Chapter 3 - Crime Areas

3.6 Crimes relating to social engineering - Overview

Social engineering refers to a set of offline and online methods and techniques that aim to manipulate a victim into voluntarily releasing sensitive information or into transferring money. Social engineering is used because people are often the weakest link in system security and the associated costs of such an attack are often significantly smaller compared to attacks on computers and networks [90].

Online social engineering often uses spam and phishing techniques. Since there are almost no costs attached to attempts, the majority of these attacks are distributed en masse to get as many responses as possible. Some attacks are targeted, however: spear phishing or whaling targets high-profile individuals or members of a certain group, such as employees of financial institutions.


Spam uses a variety of communication vectors such as e-mail, social networks, messengers, blogs, forums, comments, autodiallers or SMS messages. Scammers use a number of schemes to get access to the victim’s data and wallet, with most of these falling into the following categories:


Scam Type                        | Modus Operandi
---------------------------------|------------------------------------------------------------------------------------------------------------
Advance fee                      | Pay money to get money, e.g. Nigerian letters, lottery, inheritance…
                                 | Buy fake/non-existent goods, often medication
                                 | Send money to cover medical care, flights or visa
                                 | Invest in non-existent/fraudulently valued companies and pump and dump schemes
                                 | Pay upfront administration fees for a falsely promised service and/or become a money mule
Friend in need                   | Send money to a friend in need whose email, Twitter or social network account has been hacked
                                 | Contribution to an unregistered charity
                                 | Disclose exploitable information, such as credentials, e.g. banking scam, tax scam, raffles
Malicious website or application | Click the malicious link. A friend’s message, adult content, fake virus alerts and breaking news are particularly effective in attracting victims’ attention

While the core mechanic of these scams remains consistent, the modus operandi follows the latest technological trends, such as cryptocurrency transactions.

In 2013, cybercriminals distributed spam leading to a fake Mt. Gox [91] website where they captured login credentials and requested transfers to their Bitcoin wallet [92].

The total daily volume of spam in 2014 is approximately 80 billion messages [93]. However, not all spam reaches its destination. Throughout 2013, roughly 70% of the spam was automatically filtered out [94] using methods such as machine learning and crowdsourcing, i.e. using feedback from users to flag spam. The share of blocked emails decreased from almost 90% in 2010 [95], mainly due to spam moving to different platforms and botnet takedowns.


The majority of phishing incidents start with potential victims receiving spam, luring them to websites attempting to elicit login credentials and other sensitive data from them, or hosting exploits designed to compromise the visitor’s computer system.

A victim’s account details were obtained by phishing emails and sold to a UK suspect for GBP 3,200. Subsequently, over GBP 1 million was stolen from the account in a case that stretched from South Africa to the UK and involved Egyptian and Nigerian nationals.

A number of phishing variants have developed to exploit different communication technologies. These target victims through automated redirects to a bogus website (pharming), SMS (smishing) or phone or VoIP (vishing). Vishing was used to contact victims in the so-called tech support scam, where scammers pretend to be engineers from a software company. A survey of 7000 computer users in the UK, Ireland, US and Canada revealed that 15% of respondents were contacted by the scammers. Of these, 22% handed over credentials needed for a remote connection [96]. In 2013, the scammers replicated the fraud on the Mac platform and at the beginning of 2014, they began targeting Android users [97].

Many cyber attacks cannot be easily categorised as pure malware compromises, hacking, man-in-the-middle attacks or social engineering, as typical incidents may involve a combination of these methods. When criminals are able to exploit a victim’s identity and data in both the physical and online world, they can maximise both the effectiveness of the crime and the impact on the victim.

Facilitators and relevant factors

Entry into phishing is facilitated by the Crime-as-a-Service model. On online forums, offenders can get everything they need to carry out attacks – tutorials, support, tools, templates and even large, sorted datasets of prospective victims. Offenders conducting the more sophisticated attacks often use tools purchased from more technically skilled offenders and may return to the forums to sell harvested data to other offenders for exploitation.

Offenders go to great lengths to make their scam appear legitimate and many scams occur as a result of scanning social networks and other open source data.

In Switzerland, scammers used publicly available data provided by a commercial registry to establish bogus websites for companies with no website of their own. They chose domain names similar to that of the company and made their website appear legitimate and trustworthy for unsuspecting visitors.
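The Swiss case turns on domain names that resemble a real company's. The following is an added example, not code from the report, showing how a defender can screen newly seen domains for such look-alikes by folding away common letter substitutions and measuring edit distance against a list of legitimate domains; it assumes single-label TLDs (no public suffix list) and uses constructed company names and a constructed, non-exhaustive substitution list.

```python
# Added example (not from the report): flag registered domains that imitate
# a company's real domain. Assumes single-label TLDs; sample data is constructed.
import unicodedata

# Substitutions scammers use to imitate Latin letters (constructed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("-", ""))


def normalize_label(domain):
    """Return the registrable label with accents and confusables folded away."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_matches(candidates, legitimate, max_distance=1):
    """Return (candidate, imitated_domain, reason) for every suspicious name."""
    findings = []
    known = {d.lower() for d in legitimate}
    for cand in candidates:
        if cand.lower() in known:
            continue  # the genuine domain itself
        c = normalize_label(cand)
        for legit in legitimate:
            ll = normalize_label(legit)
            dist = edit_distance(c, ll)
            if dist <= max_distance:
                findings.append((cand, legit, f"edit distance {dist}"))
            elif len(ll) >= 5 and ll in c:
                findings.append((cand, legit, "contains brand label"))
    return findings


# Constructed sample data: two fictitious Swiss companies and some registrations.
LEGITIMATE_DOMAINS = ["alpenbank.ch", "muster-ag.ch"]
CANDIDATE_DOMAINS = ["alpenbank.ch", "a1penbank.ch", "alpenbank-online.ch",
                     "alpen-bank.com", "alpenbanc.ch", "musterag.ch",
                     "rnuster-ag.ch", "zurichbakery.ch"]
```

Calling `lookalike_matches(CANDIDATE_DOMAINS, LEGITIMATE_DOMAINS)` flags six of the eight constructed names and leaves the genuine domain and the unrelated bakery alone; a real deployment would feed it newly registered domains or certificate-transparency entries.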

Many spam and phishing attacks use URL shorteners, allowing attackers to hide malicious links behind them [98]. This technique emerged over five years ago and has since been used for both genuine as well as nefarious purposes.

In 2013, approximately 76% of spam was sent from botnets [99]. These provide criminals with monetisation opportunities as well as spreading the malware, fuelling the future growth of the botnet. Attackers may also use the infected bots as SMTP servers and channel spam through these. The main benefit is bandwidth and the large number of different network identities which prevents the spam messages from being easily filtered and/or traced.

Spam and phishing are dependent on the availability of contact details and other personal data. The supply of these is bound to increase due to the number of large scale data breaches in companies holding huge volumes of consumer data.

The growth of the internet gave rise to data brokers, companies competing in a multi-billion euro industry hidden from the view of those whose data is traded. They collect personally identifiable information including online searches, shopping patterns and health statuses, building up a database of consumer demographics which is later sold, often for marketing purposes. Hence it is possible to foresee abuse of this data for spam or phishing [100].


Despite the publicity generated by certain scams and prevention campaigns, the number of victims falling for phishing has increased across Europe. Particularly affected are elderly people who lack internet skills and who are generally more trusting and respectful of official-looking material [101] than younger generations.

Although there is no hard evidence relating to the prevalence of repeat victimisation for cybercrime, many victims falling for scams are likely to be targeted by the criminals again - a concept known as a double-dip scam. For example, the victim may get an offer to recover the lost money in exchange for a fee.

Some organisations will be a target regardless of what they do, but most become a target because of what they do [102]. Major national or international financial institutions and payment services are frequently singled out and accounted for 78.2% of phishing attacks at the end of 2013 [103].