
Identifying Social Engineering

Social engineering, with respect to the web, is the psychological manipulation of web maintainers (or content owners) into performing certain actions, such as selecting links in emails and adding those links to websites. Done in a black hat manner, this can have adverse effects for you, the University, and/or the visitors to your website.

Tips to Avoid Being Socially Engineered

These are some of the checks you should make before selecting links in emails or posting those links or link badges on your website. The real email examples below them (information redacted to protect identities) will help you identify some of the more subtle cases.

  • Check the email address
    • Legitimate company or firm?
    • Words spelled correctly?
    • Is a word spelled slightly off, or is extra punctuation added to what would otherwise be a legitimate company or firm?
  • Check proper email writing
    • Check spelling
    • Check grammar
    • Check punctuation (or missing punctuation)
  • Check for an emotional plea
    • Are they trying to convince you to do something in a short time frame, due to some determined urgency?
    • Are they insisting that you respond to an email they've sent you before?
    • Are they using reverse psychology?
    • Are they pleading to your humanity?
  • Check how they found you and how relevant you are to the link exchange they are requesting
    • Keywords randomly found on your page?
    • Do you have a resource page with your email address on it?
  • Check the links from a search engine instead of the email
    • Does the ranking website even appear on the first page of results when you search for it by name alone?
  • Check their methodology for scientifically defensible weights and measurements
    • What is their scope?
    • What are their criteria?
    • Where (sources) do they collect their information?
    • Is their information even accurate?
    • How do they calculate the results?
    • How do they weigh their results?
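
Most of the checklist can be scripted so that every email asking for a link gets the same treatment. The Python below is an added example and is not part of the original page or Web Services' tooling. It parses a raw message and flags an empty subject, a sender domain that is a near miss of a trusted domain, a generic greeting, urgency and emotional-plea phrases, requests to post a link, links whose visible text points somewhere other than their real destination, and links to your own site that carry extra parameters. The trusted domain list, the phrase lists and the sample message are assumptions constructed for the example; the sample is loosely modelled on Email Example #2 below and is not a real message.

```python
import re
import difflib
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this site treats as trusted senders and link targets.
TRUSTED_DOMAINS = {"tarleton.edu", "tamus.edu"}

# Assumption: starter phrase lists drawn from the checklist above (urgency,
# emotional plea, request to post a link). Extend them from your own mail.
PRESSURE_PHRASES = [
    "this friday", "today", "right away", "as soon as possible", "immediately",
    "as a mother", "the kids", "child safety", "hard work", "surprise",
]
LINK_REQUEST_PHRASES = [
    "resources page", "resource page", "add the above link", "add this link",
    "adding them to your", "badge", "seal",
]

BARE_URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Anchor text that itself looks like a URL or hostname, so it can lie about the target.
DISPLAY_URL_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]|$)", re.IGNORECASE)
GREETING_RE = re.compile(r"\s*(?:hi|hello|dear)\s+(?:there|sir|madam|friend|webmaster)\b")


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, cutoff=0.8):
    """Return the trusted domain that `domain` closely resembles but is not, else None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    close = difflib.get_close_matches(domain, sorted(trusted), n=1, cutoff=cutoff)
    return close[0] if close else None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    host = host.lower()
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def message_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def extract_links(body):
    """Return (href, visible text) pairs: HTML anchors first, then bare URLs."""
    links = [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in ANCHOR_RE.findall(body)]
    seen = {href for href, _ in links}
    for url in BARE_URL_RE.findall(body):
        url = url.rstrip(".,;:!?")          # drop sentence punctuation glued to the URL
        if url not in seen:
            links.append((url, url))
            seen.add(url)
    return links


def analyze_email(raw, trusted=TRUSTED_DOMAINS):
    """Run the checklist over one raw RFC 822 message and return a list of findings."""
    msg = message_from_string(raw)
    findings = []

    if not (msg.get("Subject") or "").strip():
        findings.append("empty subject line")

    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    near = lookalike_domain(domain, trusted)
    if near:
        findings.append(f"sender domain {domain} resembles {near}")
    elif not is_trusted_host(domain, trusted):
        findings.append(f"sender domain {domain or '(missing)'} is not a trusted domain")

    body = message_text(msg)
    text = re.sub(r"<[^>]+>", " ", body).lower()   # strip tags before phrase checks
    if GREETING_RE.match(text):
        findings.append("generic greeting: sender does not know who you are")
    findings += [f"pressure phrase: {p!r}" for p in PRESSURE_PHRASES if p in text]
    findings += [f"link request phrase: {p!r}" for p in LINK_REQUEST_PHRASES if p in text]

    for href, shown in extract_links(body):
        target = urlparse(href)
        host = target.hostname or ""
        if not is_trusted_host(host, trusted):
            findings.append(f"link to external host {host}")
        if DISPLAY_URL_RE.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host != host:
                findings.append(f"link text shows {shown_host} but points to {host}")
        if target.query and is_trusted_host(host, trusted):
            # Even a link to your own site can carry tracking or injected parameters;
            # retype the address yourself instead of clicking it.
            findings.append(f"link to {host} carries extra parameters: {target.query}")
    return findings


# Constructed sample, loosely modelled on Email Example #2 (not a real message).
SAMPLE_EMAIL = """\
From: "A. Tutor" <tutor@tar1eton.edu>
To: webmaster@tarleton.edu
Subject:
Content-Type: text/html; charset=utf-8

Hi there,<br>
The kids that I mentor think your page on space is very helpful!
http://www.tarleton.edu/Costweb/sps?ref=tutor-mail<br>
They were hoping you would add the above link to your page, and because of
their hard work I told them they could have a surprise pizza party this Friday ;)<br>
Here is the resource: <a href="http://astro-links.example/guide">www.tarleton.edu/astronomy</a>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

Each finding is a sentence you can forward to Web Services with the original message. The phrase lists are deliberately crude: the value of the script is that it forces the domain, the greeting and the real link destinations to be looked at every time, which is exactly what a well-crafted plea is designed to stop you from doing.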

If you do find an email that looks like social engineering, go ahead and delete it. If you think it may be legitimate, forward it to Web Services, and we'll investigate it for you. If you have any other questions about social engineering in general, you can contact Tarleton's Information Security Officer, Marilyn Meador.

Email Example #1: The Subject Matter Doesn't Matter

Subject Line: (empty)
Hi there,

I hope Monday is treating you well? I was just browsing and came across your site. I was wondering if I could offer a couple of suggestions.

As a mother, child safety is very important to me.

Here is a couple of guides I consider to be of great help. Would you consider adding them to your resources page? I think it covers a lot so I’m sure your readers would find them a worth-while read.

1) [Random keyword related link]
2) [Random keyword related link]
3) [Random keyword related link]

And this was the page is was referring to: [Completely unrelated webpage (music education resources page) on our website that uses related keywords on education and children and contains lots of resource links].

Either way, I liked your site, keep it up

Kind regards,
[A robot scanning our website]
Text from real email / Social engineering observations

Email: Subject Line: (empty)
Observation: Blank subject lines pique curiosity. Opening an email is mostly harmless on its own, as long as you don't open attachments or select links in the message.

Email: Hi there,
Observation: Not every website lists names in its contact information, but keep that in mind when looking at greetings to see whether the sender even knows who you are.

Email: I hope Monday is treating you well? I was just browsing and came across your site. I was wondering if I could offer a couple of suggestions.
Observation: There is nothing wrong with website feedback, so they know you will read on, assuming this is a human with some genuine concerns.

Email: As a mother, child safety is very important to me.
Observation: Until you read down to which webpage this refers to, you are likely confused as to why this topic is being raised with you. Since we are in education, child safety certainly seems appropriate, so maybe something happened on campus? This is the emotional plea. Curiosity is piqued further.

Email: Here is a couple of guides I consider to be of great help. Would you consider adding them to your resources page? I think it covers a lot so I’m sure your readers would find them a worth-while read.
Observation: You can’t fully identify the mother or her likelihood to use proper grammar and punctuation, but the real warning bells should ring when you are asked to add anything to “your resources page”, assuming it is the page of resources they reference further down the email.

Email:
1) [Random keyword related link]
2) [Random keyword related link]
3) [Random keyword related link]
And this was the page is was referring to: [Completely unrelated webpage (music education resources page) on our website that uses related keywords on education and children and contains lots of resource links].
Observation: After looking at the topics of the links, which are redacted in this example for security purposes, and comparing them to the referenced page, you will typically notice they are barely related. In this case, the referenced page was on a Music Education website with resources on educating children. The focus was entirely on music, not safety, so the keywords “education” and “children” were picked up by the robot, along with the fact that the referenced page included a lot of external links and mentioned being a “resource”. (Note: because this very page on social engineering in emails uses the word "resources" so many times, it is a prime target for these robots to scan and send emails about resources to include on this page.)

Email: Either way, I liked your site, keep it up
Observation: Reverse psychology, to make you feel you still should add the resource links even though you were told you don’t have to, along with a final cheer for your great efforts on the resources page. Additional improper sentence structure and poor punctuation. Note this is often a sign of foreign scam artists translating their message into English.

Email: Kind regards, [A robot scanning our website]

Email Example #2: The Emotional Plea with Urgency

Subject Line: Astronomy info from retired teacher and students:)
Hi there,

My name's [a robot scanning our website] and I'm a tutor at the local middle school. The kids that I mentor wanted me to email you and let you know that they think your page, on space is very helpful! We have been learning all about astronomy, since a parent donated an amazing telescope to the school. http://www.tarleton.edu/Costweb/sps

As a thank you they wanted me to reach out to you and give you another great resource they have been using and have found helpful [Random astronomy keyword related link]

This group of kids really are wonderful and have come a long way in learning, they were hoping you would add the above link to your page, and because of their hard work, I told them they could have a surprise pizza party this Friday ;)

Let me know if this is something you would be interested in adding to your page!

Thanks,
[A robot scanning our website]
Text from real email / Social engineering observations

Email: Subject Line: Astronomy info from retired teacher and students:)
Observation: This email appears to have come from a human because the subject line contains a smiley-face emoticon. It is intentionally the first thing to disarm you, since it seems like a genuinely nice person is writing. It also seems related to the content, so you are inclined to open and read it, which is harmless on its own.

Email: Hi there,
Observation: Not every website lists names in its contact information, but keep that in mind when looking at greetings to see whether the sender even knows who you are.

Email: My name's [a robot scanning our website] and I'm a tutor at the local middle school.
Observation: They have identified themselves as someone who should be well able to write with proper sentence structure, grammar and punctuation (a retired teacher, per the subject line), so check whether they act the way they claim.

Email: The kids that I mentor wanted me to email you and let you know that they think your page, on space is very helpful! We have been learning all about astronomy, since a parent donated an amazing telescope to the school. http://www.tarleton.edu/Costweb/sps
Observation: Not sure why a comma sits between “page” and “on”, but it may be a harmless copy/paste issue. Note such things if they recur. The link is presented next. Even though it is one of Tarleton's webpages, do not select the link: it may have additional code attached to it. Type the Tarleton address into your own browser to see what they are referencing.

Email: As a thank you they wanted me to reach out to you and give you another great resource they have been using and have found helpful [Random astronomy keyword related link]
Observation: This is where warning bells should ring. Look at the link text (redacted here for security purposes) and note whether its content is relevant to the webpage they referenced. More often than not, it is just a keyword a robot found on your webpage. In this case they did hit an appropriate page, Tarleton's Society of Physics Students website, which lists resource links about astronomy, though astronomy is only one topic in physics if you look at the entire listing of resources there. It seems suspicious at this point, but they are hoping your resource page will take one more link.

Email: This group of kids really are wonderful and have come a long way in learning, they were hoping you would add the above link to your page, and because of their hard work, I told them they could have a surprise pizza party this Friday ;)
Observation: This is the second round of emotional manipulation, the plea to add their potentially harmful link to your website. They also manufacture urgency, since the “surprise pizza party” is “this Friday,” but look further at that phrase. It isn’t a surprise if they already told the students. And how is finding one resource page (ours) over another (the one they want us to include) worthy of such a celebration in middle school? There are astronomy resources all over the internet, including far more influential and knowledgeable entities (e.g. NASA). This poor logic points to a fabricated story. Note again the improper punctuation, the run-on sentence, and the emotional plug of yet another smiley-face emoticon.

Email: Let me know if this is something you would be interested in adding to your page!
Observation: Never respond to suspicious emails, even to tell the sender to stop emailing you. A reply confirms your address is active, and the robot will add it to a database for further campaigns, likely under a different supposed sender (bad actor).

Email: Thanks, [A robot scanning our website]

Email Example #3: The Popularity Vote-Based Methodology for Ranking Websites

Subject Line: Spring 2015 [Graduate Program We Have] Rankings announced!
[Website collecting user information to sell to third-parties] is pleased to announce its Spring 2015 [Graduate Program We Have] according to students, enumerating the best graduate programs in the country based solely on ratings and reviews from current or recent graduate students posted on [website collecting user information to sell to third-parties].

Program rankings, compiled using data gathered between September 1, 2012 and March 31, 2015, encompass reviews posted by more than 70,000 students participating in over 1,600 graduate programs nationwide. Ratings are based on a 10 star system (with 1 being the worst and 10 being the best).

For a copy of our Top Rankings Badge & Seal, please click on the link.

For the rankings page, please click [Graduate Program We Have] Rankings

The [Top Graduate Program We Have] are listed below:

[1 - 7 removed]
8 Tarleton State University
[9 - 25 removed]

METHODOLOGY
[Website collecting user information to sell to third-parties] reaches current and recent graduate students through scholarship entries as well as social media platforms.

[Website collecting user information to sell to third-parties] assigns 15 ranking categories to each graduate program at each graduate school. Rankings cover a variety of student topics such as academic competitiveness, career support, financial aid and quality of network.

For a given graduate program, rankings are determined by calculating the average score for each program based on the 15 ranking categories. These scores are then compared across all ranked schools for that program and are translated into a final ranking for that graduate program, i.e., “business and management”. A given graduate program is not ranked until a minimum threshold of graduate student surveys is completed for that program

[Contact information for a robot scanning our website]
Text from real email / Social engineering observations

Email: Subject Line: Spring 2015 [Graduate Program We Have] Rankings announced!

Email: [Website collecting user information to sell to third-parties] is pleased to announce its Spring 2015 [Graduate Program We Have]
Observation: They want to convince you right away that they are offering you a good deal: a degree program ranking that looks really good for you.

Email: according to students, enumerating the best graduate programs in the country based solely on ratings and reviews from current or recent graduate students posted on [website collecting user information to sell to third-parties].
Observation: A warning bell should have rung on the phrase “solely on ratings and reviews” alone, but unless you do a deep dive into their rating system you may not realize this amounts to a popularity vote among random users who create accounts on the site. Creating an account puts personal information into third-party hands. Once you see your rank, it can also tempt you to encourage others to submit their personal information to raise the university’s standing in the vote.

Email: Program rankings, compiled using data gathered between September 1, 2012 and March 31, 2015, encompass reviews posted by more than 70,000 students participating in over 1,600 graduate programs nationwide.
Observation: Given that 15-20 million people were college students and about 66.9 million had at least a four-year degree in the U.S. during that period, 70 thousand respondents spread over 1,600 programs is rather thin (a deep dive showed this is not a fair cross-section of graduates on each campus). It suggests an upstart website trying to add more users to its personal-information database.

Email: Ratings are based on a 10 star system (with 1 being the worst and 10 being the best).

Email: For a copy of our Top Rankings Badge & Seal, please click on the link. For the rankings page, please click [Graduate Program We Have] Rankings
Observation: They hope you are so sold by now on how well your program is doing that you won’t investigate further and will just grab the image and post their link. But they know better than to stop here to seal the deal.

Email: The [Top Graduate Program We Have] are listed below: [1 - 7 removed] 8 Tarleton State University [9 - 25 removed]
Observation: As a setup for the Methodology described below: on deep dive investigation, the site’s university report cards are dominated by the stars given to each university (about 60% of the page’s real estate), but closer inspection showed how many respondents had actually voted to make Tarleton #8: seven. None could be identified as legitimate Tarleton students, since they were aliases. The #1 university had 29 respondents. The #2 university had only one.

Email: METHODOLOGY [Website collecting user information to sell to third-parties] reaches current and recent graduate students through scholarship entries as well as social media platforms.
Observation: An admission of where they attempt to socially engineer you into competing for rankings by creating user accounts and handing personal data to third parties. Fake ranking websites and scholarship applications are huge social engineering schemes aimed at higher education officials, along with "resource" links.

Email: [Website collecting user information to sell to third-parties] assigns 15 ranking categories to each graduate program at each graduate school. Rankings cover a variety of student topics such as academic competitiveness, career support, financial aid and quality of network. For a given graduate program, rankings are determined by calculating the average score for each program based on the 15 ranking categories. These scores are then compared across all ranked schools for that program and are translated into a final ranking for that graduate program, i.e., “business and management”.

Email: A given graduate program is not ranked until a minimum threshold of graduate student surveys is completed for that program
Observation: Not sure what they define as a “minimum threshold”, but if one respondent can give a university a #2 ranking, the threshold was not set to avoid the extreme bias (or false voting) that popularity contests invite.
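
The methodology observations above come down to two checks you can run on any review-based ranking: what the respondent threshold actually excludes, and how many sock-puppet accounts it would take to move a school to the top. The Python below is an added example, not the ranking site's code or data. The review counts are constructed to mirror the situation described (one school at #2 on a single respondent, Tarleton at #3 on seven, the leader on 29) and the numbers that come out are a property of those constructed scores only.

```python
from statistics import mean

# Constructed review data for one program: school -> list of 1..10 star ratings.
# Illustrative numbers only, not the ranking site's data.
REVIEWS = {
    "School A": [9] * 20 + [10] * 9,                      # 29 respondents, avg 9.31
    "School B": [9],                                      # 1 respondent, avg 9.0
    "Tarleton State University": [8, 9, 7, 8, 9, 8, 8],   # 7 respondents, avg 8.14
    "School D": [7] * 12,                                 # 12 respondents, avg 7.0
}


def rank_programs(reviews, min_reviews=1):
    """Average-score ranking; schools under the respondent threshold stay unranked.

    Returns (school, rounded average, respondent count) tuples, best first.
    """
    eligible = {s: r for s, r in reviews.items() if len(r) >= min_reviews}
    ordered = sorted(eligible, key=lambda s: mean(eligible[s]), reverse=True)
    return [(s, round(mean(eligible[s]), 2), len(eligible[s])) for s in ordered]


def votes_needed_for_first(reviews, school, max_votes=1000):
    """How many 10-star reviews from new accounts put `school` strictly in first place.

    Returns None if it cannot be done within max_votes (e.g. the leader already
    averages a perfect 10, so it can only be tied).
    """
    best_other = max(mean(r) for s, r in reviews.items() if s != school)
    scores = list(reviews[school])
    for added in range(max_votes + 1):
        if mean(scores) > best_other:
            return added
        scores.append(10)
    return None


if __name__ == "__main__":
    print("No threshold:", rank_programs(REVIEWS))
    print("Threshold of 25 respondents:", rank_programs(REVIEWS, 25))
    print("10-star reviews needed to make Tarleton #1:",
          votes_needed_for_first(REVIEWS, "Tarleton State University"))
```

With no meaningful threshold a single 9-star review takes second place, while a threshold of 25 leaves only one school ranked at all, which is why a site that wants a long list of "top" programs has an incentive to keep the threshold low. The vote-stuffing count is the number a practitioner should ask for before posting any badge: if a dozen throwaway accounts can rewrite the list, the badge says nothing about the program.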