The 7 most common social engineering tricks in companies

"Amateurs hack systems, professionals hack people", as Bruce Schneier, computer security expert at Harvard University, aptly puts it. The quote illustrates that cyber security is about more than the security of systems alone. The human factor is so attractive to attackers because it constantly opens up new criminal possibilities. There are many social engineering and social hacking methods – but there is no single universal scam. This makes it all the more important to know the most common social engineering tricks.

What exactly is social engineering?

The term social engineering describes the emotional manipulation of people to elicit certain behaviors. It is far from being a new phenomenon. As early as the 17th century, fraudsters heisted large sums of money using the "Spanish prisoner" scam. Pretending to be held in a Spanish prison and to know the location of a buried treasure, which they refused to reveal until their release, they sent letters to wealthy people. The recipients eventually lent the alleged prisoners money to enable them to escape, hoping to enrich themselves with the treasure. Instead of a treasure, however, they soon had to realize that they had fallen victim to an elaborate fraud. The principle of social engineering has hardly changed to this day; only the channels are different – emails, text messages, private messages in social networks and telephone calls have replaced the letters of the past.

And what is social hacking?

The term social hacking is closely related to social engineering. However, it is not about the manipulation of people in general; instead, the attackers have a very specific goal in mind. Social hacking means manipulating, influencing or deceiving people in such a way that control over their computer system can be gained. The criminals usually contact their victims via e-mail, private messages in social networks or telephone. The aim of all these methods is to gain illegal access to the data of the user or the associated company. With the increasing amount of data that is publicly available on the Internet, attackers can target and deceive their victims in an increasingly specific manner. The most common social hacking tricks are therefore listed below. True to the motto "there is nothing that does not exist" (anything is possible), attackers are constantly developing new, sophisticated scams.

The 7 most common social engineering tricks in companies

#1: Phishing

Phishing is the attempt to obtain sensitive information such as user names, passwords and credit card data by posing as a trustworthy institution. Mass emails are used to establish contact, and some of them always manage to bypass existing spam filters. Emails that supposedly come from popular social networks, banks or auction sites are used to make the recipient reveal sensitive information. The emails are often deceptively genuine and can only be recognized by minor irregularities.

#2: Spear phishing

Spear phishing is a special type of phishing. It is a focused, targeted attack on an organization with the aim of penetrating its defense mechanisms. A spear phishing attack is preceded by a more or less intensive "observation" of the target person or company, so that specific personal information and details can be used to establish contact. A reference to an upcoming company event, a specific colleague or the personal interests of the recipient significantly increases the response rate of the recipients – a major risk for companies and the affected users.

#3: CEO Fraud

CEO fraud, or business email fraud, is a scam in which an email or a phone call from a superior or the managing director is faked in order to increase the chance that employees will respond to the contact. Usually, massive pressure is built up, e.g. by the alleged boss claiming to be in an emergency situation and demanding quick action, such as a bank transfer, the release of a file or the disclosure of information.

#4: Baiting

Baiting is literally the process of offering a potential victim a bait so that they perform an action desired by the attacker. This can be a link to a supposedly free film download, but also an "accidentally" lost USB stick labeled "Dismissal Plan 2018", which is placed in a public area of the company. As soon as the device is plugged in or a malicious file is downloaded, the victim's end device is infected and the attacker can access all of its data.

#5: Quid pro quo

The "quid pro quo" technique is about offering the potential victim the prospect of an advantage so that he or she will disclose information in return. An example would be an alleged call from the IT department pointing out a security risk that has been discovered on the victim's computer. The caller promises that the problem will be fixed immediately if the password is only briefly handed over for verification. It is foreseeable how this story typically ends.

#6: Scareware

Scareware (also known as rogue security software or a rogue virus scanner) is malware that deceives or misleads users by pretending to have discovered a security risk. The victim is then asked to pay for the removal of these fake security risks, and the supposed security update turns out to be the actual malware.

#7: Honey pot

In the "honeypot" trick, the victims are contacted online by fictitious, usually very attractive people in order to initiate an interaction. They flirt, give compliments and finally ask for a first photo to be sent. If, after some time, compromising material (e.g. nude photos, explicit intentions, etc.) has been sent, it is used to blackmail the victim and to obtain money and/or passwords, insider information, etc.


The emotional trap – Manipulating victims to act on impulse

From authority to time pressure to humor: the psychological tactics of attackers are diverse and range from an email from a supposed administrator requesting a password change to a fake message from a superior. The attackers exploit the natural hierarchy in a company to corner the victim. In addition to generating negative feelings such as pressure and fear, they often also exploit the curiosity, trust or helpfulness of their victims. They encourage behavior that supposedly helps a third party or offer the prospect of apparently explosive information. A study by the Friedrich-Alexander University Erlangen-Nuremberg shows how dangerous the emotional trap is – 92% of all cyber attacks start with a phishing email, probably the most common social engineering trick.

How can you avoid falling for the social hacking methods in order to protect yourself and your company?

Companies need to be particularly vigilant and sensitize their employees to the dangers from the Internet. In phishing attacks, cyber criminals are increasingly manipulating the emotions of recipients to achieve their goal. Creating pressure, arousing curiosity or triggering fear are just some of their psychological tricks. Preparation and sensitization are therefore essential in all cases. Trained employees who know how to deal consciously with such IT security risks can react early and thus ward off serious incidents in the company. This is one of the reasons why various compliance frameworks, such as ISO 27001 or the DSGVO (GDPR), require continuous training of employees in IT security topics; in the case of ISO 27001, this also includes a form of simulated social engineering attacks. In addition to information campaigns on cyber security and employee training, for example in the form of digital and interactive learning platforms, phishing simulations are particularly suitable for continuous awareness building in companies.

Take home message:

Cyber security awareness is essential: even experienced IT professionals fall for attackers' tricks. Knowing which tactics attackers use is a first and important step towards cyber security. After all, a healthy degree of caution and knowledge of the perfidious tactics of "social engineers" can protect users from cyber attacks. According to Bitkom, in most cases companies only notice attacks after receiving tips from their employees!

About SoSafe

The SoSafe awareness platform continuously sensitizes and trains employees in dealing with IT security and data protection. Phishing simulations and interactive e-learning modules teach employees in an effective and lasting way what to pay particular attention to when using e-mails, passwords or personal data. The company receives anonymous yet differentiated reporting and can thus make awareness building measurable – fully DSGVO (GDPR) compliant.