Out of the blue you receive an email informing you about a large sum of money trapped in a foreign bank account: a wealthy politician has died, leaving a fortune behind. The sender asks for your help to transfer the money out of the country and promises you a huge reward. The sender first asks you for your bank account details so the money can be transferred, then asks you to pay a transfer fee or tax to get the money out of the country. This fee may start small but will increase, because the criminal will keep inventing new fees that supposedly must be paid before you can receive your reward. No matter how much you pay, you will never receive it. This is a “scam”, a type of social engineering, and this particular scam is commonly known as the “419 scam”, an advance-fee fraud.
Criminals can use sophisticated attacks to gain access to your computer or to trick you out of money. But they have another, easier and less sophisticated tool in their arsenal called “social engineering”. Social engineering uses human interaction (social skills) to obtain confidential information. The obtained information is then used to access the user's accounts, or, as in the example above, the user is tricked into handing over money.
Social engineering attacks may be divided into two categories, described below.
Emails sent by scammers may carry attachments containing malicious code. Such attachments may include keyloggers that capture users' passwords, viruses, Trojans, or worms.
Attackers trick users into clicking on a link or downloading a file and then opening it; the executable file is a worm that propagates from computer to computer by copying itself.
A well known example is the “LoveLetter” worm, which arrived as an email attachment. The email requested the user to open the attachment; when the user opened it, the worm sent a copy of itself to all the contacts in the user's address book. This worm overloaded a huge number of email servers in the year 2000.
Pop-up windows can also be used in social engineering attacks: pop-ups that advertise special offers may tempt users into unintentionally installing malicious software.
This type of social engineering attack commonly uses emails to trick users into giving up the credentials for their bank accounts or email accounts. The email usually claims to come from a well known source, such as a highly reputed organization, and asks the user to click on a link that leads to a site resembling the organization's web site; that site is a fraudulent website that harvests users' credentials. The fraudsters use these credentials to gain access to bank or email accounts and steal important information and money.
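The three lures described in this article (the advance-fee wording of the opening 419 example, executable attachments of the LoveLetter kind, and phishing links whose visible text names one site while the link points at another) can all be checked mechanically on incoming mail. The following Python example is added here to show such a triage check; it is not part of the original article. It uses only the standard library. The sample messages, the `.invalid` domains, the extension list and the lure phrases are constructed assumptions for the demonstration, not data from any real incident.

```python
"""Heuristic triage of one email for the social engineering indicators
described above: executable attachments (malware delivery), links whose
visible text names one domain while the href points elsewhere (phishing),
and advance-fee lure wording (419 scam).  All sample messages are
constructed here; nothing is taken from real mail."""
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small default list of extensions that execute when opened.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "vbs", "js", "bat", "cmd", "com", "pif", "hta"}
# Assumption: wording typical of the advance-fee lure in the opening example.
ADVANCE_FEE_PHRASES = ("bank account details", "transfer fee", "your reward")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(text):
    """Registrable-ish domain (last two labels) of a URL-like string, else None."""
    try:
        host = urlparse(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    if not host or not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        return None  # plain words such as "Click here" are not a domain
    return ".".join(host.split(".")[-2:])


def triage(raw_message):
    """Return the indicators found in an RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    findings = {"executable_attachments": [], "mismatched_links": [], "advance_fee_phrases": []}
    bodies = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Only the final suffix matters, so 'invoice.pdf.exe' is still caught.
            if filename.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS:
                findings["executable_attachments"].append(filename)
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            bodies.append(body)
            if ctype == "text/html":
                collector = _LinkCollector()
                collector.feed(body)
                for href, shown in collector.links:
                    real, displayed = _domain_of(href), _domain_of(shown)
                    if real and displayed and real != displayed:
                        findings["mismatched_links"].append((shown, href))
    lowered = "\n".join(bodies).lower()
    findings["advance_fee_phrases"] = [p for p in ADVANCE_FEE_PHRASES if p in lowered]
    return findings


def is_suspicious(findings):
    """True when any indicator fired; a real pipeline would weight these."""
    return any(findings.values())


def build_sample(kind):
    """Constructed sample messages (hypothetical .invalid domains) for each case."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.invalid", "victim@example.invalid"
    if kind == "phish":
        m["Subject"] = "Verify your account"
        m.set_content("Please verify your account.")
        m.add_alternative('<p>Sign in at <a href="http://example-bank.attacker.invalid/login">'
                          "https://www.example-bank.com/login</a></p>", subtype="html")
    elif kind == "worm":
        m["Subject"] = "Invoice attached"
        m.set_content("Please open the attached invoice.")
        m.add_attachment(b"MZ-not-really-a-program", maintype="application",
                         subtype="octet-stream", filename="invoice.pdf.exe")
    elif kind == "419":
        m["Subject"] = "Urgent business proposal"
        m.set_content("Send your bank account details and a small transfer fee\n"
                      "so we can release your reward.")
    else:
        m["Subject"] = "Lunch"
        m.set_content("Meeting moved to 3pm.")
    return m.as_string()


if __name__ == "__main__":
    for kind in ("phish", "worm", "419", "benign"):
        print(kind, triage(build_sample(kind)))
```

The link check compares only the last two labels of each host, so a look-alike subdomain such as `example-bank.attacker.invalid` is still caught; a production filter would use the public suffix list instead of this two-label shortcut, and would treat each finding as a score rather than a verdict.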