All of a sudden, an email pops up in your inbox. It appears to come from your bank or the corporate IT department. In alarming tones, it informs you of irregularities with your user account and explains that you must immediately enter your login details on a site conveniently linked from the email in order to avert a catastrophe. Under such pressure, it is not always easy to stop for a moment and ask whether the email and its sender are genuine or whether a social engineering attack is underway. But what is social engineering? Which attack vectors are particularly successful? And how can companies protect themselves?
Social engineering attacks come in many forms. What they have in common is that they exploit human behaviour and emotions such as fear, curiosity or respect for authority rather than a flaw in software. The goal is to win the victim's trust and apply psychological pressure so that the victim discloses data or carries out an action from which the attacker profits. This may involve asking the victim under false pretences for the login details for their bank account. Another approach is to pose as a colleague from the IT department offering assistance that, conveniently, requires the disclosure of access credentials. The emails and the pages they link to look genuine at first glance, and that is all it takes for criminals to take over an account or slip malware such as ransomware onto the corporate network unnoticed. These are just two examples; with this type of attack the only limit is the attacker's ingenuity, and well-crafted lures fool IT professionals too.
Phishing leads the way in social engineering
The most widely used attack vector in the context of social engineering is phishing, which can take several forms:
In mass phishing, attackers are not targeting specific users. They send emails in bulk that appear to come from legitimate senders such as web shops, financial service providers, system administrators or even friends. Psychological manipulation combined with subject lines that scream urgency is meant to induce recipients to disclose passwords and account data for various systems. In many cases these systems are well protected technically, so the attacker relies on human carelessness to gain access, typically by asking the recipient to enter credentials on a look-alike login page reached through a link in the email. Once in, the attacker infects systems with malware, encrypts data, steals it, or all three.
In spear phishing, attackers take a more targeted approach and send emails to a small, chosen group. The addressees are selected and researched in advance, for example by harvesting information about them or their organisation from social and business networks, and the email is written to match. Because the message is personalised, spear phishing has a markedly higher success rate than mass phishing. One variant is CEO fraud: the perpetrators address decision-makers or staff authorised to make payments, and the attacker poses as a superior who instructs the victim to transfer a sum of money without delay, applying the pressure of seniority and urgency at once.
The personalised tactics also include whaling, in which attackers go after high-ranking executives, the big fish, hence the name. As with the other phishing attacks, the goal is to obtain confidential data or money by deception. For example, the attackers pose as decision-makers at a business partner and request the transfer of a large sum to close a deal; the account they specify belongs to the criminals.
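The three phishing variants above share a handful of observable indicators: a display name or sender domain that invokes a brand the mail does not really come from, a Reply-To that diverts answers elsewhere, urgency language in the subject, and link text that shows one domain while the href points at another. The following is an added example, not code from the original article, that triages a raw email for exactly those indicators. The sample email, the KNOWN_BRANDS allow-list and all domain names in it are constructed for illustration.

```python
"""Heuristic triage of a raw email for common phishing indicators (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list (assumption): brands the organisation expects mail from,
# mapped to the one domain each legitimately sends from.
KNOWN_BRANDS = {"examplebank": "examplebank.com"}

# Phrases that "scream" urgency in a subject line.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours",
                 "verify your account", "action required")


def domain_of(header_value: str) -> str:
    """Lower-case domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def same_or_subdomain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_email)
    findings = []
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))

    # 1. Brand impersonation: the display name or sender domain invokes a known
    #    brand, but the mail does not come from that brand's real domain.
    for brand, real_domain in KNOWN_BRANDS.items():
        invoked = brand in display.lower().replace(" ", "") or brand in from_domain
        if invoked and not same_or_subdomain(from_domain, real_domain):
            findings.append(f"sender {from_domain!r} invokes brand {brand!r} but is not {real_domain}")

    # 2. Reply-To diverts replies to a domain other than the sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 3. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [term for term in URGENCY_TERMS if term in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    # 4. Link text shows one domain while the href points somewhere else.
    collector = _LinkCollector()
    collector.feed(body_text(msg))
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        for shown in re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower()):
            if not same_or_subdomain(target, shown):
                findings.append(f"link text shows {shown!r} but points to {target!r}")
    return findings


# Constructed sample lure modelled on the scenario in the article (not a real message).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@mail-examplebank-login.net>
Reply-To: support@examplebank-verify.net
To: jane.doe@corp.example
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Irregularities were detected on your account. Verify your details immediately:</p>
<p><a href="http://examplebank-verify.net/login">https://www.examplebank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the checker reports four findings: brand impersonation by the sender domain, a diverging Reply-To, three urgency phrases in the subject, and a link whose visible text names www.examplebank.com while the href goes to examplebank-verify.net. Each check is cheap and explainable, which matters when the output is meant to teach a user why a message was held rather than to silently block it; none of them replaces authentication checks such as SPF, DKIM and DMARC on the receiving mail server.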
When the vulnerabilities are human
Social engineering attacks target the human attack surface first and foremost rather than technical vulnerabilities. To shrink that attack surface, companies can take a variety of actions:
- Regular security awareness training to make staff alert to the threat posed by social engineering. Such training should be mandatory for new hires in particular. It should teach all employees how to recognise even skilfully drafted phishing emails and when to be sceptical of a supposedly familiar sender, for instance when a known contact suddenly asks for credentials or a payment.
- Employees should have written guidance they can easily consult on what to look out for when they receive a request for sensitive data or a payment, and on how to verify such a request through a second channel, such as calling the purported sender on a known number.
- A reporting process that tells employees what to do when they receive a suspicious email, and what to do if they have already clicked a link or entered credentials, also reduces the risk: the sooner a successful phishing attempt is reported, the sooner passwords can be reset and the attacker's access cut off.
The fatal consequences of social engineering attacks
Social engineering is particularly dangerous because it allows even the most sophisticated technical defences to be bypassed by a single careless act by one employee at the decisive moment.
The consequences can be severe for any company. Attackers can steal valuable data such as sensitive customer information or trade secrets and then threaten to publish it unless a substantial sum is paid. They can also smuggle in malware undetected that blocks access to files or takes entire systems offline. The result is not only financial loss from business interruption: once a theft of customer data becomes known, the company also faces reputational damage and possible regulatory consequences. Every company should therefore treat social engineering as a standing risk and raise awareness of it among employees at every level of the hierarchy, because ultimately they are the ones in the firing line of such attacks.