Image Credit: Siavash Ghanbari via Unsplash
18.08.2021

Social Engineering – Hacking People

Cybersecurity | Attack Vectors | The human factor | Prevention

Most people have heard the term “social engineering” before. But very few can imagine anything concrete by it. We provide insights!

Put simply, social engineering means influencing or deceiving a person. Social engineering also plays a major role in IT security.

But why?

Hackers are like many other people: they want to achieve the maximum result with as little effort as possible. Attacks on computers, operating systems or networks are often complex and very extensive. If cybercriminals cannot exploit existing security gaps in software and hardware, they have to put in a lot of effort to carry out a successful attack on a company. First, a lucrative target must be scouted out. Firewalls, VPNs and other protection mechanisms must then be overcome. Gaps and exploits have to be found, and ultimately they have to work.

The technical protection that companies apply today to ward off cyber attacks is relatively strong. It is therefore quite difficult for cybercriminals to overcome these systems and penetrate a company’s internal IT. To achieve their goal, hackers must use alternative attack surfaces. Humans thus come into the attackers’ sights and serve as an ideal gateway: compared to technical defense, there is hardly any investment in the human factor.

The human factor as a security risk

Cybercriminals are aware of this security risk. They take advantage of this and target a company’s employees. This can be done directly through a personal call or indirectly through an e-mail.

Also interesting: In its recently published study, Bitkom confirms that a large number of attacks start with social engineering. 41 percent of the companies surveyed said that there had been such attempts: 27 percent of respondents reported contact attempts by phone and 24 percent by e-mail.

But the goal is always the same. The hacker wants to gain access to sensitive data, documents and information (e.g. login information or bank details), or wants the victim to take a specific action (e.g. transfer a sum of money).*

Why does social engineering work?

This is easy to explain. Cybercriminals use familiar methods of manipulating people. We encounter social engineering almost every day, whether in dealing with friends, family members or even strangers. With rhetorical means or various psychological approaches, people can be guided and motivated to behave in a certain way. Social engineering can therefore be described as a psychological weapon.

You can read more about the influence of human behavior in the course of social engineering here.

To do this, the attacker must address the target individually. Depending on the person’s character, different incentives are available to the hacker. For example, one employee reacts particularly to flattery, another to special appreciation, and yet another reacts particularly to pressure. With the right stimuli, cybercriminals can influence people to deliver the desired result.

Phishing, the most common form of social engineering

In IT security, social engineering can take many different forms. In addition to pretexting, tailgating or CEO fraud, phishing** is one of the most widespread types.

In phishing, cybercriminals try to obtain sensitive and confidential information using e-mails, fake websites or other methods. Phishing also addresses employees more or less personally. Phishing campaigns are particularly successful if the content of the phishing e-mail is tailored to the addressee or if the recipient feels personally addressed. According to a study by the US company Proofpoint, the following hooks worked particularly well in 2020/2021:

  1. Phishing campaigns that address Corona, COVID-19 and related health alerts
  2. Phishing campaigns that provide information about software used in the company, e.g. Microsoft Exchange or Outlook
  3. Phishing campaigns that offer employee benefits, e.g. free month on Netflix, or vouchers on Amazon and Starbucks

The last few months have clearly shown this: the threat of phishing attacks is constantly increasing. According to the ENISA report, the number of phishing attacks via e-mail increased by more than 600 percent in one month at the beginning of 2020. Perseus can also confirm that phishing attacks are increasing. A study published by Perseus in late summer 2020 shows that more than half of the cyberattacks in 2020 were due to phishing.

You can download the complete study on cybersecurity in the home office free of charge here.

How do companies protect their employees?

Lasting protection against social engineering and phishing attacks requires, among other things, a sustainable cybersecurity concept. A company should invest in the “human firewall” with the same resources it spends on technical defense. Perseus offers such an awareness package. With extensive online training, useful hints and tips and, above all, automated phishing e-mail simulations, employees are specifically sensitized to attack patterns and trained in dealing with phishing e-mails, which noticeably raises the cybersecurity level in the company.

* Source: Current survey by Bitkom | August 2021. You can find more content here.
** The term phishing here also includes subtypes such as spear phishing, voice phishing / vishing, smishing, social media attacks, business email compromise, etc.