Some of the most dangerous social engineering tricks we have found are often the smallest and simplest emails. They come from criminal gangs who are trying to install malware on your computer to take control of it in some fashion. To do that, they must first convince you to open an attached file (or click a link) that will open the door to your computer.
As related to scams, social engineering refers to the behavioral manipulation of a potential victim by a scammer. Typical forms of online social engineering by scammers are to trick someone into clicking a link, downloading a file or visiting a malicious website.
These small and simple emails are meant to arouse your curiosity and commonly have an informal tone, as if the sender knows you. And while many savvy people know there are significant risks to downloading zipped files or “.exe” files (though some don’t!), most people don’t realize that simple Word and Excel docs, or even PDF files, can contain malicious code.
Check out each of these samples and ask yourself if you would have been curious enough to click on the attachments.
1. Subject: Payment
“Any chance of getting this invoice paid, please?”
2. Subject: RE: contract questions
“I’ve been reading our contract , and I have a few questions.”
3. Subject: DHL Tracking Number: 2561991784
“Dear Consignee, We have successfully received a parcel send you from your business partner.”
In case some of our readers had doubts about the threat that can be carried in a PDF file, we downloaded the attached file and asked VirusTotal.com to review it. Look below at the threat score.
4. Subject: New Doc 86
“Sent from Yahoo Mail on Android”
5. Subject: hi (username)
“really you can make a change…”
This scam contains a shortened URL rather than an attached file. The person clicking has no idea where that URL will lead unless they know how to unshorten it before they click it.
6. Subject: Your electricity bill -649$
(No text in email; just an attachment.)
Bottom line: don’t let your curiosity get the better of you. And if you feel ABSOLUTELY compelled to download the file, at least visit VirusTotal.com and upload the file for them to review.