Countering Social Engineering, Phishing, and Scams

Comprehensive guide to identifying and neutralizing social engineering attacks, phishing campaigns, and digital scams, with specific focus on threats prevalent in Iran.

Reading time: 15 minutes


Social engineering is the art of manipulating people into giving up confidential information or performing actions that compromise their own security. Unlike technical attacks, which exploit software vulnerabilities, social engineering exploits the "human element." For Iranian users, this threat is amplified by state-sponsored surveillance campaigns, economic instability, and the widespread reliance on circumvention tools (VPNs), which attackers can impersonate.

This guide covers common tactics, specific scams targeting Iranian citizens, and practical defense strategies.


1. Understanding Social Engineering

Attackers use psychological manipulation—fear, urgency, curiosity, or helpfulness—to trick you.

Common Tactics

  • Phishing: Sending fraudulent emails or messages (SMS/Smishing, or phone calls/Vishing) that appear to come from a reputable source (e.g., banks, government, the Judiciary) to steal sensitive data.
  • Pretexting: Creating a fabricated scenario (a "pretext"), such as posing as a bank fraud officer "confirming a suspicious transaction," to obtain information.
  • Baiting: Offering something enticing (a free VPN, a leaked file, a prize) to extract information or infect a device.
  • Quid Pro Quo: Offering a service in exchange for information. Example: "I can fix your computer/internet if you give me your password."

2. High-Risk Scams in the Iranian Context

Iranian users face unique threats due to local platforms, economic conditions, and state surveillance.

A. Judiciary and Government SMS Scams (the "Sana" Notification System, also transliterated "Thana")

One of the most widespread phishing campaigns in Iran involves fake SMS notifications.

  • The Hook: You receive an SMS claiming a legal complaint has been filed against you, a warrant has been issued, or you need to view a court summons on the "Sana" electronic notification system.
  • The Trap: The SMS contains a link to a fake website mimicking the official Judiciary (ADLIRAN) portal.
  • The Attack: The site asks for your National ID and mobile number, then requests a small payment (e.g., 20,000 Tomans) to view the "complaint." The payment page is a fake bank gateway.
  • The Damage: Entering your card details (card number, expiry, CVV2 and the second password/OTP) on the fake gateway hands them to the attacker, who can then empty the account. Often, the site also prompts you to download an app (malware) to "view the file," which then steals your contacts and SMS messages to spread the scam further and to intercept your bank OTPs.
  • Defense:
    • Official notifications come from alphanumeric sender IDs or short codes (e.g., ADLIRAN or Police), not personal mobile numbers (09xxxxxxxxx). A personal number is a red flag on its own.
    • Never click links in SMS for legal matters. Type the official portal address (adliran.ir) manually and check the status there.
    • A request for any payment before you can "view" a notice is itself the tell; the fee is the scam.

B. Subsidy (Yaraneh) and "Sejam" Scams

Scammers exploit economic anxiety by sending messages about cash subsidies (Yaraneh) or Justice Shares (Saham-e Edalat).

  • The Scam: "Your subsidy has been disconnected. Register here to restore it" or "Collect your Justice Share dividend here."
  • The Trap: Links lead to phishing pages designed to steal banking credentials or install spyware.
  • Defense: As with the judiciary scam, ignore the link. Subsidy and Justice Share status is not restored or paid out through a link in an SMS; check it only through the official portal or app you already use.

C. Fake VPNs and Circumvention Tools

Because Iranian users rely on VPNs to access the internet, attackers (including state-sponsored groups) distribute malware-laced VPN apps, for example trojanized copies of "20Speed VPN" or clones of Psiphon.

  • Risk: These apps may really bypass censorship, which is what keeps you using them, while they also log your keystrokes, steal files, read your messages, or take screenshots.
  • Defense: Only download VPNs from the developer's official website, the project's own GitHub releases page (not a random fork), or Google Play/App Store, or obtain them via trusted distribution channels (e.g., getting bridges from the project's official bots). Check that the publisher name matches the real developer. Avoid "cracked" or "modded" VPNs sent in Telegram channels or forwarded as APK files.

D. SIM Swapping (MCI, Irancell, Rightel)

Attackers trick mobile carrier support (or a dealer, using forged identity documents) into transferring your phone number to a new SIM card they control.

  • Consequences: They receive your SMS 2FA codes and login codes, allowing them to take over your Telegram, Instagram, and bank accounts. Your own phone loses signal, which is often the first sign.
  • Defense:
    • Set a PIN: Contact your carrier to set a PIN/password on your account that is required for any SIM change.
    • Use App-Based 2FA: Switch from SMS 2FA to an authenticator app such as Google Authenticator (or Raaz, if it is secure and works offline) wherever possible.
    • Telegram is a special case: its login code always arrives by SMS or in an existing session, so enable Two-Step Verification (a cloud password) in Settings > Privacy and Security. Without it, whoever controls your number controls your account.

3. Platform-Specific Scams

WhatsApp & Telegram

  • "Mom/Dad, I lost my phone": Scammers pose as a child using a "borrowed" phone, claiming an emergency and asking for money. Verify by calling the old number or asking a personal question.
  • Verification Code Hijacking: "I sent a code to your phone by mistake, please send it back." Never share the 6-digit verification code with anyone.
  • Fake "Saved Messages" Bots: Telegram bots that promise to "save" your files but actually harvest your data.

Signal

  • Fake Support: You may receive messages from accounts claiming to be "Signal Support" asking for your PIN or verification code. Signal will never ask for these via message, and anyone holding them can register your number on their own device.

Google Calendar Spam

  • The Scam: Spammers send calendar invites that automatically populate your schedule with events containing phishing links (e.g., "You won an iPhone").
  • Defense: Go to Google Calendar Settings > Event Settings > "Automatically add invitations" > Select "No, only show invitations to which I have responded."

Online Shopping

  • Fake E-namad: Fraudulent sites may display a fake "E-namad" (electronic trust symbol) image. Click the symbol and check the address bar: the page that opens must be on the official enamad.ir domain (a lookalike domain is a fake), and the shop domain listed there must match the site you are on.
  • Price Gouging/Fake Goods: Be wary of prices that are significantly lower than the market rate, especially on Instagram shops or unknown websites.

4. AI-Enhanced Scams

Artificial Intelligence is making scams harder to detect.

  • Deepfake Voice/Video: Attackers can clone the voice of a family member from a short audio clip (often taken from social media) to call you in distress, begging for money.
  • Defense: Establish a Family Safe Word. If a family member calls in an emergency asking for money, ask for the safe word.
  • AI Chatbots: Romance scammers and fake support agents now use AI to write fluent, convincing messages in Persian or English, avoiding the grammatical errors that used to be red flags.

5. Detection and Prevention Checklist

How to Spot a Scam

  1. Check the URL: Look for misspellings and lookalikes (e.g., adliran-gov.com instead of adliran.ir), for the real domain hidden behind an "@" or in a subdomain (adliran.ir.example.com), and for "xn--" (punycode) hosts that imitate a name with look-alike characters. Use tools like URLCheck or VirusTotal to scan links before clicking, keeping in mind that VirusTotal submits the link to a third party, so do not paste URLs that contain personal tokens or passwords.
  2. Verify the Sender: If you get an email/SMS from a service, open the official app or website directly instead of clicking the link.
  3. Analyze the Urgency: Scammers want you to act fast ("Your account will be deleted in 1 hour"). Pause and think.
  4. Inspect Files: Be wary of double extensions (e.g., invoice.pdf.exe) and of unexpected APK attachments in chats. Enable "Show file extensions" in your OS settings so the real extension is visible; a right-to-left override character can also make "invoice‮fdp.exe" display as a PDF.
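The checks in points 1 and 4 above can be scripted. The script below is an added example written for this guide, not a tool from the page: it pulls links out of a suspicious message, flags lookalike and punycode domains against a short allow-list, and inspects attachment names for double extensions and the right-to-left override trick. The allow-list, the executable-extension list and the sample SMS are constructed for illustration, and the domain extraction assumes a simple two-label suffix (it does not consult a public-suffix list).

```python
"""Offline triage of links and attachment names from a suspicious SMS or chat."""
import re
from urllib.parse import urlsplit

# Assumption: the reader keeps a short allow-list of portals they actually use.
TRUSTED_DOMAINS = {"adliran.ir", "enamad.ir"}  # constructed list
# File types that execute when opened on Windows or Android (constructed list).
EXEC_EXTS = {"exe", "scr", "bat", "cmd", "msi", "apk", "js", "vbs", "hta", "lnk"}
RTLO = "\u202e"  # right-to-left override; reverses how the name is displayed
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """'sana.adliran.ir' -> 'adliran.ir'. Assumes a two-label suffix only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return the red flags found in a link; an empty list means none were found."""
    flags = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("not https")
    if "@" in parts.netloc:
        flags.append("user-info before host (the real host is after the '@')")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("bare IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host (possible homoglyph attack)")
    reg = registered_domain(host)
    if reg not in trusted:
        flags.append(f"domain '{reg}' is not on the trusted list")
        # Lookalike: the trusted name appears somewhere, but the registered domain differs.
        for t in trusted:
            name = t.split(".")[0]
            if name in host:
                flags.append(f"lookalike: contains '{name}' but is not {t}")
                break
    return flags


def check_filename(name: str) -> list[str]:
    """Flag attachment names that hide an executable behind a harmless-looking type."""
    flags = []
    if RTLO in name:
        flags.append("right-to-left override character hides the true extension")
        name = name.replace(RTLO, "")  # the OS still uses the real trailing extension
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS:
        flags.append(f"double extension: looks like .{parts[-2]} but runs as .{parts[-1]}")
    elif parts[-1] in EXEC_EXTS:
        flags.append(f"executable attachment (.{parts[-1]})")
    return flags


def triage_message(text: str) -> dict[str, list[str]]:
    """Extract every link in a message and map it to its red flags."""
    return {u: check_url(u) for u in URL_RE.findall(text)}


# Constructed sample resembling the judiciary SMS scam described in this guide.
SAMPLE_SMS = ("A complaint has been filed against you. View it at "
              "http://adliran-gov.com/sana?id=1 before it is finalized.")

if __name__ == "__main__":
    for url, flags in triage_message(SAMPLE_SMS).items():
        print(url, "->", flags or ["no obvious red flags"])
    for fname in ("invoice.pdf.exe", "invoice" + RTLO + "fdp.exe", "photo.jpg"):
        print(repr(fname), "->", check_filename(fname) or ["no obvious red flags"])
```

The allow-list approach is deliberate: rather than trying to enumerate bad domains, the script treats anything that is not a portal you already use as suspect, and only then asks whether it is imitating one. Run it on the text of a message before touching any link in it.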

Hardening Your Defenses

  • Enable Two-Factor Authentication (2FA): Use an authenticator app (Google Authenticator, Authy, etc.) or a hardware key (YubiKey). Avoid SMS 2FA where the service offers anything else, since SMS is exactly what a SIM swap captures.
  • Privacy Settings: Lock down your social media. If your voice and video are public, they can be used to train AI for deepfakes.
  • Browser Security: Install uBlock Origin to block malicious ads and pop-ups.
  • Device Hygiene: Keep your OS and apps updated. Restart your phone weekly to disrupt non-persistent malware.

6. Incident Response: What if you clicked?

  1. Disconnect: Turn off Wi-Fi and mobile data immediately to stop ongoing data theft and to cut off any installed malware from its operator.
  2. Change Credentials: From a different, clean device, change your passwords for critical accounts (email first, then banking and social media), since email is where password resets for the others arrive.
  3. Revoke Sessions: Go to the security settings of your apps (Telegram: Settings > Devices; WhatsApp: Linked Devices; Google: Security > Your devices) and log out or terminate all other sessions.
  4. Scan for Malware: Run a scan with a reputable antivirus. On mobile, review installed apps for anything you did not install, especially apps holding Device Administrator or Accessibility permissions, and remove them; if an unknown app was installed from the phishing site, a factory reset is the reliable cleanup.
  5. Contact Banks: If you entered card details, block the card immediately through your bank's app or phone line, and change the internet banking and second (dynamic) password as well.

Related pages

  • [[Malware_and_Social_Engineering_Fundamentals]]
  • [[Mobile_Security_Spyware_and_Advanced_Protections]]
  • [[Identity_and_Access_Management]]