In our series on identity theft on the Internet, we are now devoting ourselves to social engineering: the attack method in which employees of a company are manipulated into divulging information, clicking on malicious links, or opening infected attachments, because the human factor is often the decisive gateway for many attacks. In today’s post, you will learn how social engineering attacks work, what forms of attack exist, and how you can protect yourself against social engineering attacks.
What Is Social Engineering?
IT security can only ever be as good as the people who use it, as an old saying among security specialists goes. The fact that social engineering attacks succeed again and again shows that employees are one of the most critical factors in IT security. Cybercriminals also know that technical protective measures are getting better in many companies and institutions, and that these technical hurdles are becoming increasingly difficult to overcome. It is easier to take the detour via people.
Social engineering therefore exploits the human component to obtain relevant data. The fraud always follows essentially the same pattern: the criminals use various methods to gain the trust of a particular person, and that person then opens the door to the data treasure, for example login data including passwords. It can look like this: the criminal calls an employee, explains that he is from the IT department, and asks to verify the employee's access data.
The caller claims that, on instructions from the boss, he needs the access data of certain employees. Unfortunately, this appeal to authority often works: the unsuspecting employee believes he is talking to a colleague from the IT department.
Social Engineering: First Collect Information, Then Strike
The fact that almost everyone leaves traces online makes attacks via social engineering easier, because a great deal of information can be gathered this way. The fraudsters collect information about target persons on social networks such as Facebook, where the target person's contacts are also quite often publicly visible.
This is how the fraudster manages to impersonate someone the target trusts, for example by email. The sender address can be disguised by spoofing, so the actual sender does not have to be visible. The email then aims to entice the target into downloading an infected attachment or clicking on a link; behind these sit malware or a phishing page that harvests the login data.
In the first example, an employee gave login data over the phone to a supposed IT employee without being aware of the scope of the data he was passing on. In the second example, the attack was somewhat more technical. Both cases have one thing in common: they would not have succeeded if the respective employees had had security awareness.
Social Engineering In Various Forms
As our examples already show, there are different forms of social engineering attacks. In the following, we will introduce you to the most common forms of social engineering attacks:
Social Engineering As An Email Scam
Proofpoint's "Human Factor 2019" study showed that email is the preferred vector for social engineering attacks. In their emails, the attackers try to get the victim to take a specific action, usually opening a file or clicking on a link. The study distinguishes two patterns:
- Simple baits that are easy to identify as fakes are sent out in bulk. This is classic spam, in which the attackers hope that enough careless or overly curious recipients take the desired action.
- Elaborate baits, on the other hand, are tailored to a tiny target group, sometimes just one person. These counterfeits stick very closely to the original and are difficult to spot.
The tactics that criminals use to get their victims to take action also differ, according to the Proofpoint study:
- Curiosity: With intriguing subject lines such as "New Concept," the criminals play on the victim's natural interest. The "mail from the lawyer" or "mail from the debt collection office" scam works the same way.
- Urgency: The content of such an email creates a sense of urgency. The sender can again pretend to be an IT employee and urge the victim to open the attached file immediately to apply an urgent patch.
- Trust: Attackers copy emails from trusted brands. For example, they can make the email look like it comes from a prominent online shop and ask the recipient to confirm their bank details via a link. The link does not lead to the shop or the bank but to a phishing website that delivers the entered data straight to the fraudster.
To make messages of this kind appear even more authentic, attackers often rely on fake conversation threads: they prefix the subject with "Fwd:" or "RE:" and paste a fabricated earlier exchange below the message, so the mail appears to be part of an ongoing correspondence.
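The spoofed sender addresses and the fake "RE:"/"Fwd:" chains described above leave traces in the message headers. The following script is an added example, not code from the original article: it runs a few header heuristics over two constructed messages (placeholder domains, invented message IDs) and reports what looks wrong.

```python
"""Heuristic checks for spoofed senders and fabricated reply chains.

Added example, not from the original article. Both sample messages are
constructed for illustration and use placeholder domains.
"""
import email
import re
from email.utils import parseaddr


def _domain(header_value: str) -> str:
    """Lower-cased domain of the address in a header value, or '' if there is none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyse_headers(raw_message: str) -> list:
    """Return human-readable warnings for one raw RFC 5322 message (headers + body)."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Envelope sender (Return-Path) on a different domain than the visible
    #    From: header is the classic trace of a spoofed sender address.
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and from_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 2. A Reply-To on another domain silently routes the victim's answer to the
    #    attacker even when From: looks right.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. A display name that is itself an address ("it@corp.example" <x@other>) makes
    #    mail clients that only show the name present the wrong identity.
    if "@" in display_name and _domain(display_name) != from_domain:
        findings.append(f"Display name {display_name!r} shows a different address than {from_addr}")

    # 4. "RE:"/"Fwd:" in the subject without any threading headers points to a
    #    fabricated conversation (the fake chain described in the text).
    subject = msg.get("Subject", "")
    if re.match(r"\s*(re|fwd?)\s*:", subject, re.IGNORECASE) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append(f"Subject {subject!r} claims a thread but carries no In-Reply-To/References")
    return findings


# Constructed sample: a "patch now" lure with a spoofed From and a fake RE: subject.
SPOOFED_MAIL = """\
Return-Path: <bounce@mass-mailer.example>
From: "it-support@corp.example" <helpdesk@corp-support.example>
Reply-To: tickets@reply-collector.example
To: employee@corp.example
Subject: RE: Urgent patch - open the attachment today
Message-ID: <1001@corp-support.example>

Please install the attached patch immediately.
"""

# Constructed sample: an ordinary internal reply with proper threading headers.
LEGITIMATE_MAIL = """\
Return-Path: <anna.example@corp.example>
From: Anna Example <anna.example@corp.example>
To: employee@corp.example
Subject: RE: Meeting notes
In-Reply-To: <900@corp.example>
References: <900@corp.example>
Message-ID: <901@corp.example>

Thanks, see my comments below.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        print(name, analyse_headers(raw) or ["no findings"])
```

These are heuristics, not proof: mailing lists and forwarding services legitimately rewrite Return-Path, and a missing References header can simply be a sloppy mail client. In production, the authoritative signal is the Authentication-Results header written by your own mail gateway after SPF, DKIM and DMARC evaluation; the checks above are useful for triage when that header is absent or when a message passed authentication because the attacker registered a look-alike domain of their own.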
CEO Fraud: Social Engineering Against Managing Directors
CEO fraud is also known as the "boss trick," and the method is becoming more and more popular. Fraudsters who use this social engineering scam first collect information about the CEO of a company: not only social networks are searched, but employees from various departments are also pumped for details.
The fraudsters pose as executives and extract multiple pieces of information from employees. This can be information of a family or financial nature, and login data also changes hands unintentionally in the process. In CEO fraud, the attackers pull out all the stops: they combine what they have gathered themselves with what employees give away. The channels for this can be emails, letters, phone calls, or messenger contacts.
Once the attacker has collected enough information, it can be used in various ways: the CEO could be blackmailed with the threat of publishing the information, or the attackers could set up websites (see the next point, typosquatting) or shops in the CEO's name, spread fake news, and thus damage the company's reputation.
Typosquatting: Brand Theft In The 21st Century
With typosquatting, scammers register domain names that resemble well-known brand names, often differing from the original by a single swapped, missing, or look-alike character. The fraudsters reproduce the original site in deceptively accurate detail and then only have to wait for visitors to enter their credentials into a fake login form. Alternatively, they redirect employees to sites that serve malware.
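Defenders can turn the attacker's trick around and enumerate the look-alike names for their own brand before someone else registers them, then match observed hostnames (from proxy logs, new-domain feeds, or a certificate-transparency stream) against that list. The script below is an added example, not code from the original article; the protected domain corpbank.example and the observed hostnames are constructed placeholders, and the generator covers the common classes (dropped, doubled, transposed and look-alike characters) rather than every trick a real tool such as dnstwist implements.

```python
"""Typosquat candidates for a protected domain, plus a look-alike classifier.

Added example, not from the original article. The protected domain and the
observed hostnames below are constructed placeholders, not real sites.
"""

# Characters commonly swapped because they look alike in many fonts.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "0": ["o"],
    "e": ["3"], "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}


def split_domain(domain: str) -> tuple:
    """'shop.example' -> ('shop', 'example'); the last label is treated as the TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typosquat_variants(domain: str) -> set:
    """Return look-alike registrations an attacker might choose for `domain`."""
    label, tld = split_domain(domain)
    out = set()
    for i in range(len(label)):
        # omission: one character dropped ("corpbank" -> "corpank")
        out.add(label[:i] + label[i + 1:])
        # repetition: one character doubled ("corpbank" -> "corpbbank")
        out.add(label[:i] + label[i] + label[i:])
        # homoglyph: visually similar character swapped in ("corpbank" -> "c0rpbank")
        for glyph in HOMOGLYPHS.get(label[i], []):
            out.add(label[:i] + glyph + label[i + 1:])
        # transposition: adjacent characters swapped ("corpbank" -> "corpabnk")
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)  # a variant identical to the original is not a squat
    return {f"{v}.{tld}" for v in out}


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic dynamic-programming row recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, protected: str) -> str:
    """Explain why `hostname` looks like an impersonation of `protected`, or '' if it does not."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    prot_labels = protected.lower().split(".")
    if labels[-len(prot_labels):] == prot_labels:
        return ""  # the genuine domain or one of its own subdomains
    brand_label, _ = split_domain(protected)
    if host in typosquat_variants(protected):
        return "generated typosquat variant"
    if brand_label in labels[:-2]:
        return "brand used as a subdomain of another domain"
    host_label, _ = split_domain(host)
    if levenshtein(host_label, brand_label) == 1:
        return "one edit away from the brand label"
    if brand_label in host_label:
        return "brand label embedded in a longer name"
    return ""


# Constructed observed hostnames, as they might appear in a proxy log.
OBSERVED = [
    "corpbank.example",                    # genuine
    "login.corpbank.example",              # genuine subdomain
    "c0rpbank.example",                    # homoglyph squat
    "corpbenk.example",                    # one-character substitution not in the generated set
    "corpbank.example.evil-host.example",  # brand as a subdomain of an attacker domain
    "corpbank-login.example",              # brand embedded in a longer name
    "example.org",                         # unrelated
]

if __name__ == "__main__":
    print(f"{len(typosquat_variants('corpbank.example'))} candidate registrations")
    for host in OBSERVED:
        print(f"{host:40} {classify(host, 'corpbank.example') or 'ok'}")
```

The generated set is worth registering defensively or at least watching in certificate-transparency logs, and classify() can be applied to every new hostname your users resolve. Expect false positives from the embedded-name rule (legitimate partners sometimes use a brand in their own hostnames), so treat a hit as a reason to look, not as a block decision on its own.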
Angler Phishing – The Supposed Customer Service
The anglerfish dangles a lure on its head that mimics the prey of its own victims and draws them into its trap. The term "angler phishing" is derived from this: fraudsters insert themselves into the communication between customers and customer service. For example, a fraudster could pose as a support employee and redirect the conversation to fake accounts on social networks or fake websites. The aim is to lure victims to the malicious web presence or to steal information.
Social Engineering: How To Arm Yourself
Defending against it is not easy: instead of hacking the technology, attackers who rely on social engineering hack the psyche of their victims. It is not the technology but the human being that forms the security gap enabling the attack, which means no virus scanner will help either. Essentially, only one thing helps: awareness. This can be achieved through employee training; knowledge is power, and your employees' knowledge disempowers attackers. What else can you do? The following tips show:
- Passwords: Rely on strong, complex passwords, as we explain in our article "Secure passwords: Strong passwords increase security."
- Healthy suspicion: Develop a healthy distrust of people asking for information or data. This is even more important in large companies than in smaller, family-run businesses, because it is easy for criminals to pass themselves off as employees of another department. Small and medium-sized companies should remain vigilant too, however, because criminals there take advantage of employees who are largely unsuspecting.
- Telephone information: Anchor in your security policy that sensitive data is generally not passed on by telephone. Always have requests confirmed in writing, for example by email from a known internal address, or call the person back on a number you already have on file rather than one the caller gives you. That way you also have something to refer to in the event of damage. Remember: