Social Engineering

I've long been interested in the social engineering techniques virus authors use to get people to open attachments. The Mother's Day bill for the pearl necklace was brilliant, as was the one urging users to open the attachment to protect themselves from viruses.

Phishing is really starting to scare me; the phishers are getting better and better. I am very concerned about my family and other non-geeks out there[1]. Take for example this one I just received:

The first, obvious trick is that they include tips on how to protect your account information on the right, such as the fact that PayPal will never ask you to enter your password in an email (and, true to form, the password prompt is not in the email even in this case; the mail only sends you to a web page). They also give the address of the security tips page on PayPal's site, but it is not an easily clickable hyperlink. If you were to type that URL in manually, you would see the following in PayPal's tips:

Look for a PayPal Greeting: PayPal will never send an email with the greeting "Dear PayPal User" or "Dear PayPal Member". Real PayPal emails will address you by your first and last name or the business name associated with your PayPal account.

Type in the PayPal URL: To safely and securely access the PayPal website or your PayPal account, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following:

[1] Or, I must admit, anyone at all who's had a long day and isn't paying attention. I almost got snagged by a phisher a few weeks ago. It was the end of a long week and a long day and I was exhausted. I had recently made a change to my PayPal account and got a phishing email that same day saying they had some problems with my account, could I pretty please log in to the website to update my data? Fortunately I snapped out of my fog before doing anything dangerous, but the experience really made me nervous for the safety of my family's data online.
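Two of the signs discussed above can be checked mechanically: the generic "Dear PayPal User" greeting from PayPal's own tips, and a link whose visible text names one site while its real href points somewhere else (often a bare IP address). The following is an added example, not code from the original post; the HTML mail bodies are constructed for illustration, the 192.0.2.10 address is a documentation address, and the greeting list and the two-label "same site" test are assumptions that a real filter would tune.

```python
"""Flag the tell-tale signs of a PayPal-style phishing mail (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list; PayPal's tips name the first two explicitly.
GENERIC_GREETINGS = ("dear paypal user", "dear paypal member",
                     "dear valued customer", "dear customer")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of url (scheme optional); '' if unparseable."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip(host):
    """True when the link target is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """Crude check: do the last two DNS labels match? (assumption; ccTLDs differ)"""
    return a.split(".")[-2:] == b.split(".")[-2:]


def phishing_indicators(html):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html)
    lowered = " ".join(text.split()).lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in lowered:
            findings.append(f"generic greeting: {greeting!r}")
            break
    parser = _LinkExtractor()
    parser.feed(html)
    for href, visible in parser.links:
        real = host_of(href)
        if is_ip(real):
            findings.append(f"link target is a bare IP address: {real}")
        # Only compare when the visible text itself looks like a URL or hostname.
        shown = host_of(visible) if re.search(r"\w\.\w", visible) else ""
        if shown and not same_site(shown, real):
            findings.append(f"link text says {shown} but points at {real}")
    return findings


# Constructed sample resembling the mail described in the post.
PHISH = """<html><body>
<p>Dear PayPal User,</p>
<p>We recently had some problems with your account. Please visit
<a href="http://192.0.2.10/webscr/update.php">https://www.paypal.com/cgi-bin/webscr</a>
to update your information.</p>
<p>PayPal will never ask you for your password in an email.
Security tips: www.paypal.com/securitytips</p>
</body></html>"""

# Constructed sample of a mail that follows PayPal's own rules.
LEGIT = ('<p>Dear Jane Doe,</p><p>See <a href="https://www.paypal.com/help">'
         'https://www.paypal.com/help</a> for help.</p>')

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("legit", LEGIT)):
        print(name, phishing_indicators(body) or "no indicators")
```

Note that the unlinked "www.paypal.com/securitytips" text is never examined, exactly as in the real mail: only an actual anchor can lie about where it goes, so the checker compares what an anchor shows against where its href really leads.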

Comments (3)

  1. Emil Wisekal says:

    A year ago, I cancelled my PayPal account within a week of receiving several of these bogus e-mails. I feared, in a moment of unclear thinking, that I might be duped into believing a future request.

    I immediately contacted PayPal customer service by e-mail and told them about the clever bogus messages. I never heard back from PayPal, one way or another. That made my decision easy: if they would not respond before fraudulent activity took place, would they be any more responsive AFTER it took place? I wasn't going to stick around and find out!

  2. Emil Wisekal says:

    Oh, I just remembered, I’d like to know if you would invite me to join orkut.

    At the risk of inviting SPAM, which I hate second only to … no, I think it's at the top of my list – here is my e-mail address: I would have written that to you in private but I could not find your e-mail address on-line.

    Thank you.

  3. Peter Torr says:

    It used to be that the e-mails were all poorly-worded, "obvious" fakes. But they are indeed getting quite clever. For the time being, I would say that any e-mail with a generic "Dear XYZ Customer" title is a fake… but sooner or later they’ll figure that one out, too (by looking up your e-mail address in a customer database stolen from some other website that has your real name in it).

    I recommend everyone runs Outlook in Plain Text mode!

    Tools -> Options -> Email Options -> Read all mail in plain text

    Then you can see the dotted IP addresses instead of the fake address.
