Social engineering is the catch-all cybersecurity term for manipulating you into doing something that serves the interests of the social engineer, who is often a criminal.
Skilled social engineering can make you feel you urgently need to send someone money, or lull you into a false sense of security by convincing you that a friend, colleague or professional is asking a simple question.
Some common tactics are: "What's your account password, so I can check your account for fraud?" or "Can you send your latest tax return so we can finish processing your application?" Social engineers essentially find an emotional hook -- your desire to help, your reluctance to create friction or, in this case, the desire of most journalists to be the first to jump on a good story.
The attackers in this case were quite sophisticated. They created a web and email presence almost indistinguishable from the real thing.
The website created by the spoofers is quite detailed. The only "tell" is a URL that points to blackrockesg.com, a lookalike domain that contains the real brand name, rather than the real BlackRock web address -- blackrock.com. Every other link on the spoofed website, including references to Fink's past investor letters, leads back to the real BlackRock website, which is exactly what makes the lookalike hard to spot.
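The tell described above, a page whose own address is a lookalike domain while every outbound link points at the genuine site, is the kind of thing a small script can surface faster than a human reader. The following is an added example, not code from the article or from BlackRock: it parses the links out of a page, resolves relative ones against the page's own URL, and flags any host whose registrable domain is not the expected one. The HTML, the page URL and the path names are constructed for illustration; blackrockesg.com and blackrock.com are the two domains the article names. It also shows why a naive "does the host contain the brand name" check is not a check at all.

```python
"""Flag lookalike hosts in a page's links.

Added example (not from the original article). The HTML below is
constructed; only the two domain names come from the article.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlparse

EXPECTED_DOMAIN = "blackrock.com"


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a host, e.g. 'www.blackrock.com' -> 'blackrock.com'.

    Simplification (an assumption of this example): a real implementation
    would consult the Public Suffix List so that 'example.co.uk' is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_expected_domain(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only when the URL's registrable domain is exactly the expected one."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == expected


def naive_brand_check(url: str, brand: str = "blackrock") -> bool:
    """The wrong way: substring matching accepts 'blackrockesg.com' as BlackRock."""
    host = urlparse(url).hostname or ""
    return brand in host.lower()


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def off_domain_links(html: str, page_url: str, expected: str = EXPECTED_DOMAIN) -> List[str]:
    """Return absolute URLs in the page whose registrable domain differs from `expected`.

    Relative links are resolved against `page_url`, so a spoofed page's own
    navigation shows up under the spoofed host rather than being ignored.
    """
    collector = LinkCollector()
    collector.feed(html)
    resolved = [urljoin(page_url, href) for href in collector.links]
    return [u for u in resolved if not is_expected_domain(u, expected)]


# Constructed sample: a spoofed page served from the lookalike domain whose
# links (except its own navigation) point at the real site, as the article describes.
SPOOF_PAGE_URL = "https://www.blackrockesg.com/letter"  # hypothetical path
SPOOF_PAGE = """
<html><body>
  <a href="https://www.blackrock.com/corporate/investor-relations/larry-fink-ceo-letter">2018 letter</a>
  <a href="https://www.blackrock.com/corporate/about-us">About BlackRock</a>
  <a href="/press-release">Press release</a>
</body></html>
"""

if __name__ == "__main__":
    for url in off_domain_links(SPOOF_PAGE, SPOOF_PAGE_URL):
        print("off-domain link:", url)
    print("naive check accepts spoof host:", naive_brand_check(SPOOF_PAGE_URL))
```

The point of `off_domain_links` is that the real links are a distraction: the one host that matters is the page's own, and resolving relative links against it is what drags it into view. Exact comparison of the registrable domain is the check; `naive_brand_check` is included only to show that substring matching on the brand name waves the lookalike straight through.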
The original email purporting to be from Fink was long, detailed and included the corporate-speak so common in real investor letters. The spoofers also anticipated a quick denial, and already had a fake press release prepared that itself took subtle digs at the hedge fund, implying it wouldn't take the suggested pro-environmental stance because it wasn't good for "profitability."
"With climatic threats positioned to destabilize markets at ever greater levels in 2019 and beyond, BlackRock is determined to take a leadership role in building a Paris-compliant economy," the fake letter read. "We will begin this work by divesting from coal companies in our actively managed funds. Within 5 years, more than 90% of our 1000+ investment products will be converted to screen out non-Paris compliant companies such as coal, oil, and gas, which we see as declining and endangered."
It was not immediately clear who was hosting the spoofed website, and BlackRock could not be reached for comment on whether they were working to have the site removed.