
Three Types of Diabolical Social Engineering Scams

What new tricks should you be watching out for these days?

By Brett Cruz & Gabe Turner (Chief Editor)
Last Updated Jan 31, 2023

We hear about it all the time: poor souls bilked out of their life savings because they fell victim to some online scam. We hear about it, but usually we dismiss it because we think we’re immune to scams. We know all about those emails from rich Ethiopians who need to deposit some funds in our account. We would never fall for something so ridiculous.

The thing is, scams get more sophisticated every day. Many now employ something known as “social engineering.” Basically, that means they use psychology to predict how you’ll behave in certain social situations and then use those predictions to set you up for a big fall. Pretty sophisticated. Sophisticated enough that, according to the FBI, over 300,000 Americans fall victim to such scams each year at a cost of some $45 million [1].

Want to know more? We have all the details on three truly diabolical social engineering scams, including who got scammed and exactly how it happened. More importantly, we also have some useful tips on how to avoid such scams. No matter who you are, unless you are always on your guard, you can fall victim to these kinds of scams.

The Three Most Diabolical Social Engineering Scams

Abraham Lincoln famously said, “You can fool all the people some of the time and you can fool some of the people all the time, but you can’t fool all the people all the time.” Maybe. But Lincoln never came across these three scams, all of which employ diabolical social engineering tactics to fool people into giving up millions of dollars.

The Google Docs Scam

Let’s start with a scam still being used by identity thieves all over the web that we should all continue to watch out for. Like all social engineering scams, it relies on our normal, everyday behaviors to trip us up.

Here’s how it works: You go into the office one day, open your computer, and find an email from some policy journal or think tank — one you immediately recognize as prestigious. The email asks you to contribute your opinion to a document they’re putting together on immigration, or food preservatives, or the rising price of eggs. All you have to do is click a link to a Google doc and type in your blurb. You’re flattered to be asked, and it makes you feel important. Maybe there are already blurbs from some of your colleagues, and you don’t want to miss out on the recognition they’re getting. Because you’re being sent a Google doc, the email itself comes from Google, and that seems legit.

On the Google doc itself, you notice a link or two to some enticing story related to the subject. Maybe one of your colleagues posted a link to a story they wrote. Intrigued, you click the link — and presto, your device is suddenly inundated with adware, spyware, or worse. The beauty of the scam is that your blurb — which, like other parts of this scam, is genuine — can then be used to lure the next victim.

The Google Doc scam works like a lot of scams — by relying on our desire to be seen as important. In addition, it offers lots of reasons to trust the source. Combine those two elements, and you have a scam that’s difficult to resist.

The Deepfake Energy Scam

Here’s another, more famous, example of a social engineering scam. This one happened in March 2020, and it, too, is ultimately all about trust.

The CEO of a major U.K. energy company received a call from his boss, the CEO of his company’s parent company. The boss told the CEO he needed to transfer $243,000 from one company account into another. The request was urgent, and what business executive is going to tell his boss no? Turns out, the voice was generated by sophisticated AI software — an example of what’s known as a “deepfake.” Deepfakes rely on the latest technology to create images, videos, and audio that are indistinguishable from the real thing. The scammers also used spoofing software to make it appear that the phone call came from the boss, so you can understand why even someone as educated and savvy as a CEO may fall for this scam.

In the end, this one wasn’t just about the willingness to trust a recognizable source. It was about the fear of not trusting that recognizable source. Fear can be a powerful motivator.

The Twitter Celebrity Scam

One of the most popular scams in recent years takes advantage of our natural desire to help others. Some unspeakable tragedy happens — an earthquake in Indonesia, say, or a typhoon in Japan — and we want to reach out to victims to help, even if only in some small way. So when we’re asked to donate to relief efforts, we’re eager to help. Often, though, we discover later that the fund we’ve donated to is completely bogus. Whoever went to the trouble of setting it up makes off with millions. It’s not just a diabolical scam; it’s despicable.

The Twitter celebrity scam in July 2020 was even more insidious because it relied on our willingness to trust the powerful and famous. In this case, the thieves went to the trouble of hacking into several of the most famous Twitter accounts — 130 in all — including those of Joe Biden, Elon Musk, Bill Gates, and Barack Obama. The hackers then sent tweets from the accounts asking other Twitter users to “give back,” and, as an added incentive, promising to match and even double every donation that came in.

The scam relied on our willingness to trust certain individuals and institutions, but also took advantage of our sympathy for others and our desire to be better people.

Tips for Avoiding Social Engineering Scams

If you keep in mind how social engineering scams work, you can probably work out some ways to avoid them.

  • Install strong antivirus software, and keep it up to date. If you’re tricked into clicking on a piece of malware, your antivirus should be able to stop it before it gets started.
  • Don’t open emails or texts from suspicious sources. Taking this precaution may not protect you from a deepfake scam, but it can keep you from falling victim to less sophisticated attacks.
  • Use multifactor authentication when you can. Multifactor authentication requires you to submit different kinds of ID to prove you are who you say you are and that others are who they say they are. Maybe a scammer has the technology to create a deepfake voice, but can they supply a password or fingerprint as well? Probably not.
  • Don’t post information about yourself online. You’re probably smart enough not to post credit card numbers, bank account information, or passwords online. Scammers, however, can use even the most innocuous-seeming details about you to create a social engineering scam. Post on social media that you’re heading on vacation, and you’re inviting a potential scammer to call you pretending to be the police and claiming you’ve had a break-in. At that point, you are vulnerable to all sorts of scams.
  • Most importantly, cultivate a skeptical mindset. These days, you just can’t trust anyone or anything you encounter online. Any offer that seems too good to be true probably is. Anyone who seems too friendly probably has an agenda. When you’re online, you have to be cautious — even of people you may otherwise trust. You just never know when someone isn’t who they claim to be.
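To make the multifactor and skepticism tips concrete, here is an added example (not code from the original article or from its authors) of a verification gate for urgent money-transfer requests like the one in the deepfake story. It treats the displayed caller ID as untrusted, calls the requester back on the number already on file, and requires a one-time code delivered to a device registered to that person. The directory, phone numbers, device ids and both scenarios are constructed for this example.

```python
"""Added example: a verification gate for urgent transfer requests.

The displayed caller ID is never used for verification (it can be spoofed),
the requester is called back on the number on file, and a one-time code
delivered to their registered device must be read back. Urgency buys no
shortcut. All directory entries, numbers and device ids are constructed.
"""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
import hmac
import secrets

# Constructed directory: who may authorize transfers, their number on file,
# and the device registered to receive one-time codes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "parent-company CEO": {"phone": "+44-20-7946-0001", "device": "dev-ceo-01"},
}

# Simulated delivery channel for one-time codes: device id -> last code sent.
DEVICE_INBOX: Dict[str, str] = {}


@dataclass
class TransferRequest:
    claimed_requester: str     # who the voice on the phone says they are
    displayed_caller_id: str   # what the handset showed; spoofable, so never trusted
    amount_usd: float
    urgent: bool               # recorded for the audit trail, but changes nothing


def send_one_time_code(device_id: str) -> None:
    """Deliver a fresh code to the registered device (simulated in-process)."""
    DEVICE_INBOX[device_id] = secrets.token_hex(4)


def verify_transfer(
    req: TransferRequest,
    callback_answer: Callable[[str], bool],
    code_from_requester: Callable[[], str],
) -> Tuple[bool, List[str]]:
    """Return (approved, audit_trail).

    callback_answer(phone) simulates what the person reached on the number on
    file says when called back; code_from_requester() is the code the caller
    reads back to us.
    """
    trail: List[str] = []
    entry = DIRECTORY.get(req.claimed_requester)
    if entry is None:
        trail.append("reject: claimed requester is not authorized for transfers")
        return False, trail

    # Step 1: the caller ID is logged for the record only, never used to verify.
    trail.append(f"caller ID shown {req.displayed_caller_id!r} (not used for verification)")

    # Step 2: call back on the number on file, never the number that called us.
    if not callback_answer(entry["phone"]):
        trail.append(f"reject: callback to {entry['phone']} did not confirm the request")
        return False, trail
    trail.append("callback confirmed")

    # Step 3: a second factor the caller must possess: the registered device.
    send_one_time_code(entry["device"])
    expected = DEVICE_INBOX[entry["device"]]
    if not hmac.compare_digest(expected, code_from_requester()):
        trail.append("reject: one-time code mismatch")
        return False, trail
    trail.append("one-time code confirmed")

    # Step 4: urgency and seniority do not bypass the gate.
    trail.append(f"approve: {req.amount_usd:,.0f} USD (urgent={req.urgent})")
    return True, trail


def deepfake_scenario() -> bool:
    """Spoofed caller ID plus a convincing voice. The callback reaches the real
    executive, who never made the request, so the gate rejects it."""
    req = TransferRequest("parent-company CEO", "+44-20-7946-0001", 243_000, urgent=True)
    approved, _ = verify_transfer(
        req,
        callback_answer=lambda phone: False,      # real CEO: "I never asked for that"
        code_from_requester=lambda: "00000000",   # impostor has no registered device
    )
    return approved


def legitimate_scenario() -> bool:
    """The real executive confirms on callback and reads the code from their device."""
    req = TransferRequest("parent-company CEO", "+44-20-7946-0001", 243_000, urgent=True)
    approved, _ = verify_transfer(
        req,
        callback_answer=lambda phone: True,
        code_from_requester=lambda: DEVICE_INBOX["dev-ceo-01"],
    )
    return approved


if __name__ == "__main__":
    print("deepfake request approved?", deepfake_scenario())
    print("legitimate request approved?", legitimate_scenario())
```

The design point is that both extra checks go through channels the impostor does not control: the callback number comes from the directory rather than from the inbound call, and the code is delivered to a device enrolled in advance, so a convincing voice and a spoofed caller ID are not enough on their own.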

Recap

What have you learned from this list of diabolical social engineering scams? You’ve learned three scams to avoid, but hopefully you’ve also learned something deeper: It’s not always as easy to spot scams as you may think.

Scammers spend all their time coming up with new ideas, so you’ll have to exercise a little caution if you’re going to keep up with them. You’ll have to keep your antivirus on all the time, invest in identity theft protection, and install a VPN. You can be safe online, but online security doesn’t just happen. You have to do your part.

Citations
  [1] Federal Bureau of Investigation. (2021). Internet Crime Report. ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf