What is Socially Engineered Malware? Precautions to take.

This post takes a look at the definition & examples of Socially Engineered Malware or SEM and the tactics employed by fraudsters to push malware. It also lists some basic precautions web surfers should take.

Socially Engineered Malware

Social Engineering

Socially engineered malware falls under social engineering. The term social engineering refers to setting traps for regular Internet users so that they come to trust the hackers and hand over the information the hackers want. In short, it is an act of psychological manipulation. It has caught on among malware pushers, and its use to distribute malware to consumers and enterprises has been growing steadily.

Social engineering started as a tool to get the inside information of business houses and went on to become the most (mis)used tool on the Internet. These days, hackers (social engineers, as they are called) use different methods to gain the trust of the normal users. Once they gain the trust, they can get the user to do exactly what they want and thus get the information they need.


Socially engineered malware – Meaning & Definition

Socially engineered malware works on the same foundation. Social engineers will send you links, attachments or just an image (as happened with ObamaCare). If you click on the links or images, or download the email attachments, you will download malware to your computer. This malware will then collect your information and send it to a pre-configured IP address.

In today’s context, one can also refer to it as phishing, but phishing is a bit different in that it does not put much emphasis on making sure the users click the bait. It is more like throwing bait into the open and hoping that someone will take it. SEM is more focused.

The social engineers craft an email so that you trust it enough to click the link in it or download its attachment. It is always better to use an email client and set its security to maximum. That way, not only do you stop getting junk, but most social engineering attempts will also go to the junk folders of the email client. When you set the security to maximum, there is a good chance that an expected email will also be classified as junk, so you need to keep checking your junk or spam folders regularly.


Precautions to take to protect yourself from socially engineered attacks

Use a good email service provider & an email client

As mentioned, using an email client is a good defense against social engineering, as it transfers phishing attempts to junk or spam folders.

Use a good secure web browser

A good browser will simply not open bad links. Internet Explorer blocks 99% of malware. The SmartScreen Filter in Internet Explorer continues to offer industry-leading protection against socially engineered malware. The SmartScreen Filter in Internet Explorer will also stop drive-by downloads. Chrome is also pretty effective.

Use good security software

Security software that has good spam protection can be of great help in blocking spam mail as well as preventing malicious web pages from opening.

Be Alert

Education against social engineering is important. If a user knows about social engineering and phishing attempts, he or she will not fall prey to them. If not, even the best defense would fail.

For example, if you get an email from a certain company, you should look at the sender’s email ID first, before clicking anywhere in the mail body. Never download or click on attachments until you have made sure it is a legitimate email.

Never click on offered links to update your personal, financial or login information. It is better to enter the URL manually and then log in. You will often receive emails that claim to be from PayPal but are sent from lookalike email IDs. You will know when you look at the email ID. The domain should be paypal.com and not something like abc@paypal.something.com. In the latter case, the email domain is not PayPal but something.com.
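
The sender-domain check described above, written out as an added Python example (it is not part of the original post). The function names and the sample headers are constructed for illustration; the check reads the domain from right to left, so a company name used as a subdomain of another domain, or placed only in the display name, is flagged.

```python
from email.utils import parseaddr


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header, or ''."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str, expected_domain: str) -> str:
    """Compare the sender's domain with the domain the company really uses.

    Returns 'match', 'lookalike' (company name shown, wrong domain),
    'mismatch' or 'unparseable'.
    """
    expected = expected_domain.lower()
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Ownership is decided by the rightmost labels: mail.paypal.com belongs
    # to paypal.com, but paypal.something.com belongs to something.com.
    if domain == expected or domain.endswith("." + expected):
        return "match"
    brand = expected.split(".")[0]
    display, _addr = parseaddr(from_header)
    if brand in domain or brand in display.lower():
        return "lookalike"
    return "mismatch"


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    "PayPal <service@paypal.com>",
    "abc@paypal.something.com",
    '"service@paypal.com" <abc@something.com>',
    "billing@notpaypal.com",
]

if __name__ == "__main__":
    # A 'match' is necessary, not sufficient: the From header can be forged.
    for header in SAMPLES:
        print(f"{classify_sender(header, 'paypal.com'):<11} {header}")
```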

You simply need to be on your guard when an email from an unknown source arrives.


Social engineering attempts also come disguised as offers. But use the above-mentioned method – never ever use a URL to update or provide your information. Launch the browser and then enter the URL via a bookmark or manual typing.

In some cases, people compromise your friends’ email IDs and use them to send you socially engineered emails (email spoofing). By ‘socially engineered email’, we mean emails crafted to appeal to you. They may not contain links, but they will ask directly for your bank information so that the sender can get some help. For example, if you get an email from your friend saying he or she is stranded somewhere and needs some money, it is always better to give them a call rather than replying to such emails and falling prey.

This post does not define socially engineered malware in a comprehensive way, as there are several other methods being used by criminals. The methods keep on evolving. I have just tried to touch upon the subject.

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP.

One Comment

  1. Dan

    I agree that IE11 and Chrome are pretty good insofar as phishing protection; and if you use GMail, even if an email has all the sender identification of a real company but there’s a Google banner at top warning they haven’t been able to verify it came from that sender so “be careful!”, go ahead and delete it no matter how captivating it might sound.

    A couple of months ago I started getting unsolicited inquiries about my availability from what for all possible purposes appeared to be a well-regarded USA east coast tech recruiting firm; they kept sending but each one had a Google “be careful!” warning; they never wanted more personal info than they claimed they got from online resume postings they’d found, instead just wanting to know if you’re interested and is pay adequate; they said they’d attempt to arrange an interview with their local client, but then you’d not hear for a week or two; in that time, I’d start to get calls (from people with same foreign accent as the “recruiters”) alleging to be everything from the IRS with warrants to Wells Fargo bank, callers saying they’d tracked me via my contacts with the “recruiters”; I’d offer to patch them through to my regional IRS/FBI or attorney, and I guess their connections dropped. Around the holidays, I got some more emails asking if my “candidature” was still available; intrigued by this new business English from a USA tech firm, I said I’d like to discuss further but would need to fly at my own expense to their east coast offices, could they please give me a name and suite number as well as appointment; since then not a peep back. Another thing…they never mentioned their client’s identity.

    Again, IE 11 and Chrome are pretty good browser defense to phishing as you surf, and GMail is pretty fair defense to modern con artists getting very slick at sifting social media for artful email schemes with more aggressive phishers. Cheers!
