It used to be known as the “grandmother trick”: con artists would convince elderly people that they were their grandchildren, only to relieve their victims of their savings. These days, the same playbook is used online: many people willingly disclose information about their personality, emotional life, professional situation or financial status on the Internet. For cybercriminals, it’s a meal ticket, because this knowledge makes it easy for them to gain the trust of potential victims – and then get them to simply hand over confidential login data or transfer large sums of money.
Originally, the term “social engineering” had a positive connotation. It was popularised in 1945 by the philosopher Karl Popper in his work “The Open Society and Its Enemies”, in which he advocated bringing about gradual, positive developments in society through targeted, piecemeal intervention. Today, in the digital age, the term has a distinctly negative meaning: it stands for highly effective methods of manipulating not only private individuals, but also small companies and large, international corporations, sometimes causing damage that threatens their very existence.
Technical security measures such as firewalls and malware scanners, and authentication technologies such as two-factor authentication (2FA) or multi-factor authentication (MFA), make it increasingly difficult for attackers to penetrate well-protected corporate networks and get their hands on valuable data. Many systems already allow password-free login using biometric data such as facial recognition or fingerprints, or hardware-backed (FIDO2/passkey) credentials that are bound to the genuine website and therefore cannot be entered on a fake one. Password managers also help, because they only fill in credentials on the domain they were saved for and so refuse to hand a password to a lookalike site.
The weak point in the system, however, remains the users themselves – their willingness to help quickly and with a minimum of bureaucracy, their gullibility, their carelessness and sometimes even their greed for some supposedly quick money. That’s why this is precisely the area that cybercriminals target when they try to gain the trust of users in various ways – until the users, without meaning to, voluntarily grant them access to their own accounts or to entire corporate networks.
Social engineering relies on predictable human behaviour patterns
Human thinking and behaviour are predictable. According to the security researchers Myles Jordan and Heather Goudey, online scammers target certain human characteristics such as inexperience, curiosity, and the desire for wealth or love. This is where cybercriminals find easy points of contact: for example, lonely men who would do anything for their online love in a distant country – right up to financial ruin. Companies are at risk too, for instance when criminals pretend to be IT administrators on the phone and are willingly given passwords by “helpful” employees. So you could say that, with social engineering, cybercriminals ruthlessly exploit the emotional weaknesses of their fellow human beings.
Do you know Robin Sage?
Whether it’s Facebook, Instagram, LinkedIn or Xing: anyone with a social media account knows the story. Unknown young women suddenly want to make contact – often with very explicit offers. In reality, this is merely an attempt to pry into someone’s personal profile and contact list in order to gather information. Anyone who is too open with their data could soon end up the victim of cybercriminals. The fictional character “Robin Sage”, created in 2009 by the IT security specialist Thomas Ryan, demonstrated how the system works. Robin Sage was an attractive young woman who never actually existed. Online, however, within a few weeks hundreds of people – including staff at military, intelligence and defence-contractor organisations – accepted her connection requests and shared details of their work and private lives with her. It showed how easy it is to manipulate people by appealing to their most basic longings and their desire to be helpful.
“Your account has been blocked!” – playing on people’s fears
Even if corporate networks are well secured, cybercriminals like to contact users directly in order to obtain critical data. They do so, for example, by sending e-mails that imitate the corporate design of large companies to varying degrees of perfection, with a fake login page behind the link, in order to entice people to reveal their login data. With the captured credentials, the scammers either penetrate the corporate network in question or reuse the same username and password on other services, and then install malware unnoticed. This can be ransomware, which encrypts the company’s data and paralyses its operations. Companies targeted in this way are then pressured to pay huge sums in cryptocurrencies to get their data back – with no guarantee that they will.
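The tell-tale signs of such a phishing mail can be checked mechanically: the sender domain is a lookalike of the real brand, the Reply-To points somewhere else, and the link text shows the genuine address while the link target goes to the attacker’s host. The following script is an added example (not code from the original article) that scores a constructed sample message against a list of trusted domains; the domains, the brand words and both e-mails are made up for illustration, and the “registrable domain” helper is a simplification that a real deployment would replace with a Public Suffix List lookup.

```python
"""Added example: heuristics for spotting credential-phishing e-mails.
All domains, names and messages below are constructed for illustration."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: styled as "Example Bank", sent from a lookalike domain,
# with a Reply-To elsewhere and a link whose visible text differs from its target.
PHISHING_EMAIL = b"""\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: support@mail-verify.example.net
To: victim@example.org
Subject: Your account has been blocked!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, unusual activity was detected. Sign in within 24 hours:</p>
<p><a href="https://login.examp1e-bank.com/auth">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison: everything stays on the trusted domain.
LEGIT_EMAIL = b"""\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>View it at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p></body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}   # assumption: the brand's real domain(s)
BRAND_WORDS = ("example bank",)           # assumption: names the brand is known by


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels (fails for e.g. co.uk; use the Public Suffix List in practice).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalise(domain):
    # Undo the most common digit/letter substitutions used in lookalike domains.
    return domain.translate(str.maketrans("01", "ol")).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None."""
    for t in trusted:
        if domain != t and normalise(domain) == normalise(t):
            return t
    return None


def host_of(text):
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def html_body(msg):
    for part in msg.walk():                      # works for single-part and multipart mails
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse(raw_email, trusted=TRUSTED_DOMAINS, brand_words=BRAND_WORDS):
    """Return a list of finding strings; an empty list means no phishing indicator fired."""
    msg = email.message_from_bytes(raw_email)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_reg = registrable_domain(from_addr.rpartition("@")[2])
    if from_reg not in trusted:
        imitated = lookalike_of(from_reg, trusted)
        if imitated:
            findings.append(f"from-lookalike:{from_reg}~{imitated}")
        if any(w in display_name.lower() for w in brand_words):
            findings.append(f"from-brand-mismatch:{from_reg}")
    if msg.get("Reply-To"):
        rt_reg = registrable_domain(parseaddr(msg["Reply-To"])[1].rpartition("@")[2])
        if rt_reg != from_reg:
            findings.append(f"reply-to-mismatch:{rt_reg}")
    extractor = _LinkExtractor()
    extractor.feed(html_body(msg))
    for href, text in extractor.links:
        href_host = host_of(href)
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != href_host:
            findings.append(f"link-text-mismatch:{host_of(text)}->{href_host}")
        href_reg = registrable_domain(href_host)
        if href_reg not in trusted:
            imitated = lookalike_of(href_reg, trusted)
            findings.append(f"link-lookalike:{href_reg}~{imitated}" if imitated else f"link-untrusted:{href_reg}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, analyse(raw))
```

Running it lists five indicators for the constructed phishing mail (lookalike sender, brand name on an untrusted domain, foreign Reply-To, link text that disagrees with the link target, and a lookalike link domain) and none for the legitimate one. The same checks are what a mail gateway or a user education tool applies; a user can do the manual equivalent by hovering over links and comparing the real sender address with the displayed name.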
Social engineering – the variants
Pretexting: Attackers start by researching their victim’s private and professional life in order to build a believable story (the “pretext”). They then contact the target, for example claiming to be IT administrators who urgently need help, supposedly on behalf of the management, in order to obtain confidential data.
Diversion theft: Logistics companies or their customers are tricked, for example by someone posing as the recipient or a courier, into redirecting deliveries to an address controlled by the attacker.
Watering hole: Attackers work out which websites their target group visits most frequently, look for vulnerabilities in those sites and compromise them, so that the sites deliver malware to the intended visitors.
Baiting: Here, the user is lured into “taking the bait” in the form of a fake message from friends, a sensational video, an e-mail attachment or a USB stick containing malware. As soon as the user opens the malicious file, it infects his or her system and enables the attackers to gain unauthorised access to confidential data – up to and including compromising entire corporate networks.
Quid pro quo: A “give and take” of the more insidious kind. For example, fraudsters call employees of a company and pretend to be from IT support. They ask them to briefly disable their anti-virus protection or firewall, or to install a “remote support” tool, for a project. This gives the cybercriminals free rein to install malware or ransomware on the unprotected computers.
Tailgating: A form of social engineering used to gain access to protected areas, such as a building, by following an authorised person through a door or card-controlled gate – often with hands full of boxes or coffee cups so that the person politely holds the door open.
Rogue security software (scareware): Social engineers suggest to the user, for example with a pop-up warning, that their computer has been infected with a virus. The aim is to make the user nervous and get him or her to buy or install alleged “security software”. In reality, this software is the malware, or is used to install further malware on the computer.
How can social engineering attacks be prevented?
Advanced authentication methods such as two-factor or multi-factor authentication, and moving away from passwords in favour of biometric factors (face scan, fingerprint, iris scan, voice recognition, etc.) or hardware-bound passkeys, already pose hurdles that cybercriminals find difficult to overcome. One caveat is that one-time codes and push notifications can still be talked out of a user or relayed in real time by a fake login page; only factors bound to the genuine site, such as FIDO2 security keys or passkeys, are resistant to this. Because the technical hurdles keep rising, attackers instead exploit the carelessness, gullibility or helpfulness of their fellow human beings. For this reason, it is important to establish a high standard of security through a set of rules of conduct for dealing with devices, the Internet, private or corporate networks, user accounts and communication.
Humans will always remain a weak point in digital networks. However, a lot can be gained in terms of security by implementing the following simple measures:
- Raising awareness of the dangers of social engineering and cybercrime through training
- Practising safe behaviours and training regularly
- Never opening unexpected e-mail attachments or links without first checking the real sender address and, where in doubt, confirming with the sender through a separate channel
- Never using unauthorised devices (e.g. in the home office or when travelling)
- Never installing unknown software
- Verifying that callers (e.g. IT support) are actually authorised to give you instructions, for instance by hanging up and calling back on a number from the internal directory rather than one the caller provides