PI ONLINE:
11-24-06

Social Engineering

That’s an interesting bit of jargon, “social engineering.” The vaguely ominous words have overtones of the Nazis’ experiments in eugenics, or some 1950s southern bigot railing against racial mixing.

Actually, it’s a euphemism, substituting a quasi-scientific term for a simple one: “con.” As in “con artist.” Self-described social engineers generally operate on the Internet or around it, unlike the characters in a David Mamet play. But they manipulate the same human emotions: trust, greed, helpfulness and fear.

The simplest computer cons are pretty much played out. Most people by now know to disregard an e-mail seemingly from the Deputy Governor of the Central Bank of Nigeria (etc.), or one threatening to close your bank or Paypal account RIGHT NOW! unless you provide information.

Subtler versions of each, however, have crossed my desk recently and are worth describing.

Chinese Nigerian

The classic Nigerian e-mail scam works the greed angle too hard. Promises of $2.8 – $8.8 million are clearly too good to be true. And it’s generic: “Dear friend.”

A Chinese-born client of mine received a much subtler version. A Chinese company was supposedly looking for a bilingual person to help them with receiving payments in the United States. The e-mail explained that for various vague and complicated legal reasons, the company was blocked from establishing its own branches. It said that the board of directors had approved him already as their U.S. representative. Payments would be made to him, and he would forward them after deducting a 10-15 percent commission. He would make, perhaps, $25,000 to $30,000 a year.

Greed and trust were now in play. The amount was modest enough to seem credible, and they addressed him by name. My client is a helpful sort, and has time, and could use some extra money. So he went the next step.

After using Google to verify there is a real Chinese manufacturing company by that name, he responded, asking for some verification of the sender’s legitimacy. Not surprisingly, he received no response to that.

But he did receive an urgent e-mail from someone claiming to be a customer of the Chinese company. The customer was eager to pay, according to the e-mail, and the Chinese company had told the customer to contact my client. As soon as my client sent the specific information, money would be sent to him.

The scam, of course, is that the payments he would receive would be bogus: forged checks, fraudulent wire transfers. By the time they bounced, his payment would be irrecoverably gone to a third world country (almost certainly not China) and he’d be out the money. Again, it is a little subtler than the classic Nigerian fraud, in which the victim is lured into fronting money for “expenses” incurred to get the supposed riches out. But the net result would be the same.

My client stopped responding a month ago, and is still getting urgent e-mails from supposed customers wanting to send him money. I expect he’ll be getting those for years.

Computer, Not Bank

In the classic version of the bank scam, a con artist rips off the logo of a legitimate bank from their Web site (which is frighteningly easy to do). That logo then surfaces in an official-looking communication stating that there has been apparent fraudulent activity in the victim’s account, and that he must immediately provide certain information by clicking on a link embedded in the e-mail. That link, apparently to the bank’s Web site, actually goes to a fake one. The victim is actually feeding his personal and account information to a con artist.

The early versions of these e-mails were laughably crude, replete with spelling errors and bad grammar. Newer ones seem to have found the spell checker and use native speakers of English, but are still rather obviously bogus. Like the Nigerian scam letters, the address is generic: “Dear customer.” And how many times do you need to get one purportedly from a bank you don’t use before you know they are all baloney?

These scams work on pure fear. But like the Nigerian scam, the classic version overplays its hand.

In the newer, subtler version, my client received an e-mail supposedly from Dell Computers, confirming an on-line order placed and paid by credit card. There is no logo, just plain text referring to the order details and invoice in the attached file. Fear is still present (“Did somebody rip off my credit card number?”) but helpfulness has been added (“If they just sent the e-mail to the wrong address…”).

The attached file, however, is a program file (i.e., with an “exe” extension). If clicked, it will install some sort of spyware or other malware. Exactly what, I don’t know because we didn’t click on it.

This one contained a fairly obvious error, as the purported purchase was a Sony VAIO computer. Dell sells only Dell-branded products. Not all will be so dumb.

The “from” line in an e-mail is easily faked. To know where an e-mail really came from, you need to look at the full message header. This information is contained in the message, but does not normally display. In Microsoft Outlook or Outlook Express, highlight the questionable message without opening it and right-click; select “Properties,” then the “Details” tab. (Similar capabilities can be found in any other e-mail client software, or in web-based e-mail like Yahoo or Google.)

The first line is “return-path,” which is all you normally need to look at. That e-mail address is where an undeliverable message would be returned, and it is almost impossible to fake. You don’t have to know who “redakja.trybuna.com.pl” is to know that e-mail didn’t actually come from eBay.
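The two checks described above, the return-path comparison and the executable attachment, as an added example that is not part of the original column. It uses Python's standard email module; the sample message is constructed, modelled on the eBay and Dell cases, and borrows the trybuna.com.pl domain quoted in the column. Return-Path records the envelope sender the delivering machine announced, so a mismatch is a warning sign to act on, not proof of where the mail came from.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real e-mail): the "from" line claims eBay,
# the return path points at a Polish host, and the "invoice" is a program file.
RAW_MESSAGE = """Return-Path: <bounce-1138@redakja.trybuna.com.pl>
From: "eBay Billing" <billing@ebay.com>
To: victim@example.net
Subject: Your order has been confirmed
Date: Fri, 24 Nov 2006 10:02:11 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice for your order.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Extensions Windows will run when double-clicked; the column's case was ".exe".
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def domain_of(header_value):
    """Return the lower-cased domain of an address header such as From, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of warning strings for one raw message (headers + body)."""
    msg = email.message_from_string(raw)
    warnings = []
    from_domain = domain_of(msg["From"])
    rp_domain = domain_of(msg["Return-Path"])
    # The column's test: the visible sender and the return path disagree.
    if rp_domain and rp_domain != from_domain:
        warnings.append(f"From claims {from_domain} but Return-Path is {rp_domain}")
    # The Dell case: an "invoice" that is really a program file.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            warnings.append(f"executable attachment: {name}")
    return warnings


if __name__ == "__main__":
    for line in check_message(RAW_MESSAGE):
        print("WARNING:", line)
```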

The Real Protection

Ultimately, the key to protecting yourself is to remain detached and unemotional. Don’t let a con artist play on your trust, greed, helpfulness or fear. And even if there is a legitimate problem with your credit card or identity theft, it will still be there after you have taken a few minutes to analyze and check out the situation.

Are there money or tax questions you would like to see discussed in this column? Let me know, at 2835 N. Sheffield, Suite 311, Chicago, IL 60657, or call 773/525-1778 (888/525-1778 toll-free outside the Chicago area) or e-mail greg@gregmermel.com.

Greg Mermel is a certified public accountant whose clients in the arts range from individual performers to major theatre companies and suppliers. He has also been known to produce theatre.
