In my last article I talked about how you can use social engineering to your benefit. The reverse is true too: someone can use social engineering on you, to their benefit, while you are kept in the dark. In fact, odds are good that at some point someone has already tried social engineering techniques on you. In bad cases this can cost you your money or your job. If you haven't read the first article, I highly suggest you do so: knowing what techniques are used is the key to recognizing them and keeping yourself from becoming a victim.
Deep web scams
As a buyer on deep web marketplaces it can be hard to tell which vendors are legitimate, even when the market itself is. Selective scammers (vendors who fill most orders but rip off the buyers they think cannot fight back) are everywhere and can be hard to catch. The best way to keep yourself safe is to use a single account so that you build up a history. New accounts are easier for vendors to scam: the vendor can claim they shipped the product, or ship an empty box so they have a tracking number to hand to market support, and it becomes your word against theirs. As a buyer with a history, you have evidence to back up your claim.
If you are looking at a new vendor, always check the marketplace forum (most markets have one) or Dread, which is where many people from reddit's now-defunct darknetmarkets subreddit went. When reading reviews, check whether the poster is a new account or one with history. Older accounts with other posts are usually more reliable; a new account with very little post history can be a vendor's shill account.
One of the first widely publicized social engineering email scams is the classic Nigerian prince email, in which someone claiming to be a Nigerian prince asks for a moderate payment to unlock his funds and promises to reward the victim handsomely for helping. This one is obvious now and few people would fall for it, but these emails have evolved and some are hard to spot. Recent examples are a confirmation for an airline ticket you didn't buy, or a notice that you won a contest you never entered. Both require you to click a link, and they can be very convincing if you travel a lot or enter online contests. Clicking that link can land you on a page that infects your computer with malware that steals login credentials, and you wake up the next day with an empty bank account. Always check that the sender is really who it claims to be: the display name means nothing, so look at the actual address, and remember that even that can be forged. Never click links in an email. Instead, look up the site yourself and navigate to it directly, or search for the link's domain to see what it actually is. Your online security is extremely important. A good read on some security tutorials: http://deepdot35wvmeyd5.onion/security-tutorials/.
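As an added example (not code from the original article), here is a small Python script that does the "look before you click" check described above: it parses a constructed phishing message, lists every link's real destination so you can look the domain up instead of clicking, and flags links whose target domain differs from the sender's domain, whose visible text shows a different domain than the real href, or which are not HTTPS. The sample message, the domain names in it, and the two-label "registered domain" heuristic are all assumptions for illustration; a production tool would use the Public Suffix List instead of that heuristic.

```python
"""Triage the links in a suspicious email without clicking any of them.

Added example; the sample message below is constructed, not a real phish."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "e-ticket" notice whose main link is shown as the
# airline's site but really lands on an unrelated host. All names are made up.
SAMPLE = """\
From: "Sky Air Bookings" <noreply@skyair-example.com>
To: victim@example.org
Subject: Your e-ticket 7781-AAC is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your ticket is ready. View it here:</p>
<p><a href="http://skyair-example.com.ticket-view.example.net/etkt/7781">https://www.skyair-example.com/my-trips</a></p>
<p><a href="https://www.skyair-example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registrable domain': the last two labels of the hostname.

    Enough to catch subdomain tricks like bank.com.evil.example, but wrong for
    suffixes such as co.uk; a real tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """If the anchor's visible text looks like a URL or hostname, return its host."""
    if " " in text.strip():
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def analyze(raw_message):
    """Return the sender and every link, each with the reasons it looks suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content())

    links = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if registered_domain(host) != registered_domain(sender_domain):
            reasons.append("link points to a domain other than the sender's")
        shown = domain_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append("visible text shows a different domain than the real target")
        if parsed.scheme != "https":
            reasons.append("not https")
        links.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return {"display_name": sender.display_name, "sender_domain": sender_domain, "links": links}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(f'From: "{report["display_name"]}" @ {report["sender_domain"]}')
    for link in report["links"]:
        flag = "SUSPICIOUS" if link["reasons"] else "ok"
        print(f"[{flag}] {link['host']}  (shown as: {link['text']!r})")
        for reason in link["reasons"]:
            print("    -", reason)
```

Run it and the first link is flagged three times (wrong domain, mismatched visible text, plain HTTP) while the unsubscribe link on the sender's own domain passes. Note that a clean report is not proof of safety: a sender address can be forged, and a link on the "right" domain can still be a compromised page, so the output is a list of domains to look up, not a verdict.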
Phone scams are common too. Many people are taken in by calls from someone claiming to be the IRS, saying they owe a large sum that can be made to go away if a small percentage of it is paid on the spot. Or a "relative" in urgent need of money because they were arrested or are in some sort of trouble. The IRS does not call to demand immediate payment; it initiates contact by mail and will not ask you to pay by gift card or wire transfer. Whenever a caller asks for money, make sure you know exactly who you are talking to. Since caller ID can be spoofed, you can always hang up and call back on a number you look up yourself, not one the caller gives you, so that you are sure it's the right number and person.
In person social engineering attempts
Many companies and buildings hold private information that is valuable to competitors or to hackers looking to make a buck. The best advice is: don't be the nice guy. In the last article I talked about reciprocation, and how a kind gesture makes the recipient feel obligated to return it. Never do something for someone you do not know just because of social pressure. When handing out access, always verify the identity of the other person, especially over the phone, such as an internal call from "IT"; hanging up and calling back on the number in the company directory beats trusting the number the caller gives you. If a new face is asking for something, verify them by their badge, or by asking simple questions about the company that only an actual employee would know, before handing out access. The simplest way to sum this up: always be suspicious of others' intentions.