"Organizations invest millions of dollars in firewalls and security systems, wasting their money because none of these measures take into account the weakest link in the security chain: users and system administrators." – Kevin Mitnick, former hacker and expert in social engineering
The weakest barrier against attackers is people themselves. Employees often unwittingly open the gates for so-called social engineers and can significantly influence the outcome of a cyber attack.
What is social engineering?
Social engineering specifically targets people who, precisely because of their "human weakness", can be tempted into making mistakes. By cleverly deceiving and manipulating employees, professional attackers bypass a company's extensive security precautions, sometimes effortlessly. This is how they obtain sensitive information or infiltrate internal systems with malware.
How do social engineers operate?
"Show me who you are!": Social engineering attacks are most successful when they target specific individuals. In this case, the attackers are well-informed about you, which makes it much easier for them to convince you – for instance, by dropping the right names and keywords during a conversation to inspire confidence.
Social media – a paradise for social engineers: On social networks, we reveal much more about ourselves than we think. This is why they are a paradise for social engineering.
- Be sparing with any kind of information.
- Restrict access to your profile content.
- Never give your date of birth, as this information is often used for identification.
- Be wary of unknown contact requests.
But what could someone possibly do with your job title, the name of your colleague or the Facebook post about the last company party? You'll find out in the next section.
"Trust me!": Attackers use personal and professional information specifically to convince you of their false identity. So the caller has already spoken to your colleague Ms. Herbst about a particular project? Or he reminds you that in your position you handle sensitive data, which is why he would like to secure your account? He explains that he was the photographer at the last company party and would like to send you the photos via a link? The psychological tricks attackers use to elicit information from you are many and varied.
"I would like to help you!": Did the attacker convince you with his knowledge and friendly demeanor? Then he may have found the loophole he was looking for. The alleged "support employee" helpfully connects to your computer or sends you an important link by email. Have you made the fatal mistake of providing your login data on request or opening the link in the email? Then you may now be dealing with spyware or malware.
The many faces of social engineers
Are you wondering what social engineers resort to most often? Social engineering has many faces, and the attack does not always start digitally.
Pretexting: Social engineers first set up a pretext in writing or by phone to soften you up for the actual attack. A plausible reason dispels some of your doubts.
Phishing: Possibly the most common form of social engineering. These are emails that appear trustworthy and aim to harvest sensitive data. Victims unknowingly install malware or disclose the information themselves in good faith. For further information on phishing, see our Phishing section.
Tailgating: The "colleague" who slips through the entrance door behind you, or the "passer-by" who urgently needs to borrow your phone. Attackers exploit carelessness or helpfulness for their criminal goals.
Planted storage devices: Never connect a found flash drive or other storage device to your laptop or computer, whether for business or private use. It may have been planted deliberately and carry malware.
Look for these signs to expose dubious emails or calls
Now you know how social engineers work and which typical gateways they use. But what are the warning signals you should look out for specifically?
- Are you being threatened with consequences (fees, legal orders)?
- Are you asked for confidential data (login or bank details, company internals)?
- Are you put under (time) pressure (deadlines and urgency notes)?
- Does the message point to a suspicious URL or an unencrypted website (no https prefix and no lock symbol in the browser)?
Always reject suspicious calls and be alert for dubious emails!
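The four warning signs above can be checked mechanically before a human reads a message. The following triage helper is an added example, not code from the original page: it runs over two constructed sample messages, flags threats, requests for confidential data, time pressure and links to unencrypted or unknown hosts, and returns a small score. The keyword patterns and the trusted-host list are assumptions chosen for the example.

```python
import re

# Constructed sample messages (not from the original page) exercising the four
# warning signs: threats, confidential-data requests, time pressure, bad links.
SAMPLE_MESSAGES = {
    "support_reset": (
        "Dear colleague, your account will be suspended and legal action taken "
        "unless you confirm your password within 24 hours: "
        "http://login-portal.example-corp.co/reset"
    ),
    "party_photos": (
        "Hi! I was the photographer at the company party. Photos are here: "
        "https://photos.example.com/album/2024"
    ),
}

# Assumed keyword patterns for the three text-based signals from the checklist.
SIGNALS = {
    "threat": r"\b(legal action|suspend(ed)?|fine|penalty|fees?)\b",
    "confidential_data": r"\b(password|login|bank (account|details)|iban|pin)\b",
    "time_pressure": r"\b(urgent(ly)?|immediately|within \d+ (hours?|minutes?)|deadline|today)\b",
}

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def triage_message(text: str, trusted_hosts=("example.com",)) -> dict:
    """Return which warning signs fire for one message body, plus a score."""
    findings = {name: bool(re.search(pat, text, re.IGNORECASE))
                for name, pat in SIGNALS.items()}
    suspicious = []
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
        unencrypted = url.lower().startswith("http://")      # no https prefix
        # Assumed allow-list: anything outside the known domains is unknown.
        unknown_host = not any(host == h or host.endswith("." + h) for h in trusted_hosts)
        if unencrypted or unknown_host:
            suspicious.append(url)
    findings["suspicious_url"] = bool(suspicious)
    findings["urls"] = suspicious
    findings["score"] = sum(findings[k] for k in SIGNALS) + (1 if suspicious else 0)
    return findings


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, triage_message(body))
```

A score of 0 does not prove a message is safe; the helper only surfaces the checklist items so that a suspicious message gets a second look.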