People make mistakes – our limited rationality makes us vulnerable. The best IT security solution is of no use if people fall outside its focus. Even in times of digitalization, there is usually a sentient being sitting at the other end of the screen. And it is precisely this emotionality that so-called “social engineers” make use of: they are not only concerned with merely “fishing” for access data, PIN codes or trade secrets. Rather, social manipulation is intended to persuade the victims of this form of cybercrime to do things that are not in their interest or in the interest of their employer. Thus, it is not the IT systems that are the focus of the social engineers, but their users.
The emotional trap
From fear to authority to time pressure to humour: the tactics of hackers are wide-ranging, and they range strategically from the e-mail of a supposed administrator requesting a password change to the fake message of a company superior. CEO fraud, for example, is the term used to describe social engineering attacks in which the fraudsters impersonate the managing director or a board member of a company. Such e-mails usually exert massive pressure on the recipient, e.g. because the alleged boss claims to be in an emergency situation and demands quick action such as a bank transfer, opening a file or the release of information. In these cases, the attacker uses the natural hierarchy in a company to corner the victim.
In addition to utilizing negative feelings such as pressure or fear, hackers often exploit the curiosity, trust or helpfulness of their victims. For example, they encourage behaviour that supposedly helps a third party, or they bait potential victims with the prospect of apparently sensitive information. A study conducted in 2015, in which USB sticks were dropped on the campus of the University of Illinois, showed that 48 percent of the sticks were plugged in and the files on them were opened.
An overview of the individual tactics can also be found in our awareness poster, which we created for the BSI Alliance for Cyber Security: https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/partner/20190116_Awareness_Poster_SoSafe.html
Security awareness is indispensable: even experienced IT professionals fall into the hackers’ traps. Awareness of the tactics used by attackers is a first and important step towards improved cyber security. A healthy degree of caution and knowledge of the perfidious tactics of “social engineers” can help protect users from cyber attacks. According to Bitkom, the most likely way for companies to notice hacker attacks is through employee alerts. You should always remain vigilant and pay attention to typical phishing indicators, such as a direct request for password data or money. In case of doubt, try to verify the sender, and keep yourself informed about current waves of fraud and phishing. In its current report on IT security in Germany, the Federal Office for Information Security (BSI) sums it up as follows:
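The indicators named above (pressure from a supposed superior, an ask for money or credentials, a sender who is not who the display name suggests) can also be checked mechanically before a message reaches the inbox. The following script is an added example written for this article; it is not SoSafe’s tooling and not part of the original text. It assumes a constructed organisation that owns the domain example.com and keeps a small directory of executives whose names are worth protecting; the two sample messages are constructed as well.

```python
"""Heuristic triage of an e-mail for CEO-fraud / phishing indicators.

Added example (not SoSafe's product). Assumptions, all constructed for the
demonstration: the organisation's own mail domain is example.com and the
executive directory contains one entry.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}                  # assumption: own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory entry

URGENCY_RE = re.compile(r"\b(urgent|immediately|right away|asap|within the hour)\b", re.I)
REQUEST_RE = re.compile(r"\b(transfer|wire|password|credentials|gift cards?)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Return the indicators found and a simple score (one point per indicator)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Is the sender really inside the organisation?
    if _domain(from_addr) not in TRUSTED_DOMAINS:
        findings.append("external sender domain")

    # 2. Display name of a known executive, but not the executive's own address
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("display name impersonates executive")

    # 3. Replies silently redirected to a different domain
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to domain differs from sender domain")

    # 4. Time pressure and the ask itself (money or credentials)
    if URGENCY_RE.search(body):
        findings.append("urgency language")
    if REQUEST_RE.search(body):
        findings.append("request for money or credentials")

    return {"score": len(findings), "findings": findings}


# Constructed sample: CEO-fraud style message
CEO_FRAUD_SAMPLE = """\
From: Jane Doe <jane.doe@example.net>
Reply-To: ceo-office@example.org
To: accounting@example.com
Subject: Urgent

I am in a meeting and cannot talk. Please make the transfer of 24,000 EUR
to the attached account immediately. I will explain later.
"""

# Constructed sample: ordinary internal message from the real executive
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 figures

Could you send me the Q3 summary when it is ready? No rush.
"""

if __name__ == "__main__":
    for label, sample in (("ceo fraud", CEO_FRAUD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(f"{label}: score={result['score']} findings={result['findings']}")
```

A score like this is a triage aid, not a verdict: the fraud sample trips all five checks, the benign one none, but a well-crafted message may trip only one or two. The advice in the text still applies, namely to confirm any unusual request for money or data with the sender through a second channel, such as a phone call.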
“Effective protection against cyber attacks is only possible if general dangers in cyber space and one’s own general endangerment are at least known approximately. This knowledge is a prerequisite for selecting suitable preventive and reactive measures and creating a basis for your own risk analyses”.
Always be careful – even supposed e-mails from colleagues, friends and superiors can come from unknown senders. If in doubt, make sure that the e-mail is legitimate by calling the sender.
Put as little personal information about yourself as possible on the net. Be especially responsible with social networks.
Choose your password carefully and do not share it with supervisors or system administrators. If this is absolutely necessary, do it only in direct, personal contact.
… and your employees
Increase the hazard and risk awareness of your employees.
Offer your employees training and sensitize them to the psychological tricks of the social engineers.
SoSafe tests, sensitizes and trains your employees in the correct handling of all types of social engineering attacks. We train your employees with a modern, easy-to-use SaaS tool and simulated attacks in the correct handling of cyber risks. Ask now for a non-binding test run at SoSafe. This will give you initial transparency about how vulnerable your organization is to such attacks.
sosafe-awareness.com Cyber Security Awareness made in Germany
Text: Maximiliane Overhage