Social Engineering and Impersonation Scams

In a previous blog post about email security, I mentioned social engineering. Along with impersonation, it is a primary way that threat actors compromise our inboxes and get us to “click the link”. In either of these scenarios, a threat actor uses devious means to gain your trust and get something of value from you.  

Well, social engineering and impersonation scams are still prevalent, and understanding their most common tactics can help you stay safe.  

The Nigerian 419 Scam 

This infamous “Nigerian 419 scam” is the earliest form of impersonation I can remember. Its delivery vector was then, and still largely is, email.  

The scenario looks like this: 

1. You receive an email from a royal foreigner that claims to be wealthy.
2. They provide some fabricated situation about needing to get their wealth out of the country.
3. They offer a lucrative amount of that wealth if you do something for them. 
4. You are asked to send them money (via wire transfer or by providing bank account details) to help them with some fabricated situation. 
5. They promise to deposit into your account the payment for helping them. 

The malicious actors rely heavily on email volume for their success; they send their generic email to hundreds of thousands (if not millions) of inboxes.   

Broader Social Engineering Ploys 

Social engineering was added to the mix as malicious actors evolved the 419 scam.  

In some cases, they may have continued with the royal foreigner persona. In others, they changed the guise to a fellow countryman stranded in a distant country, needing to ship gold, diamonds, or some other tangible item of value (for some reason). They only ask for your address and full contact information. At that point, they would keep in contact and build a relationship until they felt the time was right to call in that favor.  

All of these contain elements of impersonation and social engineering. While the savvy among us will not often fall for such obvious attacks, they are still in use today.  

Combining Social Engineering and Impersonation 

There are also other attacks which combine social engineering and social media impersonation.  

Take this scenario (which happens a lot)

John Doe posts on a professional networking platform. Let’s call it SinkedIn. He writes, “I’m so excited to be joining the team at Munder Difflin!” Jane Dey then leaves a comment; “John, we are so excited to have you onboard!”.   

John Doe looks at Jane’s profile and she is listed as a member of Human Resources at Munder Difflin. When he gets his company issued laptop, there is an email from Jane saying, “I’m following up on the SinkedIn comment today. We are excited to have you with us! Here are some links to important resources you need to review as part of the new-hire onboarding process. Congrats again on joining our team!” 

John clicks on the link (which is of course, a scam link to a malicious site) and unknowingly compromises Munder Difflin. 

This is a fictious scenario, but it happens regularly. The bad actor created a fake profile to impersonate a legitimate employee of the firm. They knew (or discovered) the email address the person was likely to have, and then crafted the email to get by email security filters. At the end of the day, it worked. 

There are more examples like this, and worse. These days, entire criminal enterprises operate underground to create automated processes that turn the whole thing into a social engineering as a service — or phishing as a service (PaaS) — business model. 

Fight Back with Fortra 

Thankfully, there are tools to fight the never-ending onslaught of clever social tactics. Fortra email security and anti-phishing solutions can help you prevent and prepare against social engineering scams ... how clever they might be.