week are caught off guard by the scam and are often willing to pay the ransom.

"It's the choice between paying 500 bucks or losing a week's worth of work -- for maybe more than one person," says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla.

While the scammers used a phony AT&T address in the law firm case, other telco companies saw variants of the phishing scam, too, Sjouwerman adds. Symantec estimates that ransomware like Cryptolocker earned criminals over $34,000 in one month alone in late 2013.

Small and medium-size businesses with fewer than 500 employees account for 41 percent of all spear-phishing attacks, compared to 36 percent in 2012, according to Symantec. Large enterprises with more than 2,500 employees accounted for 39 percent of all targeted attacks, compared with 50 percent in 2012 and 2011.

Small and mid-size businesses run into two challenges, says Scott Greaux, a VP based in Chantilly, Va.

"One is the perception that I don't have anything people would want. [Two], they might have the traditional [security] tools in place but they might be behind the times, even if they are using web-filtering."

Before it happens to you -- "make sure you do have backups and test your restore function on a very regular basis," Sjouwerman says. Also, invest in security awareness training for all employees.

2. IVR and robocalls for credit card information

Interactive voice response systems and "robocalls" play a central role in new social engineering scams seeking credit card or password information. Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees.

"It's fully automated," Sjouwerman says.

"The message goes something like -- 'This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat screen TV for $3,295? Press 1 for yes or 2 for no.'" If the person responds no -- the script then asks the victim to enter his credit card number, expiration date and security code.

In some cases, employees worry that their company credit card has been compromised and they might get into trouble, so they play along.

"Just to add insult to injury, they ask the victim to enter a cell phone number so that a customer service rep can call you back about this and they'll reverse the charge," he adds.

While the scam seems to be aimed at consumers, the concept of combining robocalls and IVR has implications for businesses, too, says Chris Silvers, owner and principal information security consultant at CG Silvers Consulting in Atlanta.

"The most obvious scenario would be to spoof an internal call from the voicemail system, asking employees to confirm their voicemail password and maybe prompting for an emergency cell phone number or something similar."

Prevention: Never act on incoming robocalls, experts say, and don't trust the name on Caller ID. One telltale sign of the robocall scam -- it will refer to the message from "your credit card company" but doesn't say the actual name.

3. Healthcare records for spear-phishing attacks

After the massive data breaches of 2013, criminals have reached a point where they can grab personally identifiable information from several sources and merge the records -- including healthcare records.

For instance, a bogus email looks like it's coming from your employer and its healthcare provider announcing that they've made some changes to your healthcare program. They're offering preferred insurance rates for customers with your number of children. Then they invite the email reader to check out a link that looks like it goes to the health insurer's web page.

"Because the email is loaded with the reader's personal information, there's a high likelihood of one click -- and that's all it takes" to infiltrate company systems, Sjouwerman says.

4. Phishing with funerals

Perhaps a new low - social engineering gangs have been caught sending phishing emails that appear to be from a funeral home, telling the reader that a close friend is deceased and the burial ceremony is on a given date. The gang has already compromised the funeral home's website, so the moment the concerned friend clicks through to it they are redirected to the attackers' server.

Hadnagy confirms that this social engineering scam is sad, but true. "There are a few stories of this being used successfully. People click and get loaded with exploit kits or the scammers harvest credentials."

At the bogus site, the attackers quickly drop a piece of malware that, over time, pulls down a keylogger and other information-stealing components. It also drops a Trojan, and the computer has just become a zombie able to carry out nefarious acts such as attacking other computers and sending spam.

Bottom line -- think before you act on emotion, Greaux says.

"Typically the [scammers'] motivator is fear, greed or curiosity. If you send out 10 emails [or calls,] chances are 1 out of 10 of the recipients is going to be motivated by the emotion that they're trying to use."

Stories by Stacy Collett