The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Framework Sections

Section Articles

Crime Victims

By nature, people are trusting and want to believe in each other. This simple fact makes it easy for criminals to find victims. Exploiting human trust allows criminal enterprise to use social engineering tactics to steal from their victims.

Auction Fraud

eBay auction fraud appears to be commonplace. Common tactics include the seller canceling the auction but sending any bidders an email offering the item for “Second Chance” sale. They will then spoof an email appearing to be from eBay offering protections on the sale. Or as the example below shows, inject fake pages into legitimate websites. This gives the appearance the transaction is taking place with eBay’s blessing. The victim will send payment and never receive the item.

Real World Example

In December 2016 the Romanian Bayrob Gang were indicted on 21 counts of cyber fraud conspiracy. According the the United States Department of Justice, the defendants injected fake pages into legitimate websites, such as eBay, to make victims believe they were receiving and following instructions from legitimate websites, when they were actually following the instructions of the defendants. They placed more than 1,000 fraudulent listings for automobiles, motorcycles and other high-priced goods on eBay and similar auction sites. Photos of the items were infected with malware, which redirected computers that clicked on the image to fictitious webpages designed by the defendants to resemble legitimate eBay pages. These fictitious webpages prompted users to pay for their goods through a nonexistent “eBay Escrow Agent” who was simply a person hired by the defendants. Users paid for the goods to the fraudulent escrow agents, who in turn wired the money to others in Eastern Europe, who in turn gave it to the defendants. The payors/victims never received the items and never got their money back. This resulted in a loss of at least $4 million.

bayrob-photo-viewerImage slideshow app infected with Bayrob [via Symantec]

Check Scams

The premise of check scams is the same but represented in different ways. A cashier’s check is sent to the victim who deposits it into their bank account and then sends a portion of those funds on to another person while keeping a portion for themselves. The cashier’s check is fraudulent and the victim has to cover the funds they thought they deposited.

One victim in this type of scam was recruited after he posted his resume on a well known job placement website. He received a job offer to become a “money handler”. His job was to receive mailed checks, deposit them into his account, keep 10% and send the rest to another person. When asked why the first person couldn’t send the check directly to the third person, the victim replied that the business was legitimate since it came from a reputable website. The victim refused to believe he was scammed and that it was just the first check that was bad.

Real World Example

Quincy Man Arrested For Using Counterfeit Cashier’s Checks to Defraud Victims, Including Law Firms

Fake Lottery

Everyone is looking for easy money. Lottery scams are prevalent and still able to find victims. This scam is accomplished by sending emails or letters notifying potential victims that they have won the lottery in a foreign country. All that is required is a processing fee in order to obtain the huge sum of money that they have won. Victims will often send money to cover the processing fee even though they had never even heard of the lottery before the letter.

Real World Examples

Jamaican-based Lottery Fraud Scheme
Lottery Scheme that Targeted Elderly Victims

Common Traits

These example scams all have an element of social engineering to them. They make the victims believe something when the reality is completely different. They are all preying on a specific victim motivation. These cases are all about money, so the victim wants to get a good deal or earn the easy money.

Many of the victims want to believe that they are smart, careful, and able to identify when they are being lied to. They don’t want to admit to themselves that they were “stupid” and many victims don’t report the crime to law enforcement because they are embarrassed. The elderly and people who might speak another language are often targeted because it could be easier for the suspect to trick them and confuse them with false promises.

Education and Reporting

There are many things you can do avoid becoming a victim. First, remember the old advice, “If it seems too good to be true, it probably is”. Second, ask as many questions as you can. Don’t take whatever you hear as the truth. Find a second source to confirm if possible.

When you receive a phone call, don’t automatically assume the person is telling you the truth. Banks, the government, and many other corporations will never call you and ask you to verify account details. If you receive a call like this, hang up and call the institution back. Remember that caller ID spoofing is very easy and you cannot trust your Caller ID.

Additional Resources

Visit the following links to learn more

Federal Trade Commission Complaint Assistant
BBB’s Top 10 Scams of 2016