Sometimes called “human hacking,” social engineering is a form of manipulation to get someone to act in a certain way. Many types of people use social engineering, be it a salesperson trying to get you to purchase extra add-ons you don’t really need or a threat actor trying to get your bank account information in a phishing email.
Criminals use social engineering because it works. It’s human nature to act whether it’s out of a tendency to trust, fear of something bad happening, curiosity, or simply wanting to help another person. For social engineers, it’s far easier to get someone to share their username and password by taking advantage of these traits than it is to break into a system by force.
Social engineering attacks can be broken down into four steps:
A successful social engineering attack requires a lot of preparation, so social engineers start by gathering information on their target. They often use social media like Facebook, Instagram, and LinkedIn, as well as general searches on engines like Google or Bing. Dedicated attackers may also go dumpster diving, looking for work documents, bank statements, medical prescriptions, or anything else that could provide more information on your work, interests, and lifestyle — all to help them better target you. When their larger goal is to breach a company’s security, they’ll also do extensive research on the organization.
Pretexting is the practice of presenting oneself as someone else to obtain private information. Here, social engineers use the information they’ve gathered to gain their target’s trust — they may feign shared interests to create rapport and use collected knowledge of the targeted company to impersonate someone trustworthy, such as a help desk or HR employee.
Once social engineers establish some sort of relationship, they elicit information from the target. This can take many forms, such as direct or indirect questions or a link in a phishing email.
Finally, social engineers move to manipulation or, rather, influencing their target to take actions that may not be in their best interest. Some common manipulation techniques include:
- Fear-relief: They say something to scare the target, then immediately follow up with an offer of relief. (e.g., “Your computer has been infected with malware, but if you give me your password, I can remote in and remove it.”)
- Guilt: They may do the target a favor to gain leverage over that person.
- Foot in the door: They ask the target for something small to get their foot in the door, and if the target responds, they’ll follow up with a larger request. (You’ll also see this manipulation technique commonly used by salespeople.)
Scams commonly use email, the internet, or the telephone to trick people into sharing sensitive information or doing something against policy. Criminals often use recent events, such as the COVID-19 pandemic or an earthquake, to prey on people, hoping to catch them off guard.
Key indicators of a scam:
- Requests for personal or private information, such as your password, financial account information, Social Security number, or money
- Unexpected/unsolicited emails with links or attachments
- Sense of urgency and call to action (e.g., “contact us immediately,” “log in now”)
- Scare tactics or threats stressing that, if you don't act quickly, something bad will happen (e.g., “your computer may be infected”)
- Promises of something too good to be true, including bargains and “great offers” or links to claim an award or reward
- Requests that you forward emails, attachments, links, etc., to your friends, co-workers, or family
A middle-aged white man (who we will call the "fisher" from now on) wearing a green fishing vest with many pockets walks through a grove of trees, holding a fishing pole and tackle box. He has short, light brown hair and scruffy facial hair, and wears a red, white, and blue flannel shirt and jeans. He sets the pole and tackle box on the ground and stretches his arms above his head. White text flies up, reading "phish•ing." More white text follows, reading:
"Tricking a user into sharing personal information or login credentials by posing as an official source."
0:09: The video transitions to the fisher sitting at a desk with two computer monitors. The monitor on the left shows a document containing a pie chart; the monitor on the right shows a yacht on water. The man rubs his hands together and cracks his knuckles, then begins to type on his keyboard. Near his keyboard, under the monitors, he has Funko Pop statues and comic book figurines.
0:13: The video transitions back to the fisher in the grove of trees. The video zooms in on the fisher's hands; he holds a small, metal box containing fishing lures. He selects a lure and attaches it to his fishing line. He then walks toward a red block U statue on the University of Utah campus.
0:23: The video moves to a shared work table, where a man and woman huddle over their Apple laptops. The white man has dark, short hair and wears a light-colored button-up shirt and khaki pants; the white woman has long, dark, wavy hair and wears a black dress. She holds a dark folder open in her lap. A woman sits adjacent to them, wearing headphones and using her Apple laptop. She has dark hair pulled into a bun and wears dark glasses and a light-colored hoodie.
0:25: The video transitions back to the fisher, who stands in front of the "Imagine U" side of Marriott Library, casting his fishing line toward the building. He walks through campus again, passing a set of stairs and multiple street lamps. He then casts his line toward a white female student passing by on the sidewalk, which is lined with trees full of leaves. The red block U is behind him on the left. The student — who is wearing a multicolored, short-sleeved shirt with chevron patterns, black pants, and a backpack — shies away.
0:35: The fisher continues casting his line in various places around campus. In one scene, he even pops out from behind a bush to startle a man passing by. The white man is wearing a blue button-down shirt with the sleeves rolled up and jeans. In another scene, the fisher casts his line toward a white man who is walking his bike on the sidewalk. The cyclist has long light brown or blond hair, and wears red flannel, dark jeans, a red and white hat, and a backpack and carries a light-colored helmet. He ducks from the fishing line.
0:41: In the next scene, the fisher climbs a rock and looks out over the landscape. He then appears to reel in his fishing line, which is taut. Text fades in from the left, reading "You will never receive a threatening or intimidating email from any legitimate University source."
0:48: The video transitions to a man, whose face we cannot see, typing on a black laptop with a U drum and feather sticker and a white sticker in the shape of Alaska. He is wearing a white shirt with a dark graphic, Apple headphones, and a red and white braided bracelet. On the desk, there are a couple of notebooks, and red and blue pens. Light filters in behind him. Text fades in from the left, reading "Never share your uNID and password with anyone."
0:53: The video transitions to a black screen that shows icons and text on the common signs of phishing scams, including the "no" symbol and a tip that reads: "Common Phishing Scams." A pointer moves to reveal the following bullet points:
- "Unusual email language, poor spelling or grammar"
- "The URL doesn't match webpage"
1:02: The video then moves into an example of a webpage in the Safari browser. The URL reads "www.TAKEALLYOURMONEYANDRUN.org," and the page imitates a University of Utah login screen. A browser tab in the background reads, "Funny Cats — YouTube." The video zooms in on the URL, which is highlighted with a white overlay while the rest of the screen is darkened by a black overlay.
1:05: The video returns to the bullet point list of common phishing scams. The next item reads, "When hovering over link, it doesn't match the promised content."
1:08: The screen transitions to an email client, which shows an example of an email. Highlighted is a link that reads, "here" but shows a URL to "http://takeallyourmoneyandrun.org."
1:11: The video transitions into a library, where an Asian man sits at a desk with his hands on the keyboard of the laptop open in front of him. He is wearing a checkered button-down shirt with the sleeves pushed up and a pair of glasses. His hair is black and a bit long around the ears, forehead, and back of the neck. A backpack or messenger bag is on the table next to his laptop, and a chair is open to his left. In the background, light filters in from large windows and two stacks/shelves hold numerous books.
1:15: The video zooms in on the Asian man and his laptop. On the screen, text reads "Guard your uNID and password like your Social Security number." Then the video transitions into a montage of shots of people using open laptops. The first image shows a desk with an open laptop, which has multiple windows open. White hands barely touch the edge of the keyboard. Text fades in that reads "Change your password often." The second image shows a white man using the touch pad on his laptop to scroll. We only see his hands and the sleeves of his button-down shirt, which is white checkered with dark lines. The third image shows a white woman using a silver laptop. She faces us so we cannot see what is on the screen. She has long, brown hair and wears a dark T-shirt. To her right, another white person, who appears to be a woman, types on a laptop. This person is wearing a gray sweatshirt or hoodie. Text fades in that reads "Change your password and call the Campus Help Desk immediately." A phone number reading "801-581-4000" fades in.
1:25: The video transitions back to an outdoor space on campus with grass and trees. A man in a light blue-green shirt and dark pants walks left past our view. Another man, somewhat balding, walks right past our view. He wears a dark blue or black shirt with short sleeves and a collar, and jeans. The fisher is in the background, waving his fishing line.
1:29: The video returns to the fisher's desk, with a close-up on the Funko Pop and comic book figurines. The figurines include Superman and a shark, but it's not clear which characters the others represent. The video zooms out so we can see the fisher sitting at the desk. He makes a fist with his right hand and pulls it downward in a motion that represents cha-ching, yes, score, gotcha, or a similar celebration. He throws his head back and laughs.
1:32: The screen goes black. The University Information Technology (UIT) logo (white text with a red Block U) and white text reading "it.utah.edu/" fade in, with the word "security" added shortly after to the end of the URL so it reads "it.utah.edu/security."
1:37: The screen changes to a white background with a gray gradient at the bottom that shows a mirror image of the red and black Imagine U logo in the center of the screen.
Phishing is becoming more and more popular.
We're talking about phishing with a "ph." Not the river-runs-through-it kind.
It's about cyber scammers, con artists, and thieves. Every day they're baiting and hooking personal information and gutting bank accounts. It's happening all around the nation and right here at the U.
Faculty, staff, and students are all vulnerable, and attacks are becoming more targeted.
Because some university personal information is readily available, scammers are often using it, along with emotional responses, to get you to act.
It's important to stay vigilant and know thieves are trying to land the big one.
You will never receive a threatening or intimidating email from any legitimate university source.
Don't take the bait. Never share your uNID and password with anyone. And look for the signs that are common in phishing scams. Things like:
- unusual email language or spelling or grammar
- the URL doesn't match the webpage
- when hovering over a link, it doesn't match the promised content
Here's what to do to stay protected:
- Guard your uNID and password like your Social Security number
- Change your passwords often
- Lock your screens when not in use or when you leave your desk
If you've been hooked, call the Campus Help Desk (801-581-4000, option 1) immediately.
Trust your gut. If it smells fishy, it probably is.
For more information, visit it.utah.edu.
Phishing is a scam designed to steal information or passwords, compromise devices, or trick you out of money. While we often think of phishing as being limited to emails, it can also take the form of deceptive text messages, posts on social media, pop-ups, or phone calls.
Phishers may ask for your name, account information, date of birth, Social Security number, address, etc. They may also try to get you to open a link or file. Hover or tab over any links to review specifically where you are being directed. If it's not legit, don't open it.
Types of phishing and phishing “hooks”
Phishing is a way criminals use social engineering to trick you into sharing private and confidential data, such as bank account numbers or login information. Criminals employ many methods, such as:
- Generic phishing: Generic, everyday phishing is not targeted and tends to be easier to spot.
- Spear phishing: Spear phishing is one of the most dangerous forms of phishing. The phisher targets a specific individual and studies them in order to write a more convincing, legitimate-looking message that tricks them into letting down their guard and sharing sensitive information.
- Whaling: Also known as CEO fraud, whaling specifically targets CEOs and senior leadership.
- Shared document phishing: You might receive an email that appears to come from file-sharing sites like UBox, Dropbox, Google Drive, or OneDrive alerting you that a document has been shared with you. The link provided in these emails takes you to a fake login page that mimics the real login page and steals your account credentials.
Indicators that an email isn’t legitimate:
- The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address
- Unfamiliar, unusual, or generic greetings; the message isn’t addressed to you specifically, e.g.:
  - [No greeting]
  - Dear member
  - Hello friend
- Spelling and grammar errors
- Suspicious links:
  - A link that doesn’t match the URL of the webpage stated in the email
  - A link to pictures or videos from people you don’t personally know
  - A link or attachment to view an unexpected e-card or track an unknown package
- Incorrect or suspicious file names
- Suspicious file extensions (e.g., *.bin, *.com, *.exe, *.html, *.pif, *.vbs, *.zip, *.zzx)
- Low-resolution images
Reputable organizations like the University of Utah will never email you for your password, Social Security number, or any confidential or personal information. Visit our Phish Tank to learn more about various phishing schemes and how to avoid them.
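As an added example (not part of the University's page), a small Python checker for two of the indicators above: a link whose visible text names one site while its href actually points to another, and attachments whose final extension is on the list. The sample email body and attachment names are constructed; the destination URL is the one shown in the page's video, and the host comparison uses the last two DNS labels rather than a public-suffix list (an assumption).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import os
import re

# Extensions from the indicator list above.
SUSPICIOUS_EXTENSIONS = {".bin", ".com", ".exe", ".html", ".pif", ".vbs", ".zip", ".zzx"}
# Matches a URL or bare hostname shown in the visible link text.
_URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.I)

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_of(url):
    """Last two DNS labels of the host, lowercased (assumption: no public-suffix list)."""
    if "://" not in url:
        url = "http://" + url
    labels = (urlparse(url).hostname or "").split(".")
    return ".".join(labels[-2:])

def link_targets(html):
    """The 'hover over the link' check for a whole body: (visible text, real host)."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, host_of(href)) for text, href in parser.links]

def mismatched_links(html):
    """Links whose visible text names one site while the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown = _URL_IN_TEXT.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            flagged.append((text, href))
    return flagged

def suspicious_attachments(filenames):
    """Attachments whose final extension is on the list (catches 'report.pdf.exe' too)."""
    return [n for n in filenames if os.path.splitext(n)[1].lower() in SUSPICIOUS_EXTENSIONS]

# Constructed sample; the destination is the URL shown in the page's video.
SAMPLE_EMAIL = """
<p>Dear member, your account will be locked. Log in
<a href="http://www.TAKEALLYOURMONEYANDRUN.org/login">here</a> or at
<a href="http://www.takeallyourmoneyandrun.org/cis">https://login.utah.edu</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["invoice.pdf", "Payroll_Update.pdf.exe", "notes.txt"]

if __name__ == "__main__":
    for text, host in link_targets(SAMPLE_EMAIL):
        print(f"link '{text}' really goes to {host}")
    print("text/target mismatch:", mismatched_links(SAMPLE_EMAIL))
    print("suspicious attachments:", suspicious_attachments(SAMPLE_ATTACHMENTS))
```

A link whose text is just "here" cannot be flagged as a mismatch, which is why `link_targets` lists where every link really goes so the reader can compare it with what the email promises.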
Employment scams occur when criminals create fake job listings or reach out to people directly to deceive them into believing that they are being offered a (potential) job and persuade them to provide personal information. Often, these job offers are enticing and offer a lot of money for little work.
Be skeptical and never provide personal information, such as your driver license information or Social Security number, over email or the phone without determining the employer's legitimacy. If it sounds too good to be true, it's most likely a scam.
Follow these tips to avoid employment scams:
- Never provide your Social Security number, driver license information, bank information, or other personal information over the phone or email.
- Be skeptical of jobs that offer a lot of money for little work.
- Never apply to a job that has been sent to you out of the blue.
- Never send or wire money to the “employer.” A legitimate employer will never ask you to do that.
- Don't agree to background checks with an employer you've never met in person.
- If you're still uncertain, determine the legitimacy of the job offer/listing by researching the employer. Contact the business/organization to verify whether it’s hiring and whether the person who contacted you works there.
- Attackers will pretend they're someone real or even someone you know. If you receive a job offer from someone who seems legitimate, contact them through a known, trusted communication channel to verify whether it's really them.
- Never accept cashier's checks or money orders as payment. Your bank can hold you accountable for fake checks.
Beware of online romance scams that lure victims into an online relationship to get money. Reports by the FTC show that people lost about $304 million in romance scams in 2020. Romance scammers create fake profiles on social media and dating sites, and seek out victims through conversations, gifts, and declarations of love without meeting in person. Once they have the victim's trust, they begin asking for money to pay for medical expenses, plane tickets, debts, etc. Often the scammers will ask their victims to pay by wire transfer or gift cards so they can receive the money quickly and anonymously; these transactions are impossible to reverse.
Romance scams can be upsetting and embarrassing because an emotional attachment has been created with someone who doesn't exist. To protect yourself and your assets, look for red flags, and never send money or gifts to someone you haven't met in person.
Warning signs of a romance scam:
- The person professes their love quickly and lures you off the dating site to communicate with you through email or messaging apps, which allows them to communicate with multiple victims simultaneously.
- They can't meet in person or live video chat. Sometimes these scammers will send prerecorded videos, which are actually stolen.
- They ask for private information, such as financial information or even intimate photos, that they can later use as blackmail.
- They always have emergencies and ask you for money to help them financially. If they ask you for money, you should immediately be suspicious. Assume you'll never get your money back even if they promise to pay you back.
Steps to protect yourself and avoid being scammed:
- Take it slow and take time getting to know someone. A clear sign of a scammer is that they try to move the online romance as fast as possible.
- If they're communicating with you through email, check their email address through RomanceScams.org.
- If you're suspicious at any time while communicating with someone online, trust your gut and end all contact.
- Never transfer money to an online love interest. If you think you have sent money to a scammer, contact your bank right away.
Other examples of scams
Criminals are unfortunately all too creative in finding new ways to scam us. While it’s impossible to make a comprehensive list of all the scams out there, here are some of the more common ones you may encounter.
Many scams are financially motivated, and scammers will often ask for money via irreversible transaction types, such as money orders, gift cards, or cryptocurrency transfers. Some finance-based scams include:
- Fake charities/disaster fraud: Scammers will create a fake charity looking for donations for good causes or to provide relief to survivors of high-profile natural disasters or tragedies.
- IRS/tax fraud: Someone pretending to be from the IRS contacts you regarding your taxes. They may say you owe late fees or that they need to recalculate your tax refund. They may ask you for money and/or confidential information, such as your Social Security, bank account, or driver license numbers, etc.
  - If you suspect you’ve received a fake IRS email or phone call, or that you have been a victim of tax fraud, visit IRS Report Phishing and Online Scams for next steps.
- Nigerian prince scams: Also called 419 scams, a scammer pretends to be someone needing help moving money out of the country. They promise you money in return for your help but need you to cover some transaction fees in advance.
Health care scams
Scammers know how expensive health insurance can be and have learned how easy it is to prey on our anxiety for affordable health care. They claim to offer major savings on health insurance while trying to get their hands on our current health insurance information, Social Security numbers, and financial information.
Identity theft, a classic scam, is where a hacker uses private information, such as your Social Security number or bank account information, to obtain money, credit, or other resources. Signs of identity theft include bills for products or services you didn’t purchase, unauthorized withdrawals from your bank account, and an unexpectedly low credit score. Report suspicious activity as soon as possible to limit the damage caused by a potential theft of your identity.
Attackers pose as someone in authority, or an IT representative, to obtain information or direct access to systems. Impersonation is often used in social engineering attacks. Attackers may research their target to know enough to persuade you to trust them. Examples include:
- An IRS scam that targets students.
- The “Microsoft computer support” scam. Someone supposedly from the Microsoft or Windows Support Center calls to tell you there's a problem with your computer or that someone's trying to hack in. These scammers usually have you run some simple commands then ask you to install something that will allow them to “fix the problem.” They also might send you an attachment or a link or read you a URL. Following the instructions will give them full access to your computer.
Scams that lock your device and demand you pay money to unlock it. Examples include:
- A pop-up that tells you there is a problem with your device. The pop-up offers free or cheap antivirus software to fix the problem. Once you install the fake antivirus program, it locks your device and you must pay the scammer to unlock it.
- A pop-up that prompts you to sign in with your Windows account or email for “Windows” to fix the problem. After you sign in, the program locks your browser. To unlock it, you must buy antivirus software for $200 or $300. This is a double-whammy because you also give the attacker your credit card information.