“Social Engineering” a.k.a. Phishing

By: Sonny Zulhuda

Yay! I opened my Inbox this morning and found that I had just won another LOTTERY I never entered! Feeling lucky, aren’t you? This is what I just received:

We are pleased to inform you of your Email Success in our Computer Balloting made today for winners from the AUSTRALIAN LOTTERY EMAIL AWARD, as part of our Promotional Draws held this month.

This is a Scientific Computer Game in which your Email Address was used. It is a Promotional Program by AUSTRALIAN LOTTERY EMAIL AWARD.It is a Promotional Program that chooses emails world wide to encourage Internet users; therefore you do not require buying Ticket to enter for it. This is an Email Internet Program were winners are randomly selected from all over the world through Computer Draw System and extracted from over 800,000 Email Addresses from Unions, Association and Corporate Bodies listed online.

Below are your Winning Details:
Reference No: 575061725
Batch No: 056490902/188
Ticket No: 07-42-97-66-11-00
Winning Number No: ILP/HW46704/08

Wow. You don’t think I would rush to check the accuracy or genuineness of this award, do you? Of course not, for one simple reason: this kind of message does not deserve even curiosity, let alone excitement. This is obviously a phishing message, and phishing is a gateway to identity theft.

Just check out what the message has to say further:

To claim your winning prize, you are to fill and send the form above to your regional claims agent via:

C/O: Mr.Philips Mckiff.
E-mail: mrkif96@live.com


[1] FULL NAMES………………….
[2] ADDRESS…………………….
[4] SEX………………………..
[5] DATE OF BIRTH……………….
[6] NATIONALITY…………………
[8] OCCUPATION………………….
[9] MOBILE PHONE #………………
[10] WINNING NUMBER……………..

Please, remember to quote your Reference and Batch Numbers provided above in every one of your correspondences with our claims department.

You’re right, Identity swipers!

I remember writing this before: identity theft is more felt than understood. One day your Inbox is visited by a stranger who claims to be the heir of a dead billionaire from a country you never knew existed, looking for business partners abroad. On another day you cannot believe your eyes when reading an e-mail purportedly informing you that you have just won five million dollars in a lottery. Meanwhile you receive, at the same time, an e-mail from “your bank” asking you to update your e-banking details by visiting a website linked from that e-mail.

This is, simply put, an identity theft in the making. They are everywhere, preying on you and exploiting any slight chance that you might buy their stories. My short advice is, of course, to ignore them: once you engage, they keep alluring you until you surrender the valuable data they want, through the various techniques of social engineering.

Identity theft is indeed among the biggest security threats cited by international computer security companies such as Sophos. Symantec also revealed that during the second half of 2007 there was a total of 207,547 unique phishing messages, an average of 1,134 phishing messages per day. That is 47 messages per hour, or 1 message every 75 seconds!

But while it is easy to give this advice, in practice people still get caught by these lures. Stories about people losing their savings, having their credit cards used for transactions they never made, or having their data used to forge documents are already running headlines in many parts of the world. One professor from the University of Malaya was quoted as finding that at least 0.005% of targets get hooked by these phishers. The attacks range from e-mail phishing to web defacement, and from abuse of social networking to computer hacking.

The method used to lure people is called “social engineering”. The writer (yes, the swiper or stealer) creates an emotional sense of urgency, emergency, curiosity, sympathy, or even excitement on the reader’s side. Under the influence of these emotions, the reader is easily swayed and led into the deception. The phishers then attempt to fraudulently obtain legitimate users’ confidential or sensitive credentials by mimicking, in an automated fashion, electronic communications from a trustworthy or public organization.

From my observation (at least of what lands in my Inbox), the following are among the most popular social engineering hooks used by identity phishers:

  • Winning a prize, lottery, gift, year-end bonus, etc.;
  • Business opportunities, investment, joint capital venture;
  • Romantic engagement, date, social relationship;
  • Security alert, password change, non-active online account;
  • Administrative works, database upgrading, status update;
  • Emergency nature, lost and found, criminal victims;
  • Personal problems, health, sex drugs, etc.
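To make the hooks above and the claim form quoted earlier concrete, here is an added example (my own illustration, not the post author’s code) of a simple heuristic that scores an e-mail body on the lure themes listed in this post, on a “[n] FIELD NAME……” form that asks for personal data, on a free-webmail “claims agent” address, and on urgency wording. The keyword lists, weights and the sample message are constructed for the demonstration.

```python
import re

# Lure themes mirror the post's list of social-engineering hooks; keyword
# lists and weights are constructed approximations for illustration only.
LURE_KEYWORDS = {
    "prize": ("lottery", "winning", "prize", "award", "bonus", "draw"),
    "business": ("investment", "business partner", "joint venture"),
    "romance": ("romantic", "date with", "relationship"),
    "security_alert": ("password", "security alert", "non-active", "suspended"),
    "admin": ("database upgrad", "status update", "update your"),
    "emergency": ("urgent", "emergency", "victim", "lost and found"),
    "personal": ("medication", "pills", "health"),
}
# Data a genuine prize notice has no reason to collect by return e-mail.
SENSITIVE_FIELDS = ("full name", "date of birth", "sex", "nationality",
                    "mobile phone", "passport", "bank", "account")
URGENCY_WORDS = ("immediately", "within 48 hours", "urgent", "today")
# "[n] FIELD NAME......" lines like the claim form quoted in the post.
FORM_LINE = re.compile(r"^\s*\[\d+\]\s*([A-Za-z #/]+?)\s*[.…]{3,}", re.M)
# A "claims agent" reachable only through a free webmail address.
FREEMAIL = re.compile(r"\b[\w.+-]+@(?:live|hotmail|gmail|yahoo)\.com\b", re.I)

def lure_themes(body):
    text = body.lower()
    return sorted(t for t, words in LURE_KEYWORDS.items()
                  if any(w in text for w in words))

def form_fields(body):
    return [m.group(1).strip().lower() for m in FORM_LINE.finditer(body)]

def assess(body):
    themes = lure_themes(body)
    sensitive = [f for f in form_fields(body) if any(s in f for s in SENSITIVE_FIELDS)]
    freemail = FREEMAIL.search(body) is not None
    urgent = any(w in body.lower() for w in URGENCY_WORDS)
    score = ((1 if themes else 0) + (2 if sensitive else 0)
             + (1 if freemail else 0) + (1 if urgent else 0))
    return {"themes": themes, "sensitive_fields": sensitive,
            "freemail_contact": freemail, "urgency": urgent, "score": score,
            "verdict": "likely phishing" if score >= 3 else "no strong indicators"}

# Constructed sample modelled on the lottery message quoted in the post;
# the contact address is a placeholder, not a real mailbox.
SAMPLE = """Computer Balloting made today for winners from the AUSTRALIAN LOTTERY EMAIL AWARD.
To claim your winning prize, send the form to your regional claims agent via:
E-mail: agent-placeholder@live.com
[1] FULL NAMES......................
[5] DATE OF BIRTH...................
[9] MOBILE PHONE #..................
"""
```

Running `assess(SAMPLE)` flags the prize theme, the three personal-data fields, the webmail contact and the urgency wording; a mail-filter rule could act on the returned score or on the individual indicators.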

What can I say now? It’s all a cheat. Full stop.


  1. Thanks Sonny for presenting the scenario of “Social Engineering” i.e. “Identity Theft” in a nicely drafted format. I also receive such provoking mails to participate immediately, without judging the dangerous consequences behind them. This urged me to research a security service in order to secure my personal account details completely. While doing this research, I came across one such security service provider, TeleSign INC, which offers powerful tools such as Telephone Verification, Two-Factor Authentication, and PhoneID authentication. I would suggest visiting http://www.telesign.com/products-demos/ to get an overview of their services. I am sure TeleSign INC won’t let your trust be shattered and will again prove themselves a global leader in phone-based authentication and verification services, with coverage in more than 200 countries and 50 languages.
