How Social Engineering Attacks Use Third Parties for Credibility – Forbes Advisor


You have to hand it to the crooks for their creativity and determination. The criminals are doing their research to make their tricks more elaborate, so they can separate more and more of us from our hard-earned money. Their latest scams use manipulative social engineering attacks that leave victims feeling doubly cheated.

What is Social Engineering?

Social engineering refers to the basket of psychological tricks that scammers use to build trust with potential victims of fraud. Scammers can perform all sorts of deceptions using information gleaned about their targets from social media sites and publicly available data.

Attacks can take many forms and often begin with a phishing email designed to trick the recipient into divulging personal information. The FBI’s Internet Crime Complaint Center, or IC3, reports that phishing affected nearly 324,000 victims in 2021.

Other types of social engineering campaigns involve voicemail phishing (vishing), text phishing (smishing), and business email compromise (BEC), which uses fraudulent messages that appear to come from legitimate businesses. In my role as Senior Threat Researcher for Threat Research at Agari by HelpSystems, I have seen all kinds of scams online.

Cons work because we are human. Most of us are wired to trust others. Fraudsters know this and play on our heartstrings or delight us with fabulous offers that make us feel special.

The third is a charm

Social engineering is at the root of the latest advance fee scams, which are increasing in frequency and complexity. The general scheme is to trick you into putting up money to receive something of greater value. Fraudsters take advantage of urgency and authority to get you to send money.

These cons have two phases involving entities that seem unrelated. It’s genius. The idea is that even if you were a bit suspicious of the initial message or request, the apparent handoff to a third party – another person or group – builds your trust. But behind the curtain, everything is orchestrated by a single person or team.

Two-part scams involving (fake) third parties

Beware of these five schemes in which scammers lay traps by creating fake third parties.

1. The Free Piano Scam

How it works: You receive an email from a widow who wants to find a new home for her late husband’s beloved piano. She needs to move to a smaller place, and you would be doing her a favor if you accepted the instrument.

From the pictures, it is a beautiful name-brand piano. It’s yours for free if you cover the shipping cost. She sends a link to a suggested global logistics provider where you can submit your payment. You even get a tracking number indicating the shipment is on its way.

In the wings: There is no piano, widow or shipping company. It is a scammer who tricks you with multiple email accounts and a fake shipping company site.

2. The scam with attractive prices

How it works: You are a distributor and receive an email at work from someone who wants a quote on an industrial product. You search online for the oddly long product ID number that was provided and find it on a single manufacturer’s website.

After inquiring about the cost, you are shocked to find that it is less than half of what you expected to pay. In the great tradition of buy low, sell high, you order 20 of the items and answer the initial request with a suitably padded price. But you never hear from the potential buyer again.

In the wings: The buyer and the seller are one. The scammer found you while searching for distributors on LinkedIn and relied on the fact that you, like most people, would never expect collusion between an online buyer and seller.

3. The M&A Scam

How it works: Kevin, your company’s head of mergers and acquisitions, tells you about an impending and highly confidential deal. As an accountant, you have worked with Kevin on several occasions and think nothing of his request to switch to your personal email account to protect transaction details.

He says you will soon receive a note from the lawyer with instructions on how to quickly transfer the earnest money, i.e. the deposit for the transaction. You transfer the funds to the specified account.

In the wings: The scammer did some research to find that Kevin is your company’s M&A manager, then created a fake email that looked legitimate. The “lawyer” is the same scammer with a different email address, and the money will probably never be found.

4. The gift card scam

How it works: Gift card scams remain popular among scammers. In the latest iteration, your boss is on the road and asks you to send his niece a Google Play gift card for her birthday. The niece has been struggling lately and has dropped out of school to care for her sick father. You feel bad and want to help.

In the wings: The scammer is the puppeteer who uses fake email accounts and a sad story to override common sense.

5. The escrow account scam

How it works: You are looking for a deal on a motorhome. You find one on Craigslist or eBay that fits the bill, and the seller says he’s in the military and about to be deployed to Poland to support Ukraine’s war efforts. He has to get rid of the RV soon, but it’s in Montana. He asks you to use the Craigslist or eBay escrow service and will ship the vehicle once the money has cleared.

In the wings: These sites do not have escrow services, and any money sent over the link provided to you will go into the hands of the scammer.

How to protect yourself from social engineering

As always, tap into your intuition and stay alert. Remember that if something seems too good to be true, you probably have the right idea.

Follow these steps to avoid being tricked.

  • Inspect the email addresses: Right-clicking on a sender’s name will let you view the properties of the message and reveal telling details that could save you a lot of trouble.
  • Check through a separate channel: If you receive a link to a website to order or ship something, see if you can find the business on Google Maps or through search. It may not exist.
  • Avoid cryptocurrency: Getting a payment request for just about anything in cryptocurrency usually indicates fraud.
  • Report the scam: If you believe you have been the victim of a social engineering attack, report the fraud to the Federal Trade Commission.
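
The address inspection in the first step can also be run over a message's raw headers. The sketch below is an added example, not part of the original article; the staff directory, the `.test` domains and the sample message are constructed assumptions modelled on the M&A scenario above.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: display name of a known colleague, a look-alike sender
# domain (digit "1" instead of "l"), and replies steered to a free-mail account.
SAMPLE = """\
From: "Kevin Example" <kevin.example@examp1e-corp.test>
Reply-To: kevin.private@freemail.test
To: accountant@example-corp.test
Subject: Confidential deal - earnest money

Please move this conversation to your personal email.
"""

# Hypothetical directory of real staff addresses, keyed by lower-cased name.
DIRECTORY = {"kevin example": "kevin.example@example-corp.test"}


def domain(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(raw, directory):
    """List the sender-identity inconsistencies found in one raw message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # A familiar name on an unfamiliar address is the core of the trick.
    expected = directory.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display name matches a known contact but address differs")
    # Replies routed elsewhere let a second mailbox take over the conversation.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("Reply-To domain differs from From domain")
    # Some senders put a trusted address in the display name itself.
    if "@" in name and name.strip().lower() != from_addr.lower():
        findings.append("display name contains a different email address")
    return findings


if __name__ == "__main__":
    for finding in sender_findings(SAMPLE, DIRECTORY):
        print("WARNING:", finding)
```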
