Social Engineering

Social engineering takes place when bad actors trick a victim into releasing confidential information. These incidents happen due to human oversight, which shows that human beings are probably the weakest link when it comes to cybersecurity.

The perpetrators use different methods to gain access to confidential information. For example, they engage in vishing, which is the use of the telephone system to collect intelligence on the target. In some cases, they use VoIP systems to accomplish their goals. The perpetrators engage in phishing, which is done by sending a fraudulent email that seems to be valid and requesting that the user click on a link to validate or update information. They may send an email that’s marked as “urgent” and ask the recipient to open the attachment (e.g., PDF.zip, PDF.rar). If the victim clicks on the link, then there is a high probability that he/she has downloaded and installed ransomware, which will lock the entire hard drive. The perpetrators engage in smishing, which is done by sending text messages to entice the victims to click on a link and divulge information. Finally, the perpetrators engage in impersonation by pretending to be someone else with the objective of gaining access to a protected system or location.

So, the perpetrators have several options for extracting valuable information from their victims. They may bait the victims by tricking them into believing an untrue situation – e.g., leave a flash drive on a desk that is marked as “confidential” and wait for the victim to insert it into his/her computer. Once the flash drive is inserted, it will unload the malware onto the victim’s computer and allow access to confidential files. The perpetrator may hack into the victim’s computer and send emails to his/her friends. The email’s subject may be “Please Click On This Cool Link.” Hence, unbeknownst to the victim, he/she will click on the link and download the malware. Thereafter, the perpetrator can hack into the computer system and extract valuable information. The fraudster may also contact the victim by telephone and pretend to be a well-known company’s IT Support Team. Then, he/she will ask the victim to provide the computer’s login credentials, which allow him/her to gain access to private information and commit identity theft.

Several laws have been proposed to fight against social engineering. For example, the Anti-Phishing Act of 2005 was supposed to amend the federal criminal code and prohibit internet scams that involve the act of fraudulently obtaining confidential information. However, it was never enacted into law. Other federal statutes that may be applicable are the CAN-SPAM Act and 18 U.S.C. § 1028, but they do not specifically mention social engineering. In California, Business and Professions Code §§ 22948 et seq. is the applicable statute, which prohibits certain acts by stating that:

It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.

This state law allows the victim to file a lawsuit and seek legal and equitable damages from the defendant. It allows the victim to seek monetary damages up to $500,000.

Finally, the Federal Trade Commission has an informative website that outlines how to recognize and avoid phishing scams. It provides the following steps: (1) use security software; (2) preset automatic updates; (3) use multifactor authentication; and (4) regularly back up your electronic devices to an external hard drive or cloud. Please contact our law firm if you would like to speak with a qualified attorney.