Cyber security is not just about computer systems and networks. The users of these technologies are at least as important: people, with all their strengths and weaknesses. In social engineering, the perpetrator exploits the "human factor", supposedly the weakest link in the security chain, to achieve their criminal aims. Technical security gaps represent only part of the risk when using the Internet. Where cybercriminals cannot make progress against up-to-date software and systems, firewalls, and virus scanners, they try other ways to persuade users to install malware or hand over sensitive data. Much like doorstep scammers, cybercriminals on the Internet pretend to have a personal relationship with the victim or promise prizes. Many other variants of this approach, known as social engineering, are conceivable and in use. In some cases, the perpetrator makes indirect contact through friends of the actual victim.
What Is Social Engineering?
In social engineering, human characteristics such as helpfulness, trust, fear, or respect for authority are exploited to manipulate people skillfully. In this way, cybercriminals trick the victim into disclosing confidential information, overriding security functions, making transfers, or installing malware on a remote device or on a computer in the company network. Social engineering is nothing new and has served as the basis for countless scams for as long as anyone can remember. In the age of digital communication, however, criminals have highly effective new ways to reach millions of potential victims.
How Do We Recognize Social Engineering?
The central feature of social engineering attacks is deception about the perpetrator's identity and intent. For example, they pretend to be technicians or employees of a company such as PayPal, Facebook, or a telecommunications provider in order to trick the victim into divulging login or account information or visiting a prepared website. A classic example is posing as a system administrator who calls an employee and allegedly needs the user's password to fix a system error or security issue. Another current example is phishing emails that exploit the changeover to the General Data Protection Regulation in May 2018 to trick victims into clicking on bogus confirmation links. These examples are also typical in that the perpetrators claim to be increasing the security of a system or service. A victim who falls for the deception acts in good faith, believing they are doing the right thing.
This serves the perpetrator's real motive: stealing access data or injecting malware that, in the worst case, can serve as a gateway for an attacker to penetrate an otherwise well-protected company network. Communication via digital channels such as email offers a favorable environment for social engineering. While the perpetrator has to deceive a counterpart who can use all their senses in a face-to-face conversation, the task is much easier in technically mediated communication. In addition, private and professional social networks give the perpetrator a simple way to collect, and if necessary link, a large amount of background information about people or about the employees of a company before the attack. This information can be used to target attacks more precisely. It also makes it easier for the perpetrator to build a trusting relationship with the victim, for example by referring to hobbies, friends, or colleagues, and then to tempt them more easily into improper actions.
The Most Well-Known Form Of Social Engineering: Phishing
Fishing for passwords. Emails, which often look very genuine, are intended to get people to click on a link and enter passwords or login information on the target page; that page is also fake, so the credentials can be intercepted by the attacker. In addition to the mass sending of phishing emails, a more targeted variant of this method, spear phishing, is increasingly observed. Here the emails are specially tailored to small groups, individuals, or particular employees after prior research, which significantly increases the potential "hit rate." Finally, in CEO fraud, the perpetrators pose as decision-makers or as people authorized to carry out payment transactions and manipulate company employees into arranging large transfers, allegedly on behalf of top management.
How Can You Protect Yourself Against Social Engineering?
In social engineering, perpetrators exploit deep-seated human dispositions and needs to achieve their criminal goals, such as the desire to help others quickly and without red tape. This makes it difficult to protect against this form of attack reliably. To reduce the risk of social engineering scams, the following basic rules should in any case be observed:
- Use social networks responsibly. Be careful what personal information you disclose there, as criminals can use it to attempt deception.
- Do not disclose confidential information about your employer and work on personal and professional social networks.
- Never share passwords, login credentials, or account information over the phone or email. Banks and reputable companies never ask customers for confidential information by email or telephone.
- Be particularly careful with emails from unknown senders. If there is even the slightest suspicion that an attack may be involved, it is better not to react at all when in doubt. If it is a false alarm, a genuine sender can still reach you through another channel. Take your time for the 3-second security check.
- If a reaction is necessary, make sure the email is legitimate by calling the sender, using a contact channel you already know to be genuine.