'Social engineering' is a big part of how criminals steal your money today: it’s a lot smarter and safer than robbing a bank.
The trick is feigned familiarity: a familiar style of email, a pretended common friend, or anything else resembling something you might expect.
The trick can be via email. Or it can be a phone call or even in person (“I'm a friend of X”). All of it relies on the desire of most people to help out those they know, to do the right thing.
Alternatively, it may play on a predictable “I didn’t buy that!” reaction, enticing the reader to click on a fake link, as the example below shows.
PayPal is a big target for such scams, though it would be unfair to single out PayPal: Google Checkout and every such service, every bank, every stockbroker, every company with a web site can be targeted this way. Usually it’s obvious: you get an email advising you to log in and fix XYZ. Except that it’s a company you’ve never done business with.
The foregoing is the tip of the iceberg.
One common email ploy is to send a very real looking invoice for something you allegedly just purchased. No, I have not been buying watches lately.
Some links within the message attempt to fool you by taking you to the authentic PayPal site. But the transaction links and the link to the product description are traps you are intended to click on.
All sorts of evils await—
- It might be a site that exploits a particular browser weakness to compromise your machine and add it to a botnet, or worse.
- It might be a site that looks identical to PayPal. You then enter your username and password, the site collects these things, then your account is emptied soon after (perhaps along with a linked bank account).
- Simply enabling the display of images in emails lets the sender know you are a real live email reader. Disable automatic display of images in Apple Mail.
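As an added, defensive example that is not part of the original post: a small Python checker that pulls every link out of an HTML email body, flags links whose visible text names the brand but whose host is not the brand's domain (the trap links described above), lists every off-brand host, and lists remote images (the tracking pixels the last point describes). The sample message and every domain in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML "invoice" email (not a real message).
SAMPLE_EMAIL_HTML = """
<a href="https://www.paypal.com/help">PayPal Help Center</a>
<a href="http://paypal.com.example-secure-login.net/tx/4711">View transaction on PayPal</a>
<a href="https://example.net/product">Product description</a>
<img src="http://tracker.example.net/pixel.gif?id=abc" width="1" height="1">
"""

def registrable(host):
    """Crude 'last two labels' domain: 'www.paypal.com' -> 'paypal.com'."""
    return ".".join((host or "").lower().split(".")[-2:])

class EmailLinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.remote_images, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = [a["href"], ""]          # start collecting the anchor's visible text
        elif tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            self.remote_images.append(a["src"])      # fetching this tells the sender you opened the mail

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def audit_email(html, trusted_domain="paypal.com"):
    """Return brand-mismatched links, all off-brand hosts, and remote image URLs."""
    p = EmailLinkAuditor()
    p.feed(html)
    brand = trusted_domain.split(".")[0]             # 'paypal'
    mismatched, off_brand = [], set()
    for href, text in p.links:
        host = registrable(urlparse(href).hostname)  # look at where the link really goes
        if host != trusted_domain:
            off_brand.add(host)
            if brand in text.lower():                # text claims the brand, host says otherwise
                mismatched.append((text.strip(), host))
    return {"brand_mismatch": mismatched, "off_brand_hosts": sorted(off_brand),
            "remote_images": p.remote_images}
```

The genuine help-center link passes, while the "View transaction" link is flagged because its host is a look-alike that merely begins with the brand's name.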