Social Engineering - How you can protect yourself against it
Author: Hannes Hartung

According to studies, more than 70 per cent of all cyberattacks do not primarily target hardware or software but rather attempt to obtain sensitive information through targeted manipulation of humans in order to carry out further attacks.[1] This is because it is more difficult to compromise well-protected servers from outside than to enlist employees' conscious or unconscious assistance.
The objectives of the attackers are usually:
- Industrial espionage
- Damage to image or reputation
- Identity theft
- Blackmail
- Access to other data structures.
Even though the exact methods are not always known, since criminals rarely publish their techniques, there are various manipulation tactics that we know are in use. In most cases, social engineering attacks try to exploit people's emotions, attempting to artificially evoke feelings of fear, joy, happiness or contentment.
Through the feigned urgency of the supposed request, coupled with the limited time to act, the victim is put under pressure and pushed into making a rash decision.
Phishing and Spear Phishing
We are all familiar with poorly crafted phishing emails full of spelling mistakes and impersonal greetings. Unfortunately, these kinds of attacks are evolving and will continue to do so in the future. Through more individualised spear phishing attacks, criminals attempt to trigger specific actions from victims or to obtain sensitive information. Thanks to prior research, these custom attacks are far more realistic than the mass phishing campaigns we are familiar with. At the same time, such attacks are no longer carried out by cunning individuals alone. As the last wave of the EMOTET Trojan has shown, malware is becoming increasingly intelligent. Let's engage in a thought experiment. Through social networks and other publicly accessible sources, I can find out a great deal of information about both companies and individuals. Using this information, I can prepare a targeted spear phishing attack that cannot be easily detected. Meanwhile, however, malware is now able to evaluate such information and use it for automated attacks. This development is worrying and will concern us more and more in the coming years.
Voice Phishing, Shoulder Surfing & Co.
Aside from the common email phishing scam, other tactics are becoming more and more sophisticated and professional. In the future, attacks will no longer come exclusively via email.
Social networks and team communication tools of the remote work age, such as Microsoft Teams and Slack or video conferencing software, are increasingly becoming the focus of criminals. I still recall my last long train journey by ICE from Hamburg to Leipzig in 2019. In the compartment sat a middle manager of a German DAX company who held a meeting on strategic directions and budget planning for all to hear. Without reaching into the social engineering bag of tricks, I was involuntarily fed sensitive company information. The introduction of strict policies and awareness-raising measures could easily prevent such a meeting from taking place, one which can have potentially very damaging consequences. A further measure would be introducing a privacy screen that protects against glances from the person sitting on either side.
Furthermore, with the spread of the Corona pandemic, we are also seeing an increase in cases of voice phishing targeting employees working from home. This involves the person receiving a series of fake calls. A typical example is a call supposedly from the IT department, which needs to configure the VPN access correctly to protect the person while they work from home. The callers then try to get the person to read out access data over the phone or to enter it on a fake VPN portal. Again, the manipulation tactics mentioned above are used, and this type of attack can be prevented relatively easily with the protective measures below.
How can companies protect themselves?
Protection for companies is possible in many ways. Unfortunately, in practice, measures are often only taken after a successful attack has taken place. Even though the follow-up and evaluation of attacks are very important, preventive measures must be taken to reduce an attack's probability of success. For one thing, clear communication channels must be established and the value of information classified. All employees should know (even in their sleep) what kind of information may be released to which groups of people. Only in this way can confidence in acting be consolidated and the level of protection increased.
On the other hand, people must be able to recognise and classify threats. This is achieved through effective education measures and training. The more often people are confronted with such situations through examples or exercises, the more confident they become in dealing with them. But individuals can also protect themselves significantly through the following measures. This is because social engineering attacks thrive on the information that the criminals can gather about the victim in advance. Data minimisation is not only a principle of current data protection regulations but also a principle for our everyday digital life. Only disclose as much information on social networks as is absolutely necessary, and be particularly cautious when receiving invitations from unknown persons.
[1] Statista. (2019, 25 March). Umfrage zu den Vorfällen von Cybercrime in Unternehmen weltweit 2017. de.statista.com/statistik/daten/studie/499324/umfrage/vorfaelle-von-cybercrime-in-unternehmen-weltweit/