Social Engineering - the "Human Factor"
Cyber security isn't just about computer systems and networks. The people who use these technologies are equally important: humans, with all their strengths and weaknesses. In social engineering, the attacker exploits the "human factor", often described as the weakest link in the security chain, for criminal purposes.
Technical vulnerabilities are only a fraction of the risks of using the Internet. When cyber criminals are stopped by up-to-date software and operating systems, firewalls and anti-virus scanners, they target the users instead and try to persuade them to install malware or hand over sensitive data.
Much like con artists who ring the doorbell, cyber criminals on the Internet pretend to have a personal connection to their victims or promise them prizes or benefits. There are many more variants of this tactic, which is known as social engineering. Sometimes contact is made indirectly, through the actual victim's friends.
What is social engineering?
Social engineering exploits human traits such as helpfulness, trust, fear or respect for authority to manipulate people in a very deliberate way. In this way cyber criminals persuade their victims to disclose confidential information, bypass security controls, transfer money or install malware on their personal devices or on a computer connected to a company network.
Social engineering is nothing new: it has been the basis of a wide range of scams for as long as there have been people. In the era of digital communication, however, criminals have new and extremely effective ways of reaching millions of potential victims.
How can I recognise social engineering?
The core characteristic of a social engineering attack is deception about the perpetrator's identity and intent. For example, the criminal may pose as a technician or employee of a company such as PayPal, Facebook or a telecommunications provider in order to persuade the victim to disclose login or account data or to visit a prepared website.
The classic example is the supposed system administrator who calls an employee because the user's password is supposedly needed to resolve a system error or security problem. Another common example is the phishing e-mail that misuses the EU General Data Protection Regulation, which took effect in May 2018, to persuade victims to click a link in order to "give their consent".
These examples are typical in that the perpetrator gives the victim the impression of improving the security of a system or service. Victims who believe this feel they have acted in good faith or done the right thing. Unfortunately, this plays right into the hands of the perpetrator, who wants to steal access data or infect the victim's system or software with malware. In the worst case, the malware allows the criminals to penetrate an otherwise well-protected company network.
Digital communication channels such as e-mail are especially attractive for social engineering. In a face-to-face situation, a con artist has to convince the victim through all five senses; in digital communication the deception is much easier. In addition, private and professional social networks give con artists an easy way to gather and link a wide variety of background information about individuals or about the employees of a company.
This information can be used to carry out more targeted attacks. It makes it easier to gain the trust of victims by building a relationship with them: a con artist who can refer to hobbies, friends or colleagues is far more likely to convince victims to do things they are not supposed to do.
Phishing is one of the best-known forms of social engineering; the name is a play on "password fishing". The idea is to use a convincing e-mail to persuade victims to click a link and then enter passwords or other login data on a fake website, where the attackers collect them.
In addition to mass phishing e-mails, a more targeted variant known as spear phishing is becoming increasingly common. Here the e-mails are tailored to a small group of people, to individuals or to specific employees before being sent. This significantly increases the "hit rate".
In CEO fraud, criminals try to manipulate employees who are authorised to take decisions or make payments into transferring large sums of money, supposedly on behalf of senior management.
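The practical check behind the phishing description above is to look at where a link actually points rather than at what the e-mail shows. The following script is an added example (it is not code from the BSI page): it parses a constructed HTML e-mail body, collects every link together with its visible text, and flags links whose visible text names a different site than the real target, links that use plain http, and links that go through a URL shortener. The sample message, the hostnames in it and the short shortener list are assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the BSI page): a GDPR-themed "confirm your
# consent" lure with one disguised link, one genuine-looking link and one shortened link.
SAMPLE_HTML = """
<p>Dear customer, under the GDPR we need you to confirm your consent:</p>
<p><a href="http://paypa1-login.example.net/confirm">https://www.paypal.com/consent</a></p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
<p><a href="https://bit.ly/3abcXYZ">click here</a></p>
"""

# Hypothetical, deliberately short list of shortener domains; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Visible link text that itself looks like a URL or bare hostname, e.g. "https://www.paypal.com/x"
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_of(host):
    """Crude registrable-domain approximation: the last two labels of the hostname.
    Assumption: multi-label public suffixes such as co.uk are not handled here."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def classify_link(href, text):
    """Return the reasons why this link deserves suspicion (empty list = nothing found)."""
    target = urlparse(href)
    findings = []
    if target.scheme == "http":
        findings.append("plain http")
    if LOOKS_LIKE_URL.match(text):
        # The text pretends to be an address: compare it with the real destination.
        shown = urlparse(text if "://" in text else "//" + text)
        if site_of(shown.hostname) != site_of(target.hostname):
            findings.append(
                f"visible text shows {shown.hostname} but link goes to {target.hostname}"
            )
    if site_of(target.hostname) in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    return findings


def check_mail(html):
    """Map each href in the message to its list of findings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: classify_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in check_mail(SAMPLE_HTML).items():
        print(href, "->", findings or ["no finding"])
```

Run against the sample, the disguised link is reported twice (plain http, and visible text naming www.paypal.com while the target is paypa1-login.example.net), the help-centre link produces no finding, and the shortened link is flagged because its real destination is not visible. A mail client shows the same information when you hover over a link; the script simply makes the comparison systematic.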
How can you protect yourself against social engineering?
Criminals use social engineering to exploit deep-seated human needs and wants, for example the wish to help others quickly and without red tape, in order to achieve their goals. This makes it difficult to defend yourself consistently against this type of attack.
To reduce the risk of falling for a social engineering scheme, you should follow the basic rules below:
- Use social networks responsibly. Decide carefully what personal information you want to share, bearing in mind that criminals could collect it and use it to deceive you.
- Do not share confidential information about your employer or your work on private or professional social networks.
- Never disclose passwords, access data or account information over the telephone or by e-mail. Remember that banks and other reputable companies never ask customers to send confidential information by e-mail or over the telephone.
- Take special care with e-mails from people you don't know: if there is even a hint of doubt or reason to suspect that an e-mail could be part of an attack, it is better not to respond at all. If it is a false alarm, the sender will most likely try to contact you through a different channel. Take time for a 3-second security check.
- If an e-mail demands an immediate response, take the time to call the sender to confirm that the e-mail is legitimate, using a telephone number you already know rather than one given in the e-mail itself.
Short URL: https://www.bsi.bund.de/dok/11287460