Ignore These E-mails!

Anatomy of a Social Engineering Scam

By Robert E. Holtfreter

Taking Back The ID

In my last column, I wrote about an actual phishing case involving a parent, Laura, of one of my wife’s students. Laura got caught up in a relatively new social engineering scam in which her e-mail contact list was hijacked and used to try to extract money from her friends and others. The Internet Crime Center (IC3) alerted the public about this serious fraud with the following Intelligence Note (“Claims of Being Stranded Swindles Consumers Out of Dollars”) on July 2, 2010: 

The IC3 continues to receive reports of individuals’ e-mail or social networking accounts being compromised and used in a social engineering scam to swindle consumers out of thousands of dollars. Portraying to be the victim, the hacker uses the victim’s account to send a notice to their contacts. The notice claims the victim is in immediate need of money due to being robbed of their credit cards, passport, money, and cell phone; leaving them stranded in London or some other location. Some claim they only have a few days to pay their hotel bill and promise to reimburse upon their return home. A sense of urgency to help their friend/contact may cause the recipient to fail to validate the claim, increasing the likelihood of them falling for this scam. If you receive a similar notice and are not sure it is a scam, you should always verify the information before sending any money.

I wanted to learn how this scheme occurs from start to finish. So I asked Laura to give me the details of how the fraudster stole her e-mail contact list. She sent me the e-mail correspondence between the fraudster and her, and between Laura and one of her friends, plus details of the scam. My thanks to Laura for sharing this information.
