Social engineering is using interpersonal influences intending to induce certain behaviours in people, for example, to induce them to disclose confidential information, to buy a product or to release funds.
The basic pattern of social engineering can be seen in fake phone calls: The so-called “social engineer” calls employees of a company and pretends to be a technician who needs confidential access data to complete important work. Already in advance, he has collected small scraps of information from publicly available sources or previous telephone calls about procedures, daily office talk and company hierarchy, which help him in interpersonal manipulation to pretend to be an insider of the company.
In addition, he confuses his technically uneducated victim with technical jargon, builds sympathy with small talk about seemingly common colleagues and exploits respect for authority by threatening to disturb his superior if the victim fails to cooperate. The social engineer may have already collected information in advance that a certain employee has actually requested technical assistance and is already expecting such a call. Automated social engineering, also known as scareware, uses special malware programs that frighten the user and are intended to motivate them to take certain actions.
Social engineers spy on their victim’s environment, fake identities, or exploit behaviours such as obedience to authority to obtain classified information or unpaid services. Social engineering is often used to penetrate a foreign computer system to view confidential data; this is also referred to as social hacking. An early form of social engineering was practised with phreaking in the 1980s. Phreakers called phone companies, pretending to be system administrators, and asking for new passwords, which they eventually used to establish free modem connections.
A well-known variant of social engineering is phishing. In this impersonal variant, fake e-mails with a trustworthy presentation are sent to the potential victims. The content of these messages may be, for example, that a certain service you use has a new URL and you should log in to it from now on if you want to use it. This fictitious page is, in layout and presentation, a copy of the original website of the service provider. This should help to lull the victim into safety. If you fall for it, criminals come into possession of the login name and password. Another possibility is that the victim is asked by a supposed administrator to send back the login details in response because there are allegedly technical problems. The basic pattern is similar to the fake phone call, because here, too, the social engineer usually pretends to be a technical employee who needs secret information for data verification or recovery. Unlike there, the attacker usually does not have much more than the recipient’s e-mail address, which makes the attack less personal and therefore less effective.
How to Prevent/Defense Social Engineering
The defence against social engineering is not easy to accomplish, since the attacker exploits positive human qualities: For example, the desire to help unbureaucratically in emergencies or to respond to help with counter help. Stirring up general mistrust would also harm effectiveness and trust cooperation in organizations. The most important contribution to the fight against social engineering is therefore made by the victim himself, who undoubtedly ensures the identity and justification of an addressee before taking further action. Even asking for the name and telephone number of the caller or the condition of a non-existent colleague can unmask poorly informed attackers. Politely asking for patience when a delicate request is presented so urgently should therefore be specifically trained. Even seemingly minor and useless information should not be disclosed to unknown persons, because it could be misused in subsequent contacts to eavesdrop on others or together with much other useless information in itself serve to delineate a larger fact. It is important to warn all potential further victims quickly; The first point of contact is the company’s security department, the contact address of the e-mail provider and fellow human beings and institutions whose information has been misused to pretend false facts. The following points should be noted:
- If the identity of the sender of an e-mail is not sure, you should always be suspicious.
- During calls, even seemingly unimportant data should not be carelessly passed on to strangers, as they can use the information obtained for further attacks.
- When replying to an email request, personal or financial information should under no circumstances be revealed, no matter who the message appears to come from.
- Do not use links from e-mails that require personal data as input. Instead, enter the URL itself in the browser.
- If there is any doubt about the authenticity of the sender, contact him again by phone to check the authenticity of the e-mail.