Risks from the web are often difficult to assess – but it is a fact that in 2020 nine out of ten companies were victims of a cyber attack. In our post series on internal and external cyber risks, we shed some light on this topic: This time, we focus on Social Engineering and the question of how companies should react to the manipulation of their employees, which is becoming more explosive during the pandemic. After all, cybercriminals have long since identified humans as the supposed weakest link in IT security.
What is Social Engineering?
The term Social Engineering describes a scam used by cybercriminals to elicit confidential data from employees in companies or private individuals or to get them to install malware without being noticed. In most cases, the hackers’ aim is to extort ransom, protection or hush money and thus enrich themselves. For this purpose, they exploit human behaviors such as trust, curiosity, fear, or respect for authority – similar to trickery at the front door.
Since Social Engineering aims at the psychological manipulation of people, this context is also referred to as Human Hacking or Social Hacking. “Amateurs hack systems, professionals hack people,” says renowned computer security expert Bruce Schneier. This is because the human factor constantly provides cybercriminals with new occasions for criminal activity. Nine out of ten security incidents can be traced back to human error, causing immense economic damage every year. It is therefore critical for companies to know the relevant attack techniques in the area of Social Engineering and to equip their own staff with the appropriate knowledge. This ensures that suspicious events can be met with the necessary mistrust in the future.
Social Engineering: You should know these 7 methods
Social Engineering is becoming increasingly clever and targeted, which is proving to be a major security risk for companies and their employees. Those who know current attack techniques can respond strategically. It is not uncommon for hackers to combine different methods to perfectly disguise the cyber attack:
1. Phishing & Spear Phishing
Phishing is probably the best-known form of Social Engineering: Employees in companies or private individuals are tricked by fake e-mails, SMS or social media messages into clicking on a contaminated link and entering personal login data on a fictitious website. This information is used for data misuse.
In the past, Phishing messages were relatively easy to spot due to grammatical errors, missing salutations or translation mistakes. Today, it is becoming increasingly difficult to identify them. One example of this is Spear Phishing: Unlike conventional Phishing attacks, which are directed at a large number of addressees, cybercriminals use the more targeted Phishing variant to address individual employees or small groups. To target individuals, attackers use search engines to look up people and e-mail addresses and analyze personal relationships via social networks. This results in messages with a real connection to colleagues, company events or individual interests. According to the German Federal Ministry for Information Security (BSI), this approach increases the potential “hit rate” of hackers.
2. Pretexting
Cybercriminals who use Pretexting want to gain the trust of their potential victims by means of a pretext or a freely invented scenario in order to persuade them to hand over personal data. This is intended to facilitate access to protected IT systems. In Pretexting, attackers pretend to be IT staff or bank employees on the phone, for example: They claim to be trying to help fix an urgent problem, which, however, is fictitious.
Pretexting is often combined with other attack techniques. By faking situations, attackers repeatedly succeed in bypassing the human mind. As a result, victims make decisions based on emotions – leading to significant cyber security failures.
3. CEO Fraud
As a special form of Pretexting and Spear Phishing, CEO Fraud is a particularly popular method used by Internet fraudsters. Here, the authority of the superior is used and pressure is built up. The Social Engineer slips into the role of the management and requests employees to disclose important data by means of deceptively real-looking e-mails or fictitious telephone calls. Often, an emergency situation is presented that requires courageous action. For example, the accounting department is asked to quickly carry out a business-critical money transfer.
This perfidious procedure is based on the assumption that employees are more likely to put defined security regulations on hold when asked to do so by superiors. Who will not want to assist their boss with urgent business matters? Since hackers have usually spied on the company and employees in question in advance, the messages seem particularly realistic. Quite often, even the characteristic style of superiors is imitated. The attack technique became public, among other things, through an e-mail with the sender @ceopvtmail.com, which the Federal Criminal Police Office warned about a few years ago.
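The warning signs described above (a superior's name on a message from an outside domain, an emergency, a request for a money transfer) can be checked mechanically on incoming mail. The following Python sketch is an added example, not part of the original article; the company domain, the executive names, the keyword lists and both sample messages are constructed assumptions, with the sample sender domain taken from the case mentioned above.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed, constructed values for illustration only.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "max mustermann"}
URGENCY = ("urgent", "immediately", "today", "confidential")
PAYMENT = ("transfer", "wire", "payment", "invoice")

def ceo_fraud_indicators(raw_message: str) -> list[str]:
    """Return the CEO Fraud warning signs found in one raw e-mail."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    body = body if isinstance(body, str) else ""  # skip multipart bodies
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = []
    # A superior's name in the display field, but a foreign sender domain.
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        hits.append("executive-name-external-domain")
    # Pressure: an emergency that demands quick action.
    if any(word in text for word in URGENCY):
        hits.append("urgency")
    # The typical goal: a business-critical money transfer.
    if any(word in text for word in PAYMENT):
        hits.append("payment-request")
    return hits

def is_suspected_ceo_fraud(raw_message: str) -> bool:
    """Impersonated superior plus at least one further warning sign."""
    hits = ceo_fraud_indicators(raw_message)
    return "executive-name-external-domain" in hits and len(hits) >= 2

# Constructed sample messages.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@ceopvtmail.com>
To: accounting@example.com
Subject: Urgent transfer

Please carry out this transfer today. I am in a meeting, do not call.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Team lunch

Lunch is moved to Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, ceo_fraud_indicators(raw), is_suspected_ceo_fraud(raw))
```

A match is a reason to confirm the request with the superior through a known channel before acting on it, not proof of fraud.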
4. Baiting
Baiting can be interpreted as “luring” – and that’s exactly what this Social Engineering tactic is all about. Employees are lured with something interesting to entice them to take a desired action. Bait can be digital media such as links to supposedly free music or movie downloads. If the infected file is downloaded, malware spreads from the networked computer into the system – the attacker can access confidential information unnoticed and turn it into money.
The example of the much sought-after Playstation 5, which is currently sold out everywhere, shows how hackers are currently acting. Here, social engineers use links to a store where you can supposedly still buy the out-of-stock console. Criminal intentions are also pursued with this trick. Baiting is not limited to the digital world: tricksters also use physical objects to exploit human curiosity (more on this under Tailgating and Media Dropping).
5. Tailgating
Social Engineering attacks also take place in the real world – usually in the course of a method called Tailgating. In this case, the attacker gains physical access to a company site or building, for example, to carry out Media Dropping (see below). In a typical scenario, he/she poses as a package delivery person or service technician and follows an employee unnoticed through the entrance area. This is how “slipping through” succeeds. Where electronic access controls or security personnel block the way, additional Pretexting is used. For example, the stranger could pretend to be a new colleague. In many cases, the conversation is sought with employees – with the aim of feigning familiarity and entering the company together.
6. Media Dropping
Media Dropping relies on the interaction of analog and digital activities. Attackers use storage media infected with malware, such as USB sticks, flash drives, or CDs, and leave them behind in companies – often in the course of tailgating. The media are disguised as lost items or giveaways for employees to discover and plug in out of curiosity. Since they usually contain spyware or bots for DDoS attacks, entire systems can be inadvertently taken down. In the past, attackers also chose the postal route and sent letters with attached storage media. Here, too, the aim was to arouse the recipients’ interest so that they would open the medium and inadvertently infect their computers. If employees are specifically enticed to open files by labels on the storage media, such as “Salary increases 2022,” the attacker combines the tactics of Media Dropping and Baiting.
7. Quid pro Quo
According to the Latin expression “Quid pro Quo,” a giving person should receive an appropriate return. Hackers proceed in exactly the same way with their potential victims in the Social Engineering method with the same name: They hold out the prospect of an advantage if requested information is passed on or actions are carried out. This happens, for example, in the course of a fake phone call: The Social Engineer pretends to be a colleague from the IT department and offers support with an allegedly necessary software update. The victim is promised a quick and easy solution, which, however, installs malware on the computer. Often, the personal security password is requested in this scam. In many cases, the approach is also flanked by Spear Phishing messages in order to quickly convince the victim.
Identify human hacking and protect your own company
Social Engineering attacks are steadily increasing, but they can be prevented. However, technical solutions such as firewalls or antivirus programs have no effect here. In view of the human-centric approach, companies are faced with the task of sharpening their own employees’ understanding of security and building them up into a human firewall. Targeted training measures such as Phishing campaigns and Security Awareness Training can make a significant contribution to closing the “human vulnerability”. In this way, employees learn in a practical way how to protect themselves and the company from cyber attacks, even from the home office – and how to identify risks in advance.
In this context, it is worthwhile to address the individual level of knowledge and to offer training courses with different levels of difficulty. When making their selection, decision-makers should also ensure that the training courses are conducted by experienced security specialists. They should be familiar with current attack methods and regularly put a stop to cybercriminals themselves. Last but not least, it is important to conduct the training courses at regular intervals in order to keep the internal level of knowledge up to date – especially in view of the fact that Social Engineering tactics are constantly changing.