Social engineering

Social engineering refers to interpersonal manipulation used by cyber criminals to gain access to other people’s computer systems and sensitive data. The term comes from the English word “social”, which translates as “interpersonal”, and “engineering”, which literally means “construction”. It is therefore a deliberate construction of an interpersonal relationship.

What does that mean in detail?

The principle of social engineering is not new. In everyday life, it is known by terms such as “fraud” and “conning”. Digital media opens up new opportunities for criminals:

  • Cyber criminals can use digital media such as company websites, blogs, Facebook pages etc. to gather detailed information about a company. They can use this to credibly present themselves as employees, administrators or even managers (see CEO fraud) of this company.
  • Cyber criminals can use social media to establish targeted contacts, e.g. with executives, under a false identity. In the context of a supposed friendship or romance, they try to persuade the targeted person to disclose sensitive company information.

Social engineering often exploits human strengths for criminal purposes. Indispensable qualities such as helpfulness, trust and respect for authority are deliberately abused.

  • For example, cyber criminals claim to be a friend of a friend who recommended the target person as someone to contact, say to proofread a job application. The digital document containing the alleged application, however, carries malware such as a Trojan, ransomware or a keylogger.
  • Or cyber criminals pretend to be superiors under time pressure who, for example, order the transfer of a large sum of money to a specific account.

Fear is also used in social engineering. Because of its strong emotional effect, fear reduces the ability to think critically, which makes the manipulation sought by cyber criminals easier.

  • In CEO fraud, for example, negative professional consequences are threatened if the alleged instructions are not implemented.
  • In blackmail attempts, cyber criminals claim to be in possession of sensitive data of the person under attack, e.g. photos or videos of sexual acts. They promise that this data will be destroyed once their conditions have been met and threaten to publish it otherwise.
  • Following a similar pattern, cyber criminals pretend to be police officers and demand a fine for alleged offenses such as illegal downloads.

Long-term social engineering attacks on strategically important employees are particularly relevant for companies. This may involve, for example, a supposed private contact in which increasingly sensitive company information is disclosed. If the person under attack becomes suspicious or loses interest, blackmail may follow based on information or confidential data that has already been disclosed.

Where do I come across this issue in my day-to-day work?

In practice, you will repeatedly encounter situations where you cannot confirm the identity of the person you are talking to beyond doubt – whether on the phone, by e-mail or in private messages.

What can I do to improve my safety?

  • In principle: Use your tried and tested everyday strategies in digital media too. Unusual questions, inappropriate requests, questionable stories or simply a “strange overall impression” are important warning signs, regardless of the channel.
  • Never give out passwords, confidential information etc. over the phone. Instead, ask for the caller’s full name and a callback number, for example. Or ask about a fictitious person, e.g. a made-up colleague in the department or a non-existent spouse of the alleged mutual friend; a genuine contact will correct you, an impostor will often play along.
  • Don’t let yourself be put under pressure. Not through alleged time pressure or supposedly necessary secrecy. Not through allegations, threats or flattery. All of these can be used to cloud your judgment. Create a situation in which you can think about requests etc. with a clear head and review them if necessary.
  • If possible, check the identity of the person you are speaking to via a reliable, neutral channel. For example, call your company headquarters and ask to be put through to the name given. This call to a manager you have not previously known personally can cause great astonishment on their part – or show that there is no person of this name in your company.
  • Make all employees in your company aware of social engineering procedures and protective measures. Encourage your employees to ask the appropriate people if they receive unusual instructions. Make your managers aware of the importance of these inquiries – they can save your company from major damage.
  • Plan for emergencies, i.e. in the event of a successful social engineering attack. Develop scenarios and measures to be taken so that you can act immediately if the need arises. This includes technical precautions, but also social ones, e.g. secure, confidential contact points for employees who are being blackmailed or otherwise coerced.
  • If you have been the target of a social engineering attack, inform the relevant departments in your company immediately. There is a possibility that you have discovered the signs of an advanced persistent threat. This means a targeted, multi-stage attack on your company, which may include other attack vectors, e.g. spam, keyloggers and ransomware. Your information can be crucial for a successful defense.