Social Engineering – The hacking of people!


Most people have heard the term “social engineering” before. But very few people have a concrete idea of what it means. We provide insights!

Simply put, social engineering means influencing or deceiving a person. Social engineering also plays a major role in IT security.

But why?

Hackers are like many people: they want to achieve the maximum result with the least possible effort. Attacks on computers, operating systems or networks are often elaborate and very extensive. If cybercriminals cannot exploit existing security gaps in software or hardware, they have to put a lot of effort into successfully attacking a company. First, a lucrative target must be identified. Then firewalls, VPNs and other protection mechanisms must be overcome. Gaps and exploits have to be found and, ultimately, they also have to work.

The technical defenses that companies put in place today to fend off cyberattacks are relatively strong. As a result, it is quite difficult for cybercriminals to overcome these systems and get inside a company’s IT. In order to still reach their target, hackers have to find alternative means of attack. In this context, people are targeted and serve as an ideal gateway: compared to technical defense, hardly any investment is made in the human factor.

The human factor as a security risk

Cybercriminals are aware of this security risk. They exploit it and target a company’s employees. This can happen directly, through a personal phone call, or indirectly, through an e-mail.

Also interesting: In its recently published study, Bitkom confirms that a large number of attacks start with social engineering. 41 percent of the companies surveyed said that such attempts had been made: 27 percent of respondents were contacted by phone and 24 percent by e-mail.

However, the goal is always the same. The hacker wants to gain access to sensitive data, documents and information (e.g. login information or bank data) or to induce a certain action (e.g. the transfer of a sum of money)*.

Why does social engineering work?

This is easy to explain. Cybercriminals use familiar methods to manipulate people. Social engineering is something we encounter almost every day, be it in dealings with friends, family members or even strangers. With rhetorical means or various psychological approaches, people can be deliberately guided and motivated to display a certain behavior. Social engineering can be described as a psychological weapon.

For more information on how human behavior is influenced in the course of social engineering, you can read here.

To do this, the target must be addressed in a specific way. Depending on their character, different incentives work on different people. For example, one employee reacts particularly to flattery, another to special appreciation, and yet another to pressure. With the right stimuli, cybercriminals can influence people to deliver the desired result.

Phishing, the most widespread form of social engineering

In IT security, social engineering can take many very different forms. Alongside pretexting, tailgating and CEO fraud, phishing** is one of the most widespread types.

In phishing, cybercriminals try to obtain sensitive and confidential information using e-mails, fake websites or other methods. Phishing also involves employees being addressed more or less personally. Phishing campaigns are particularly successful if the content of the phishing e-mail is tailored to the recipient or if the reader feels personally addressed. According to a study by the U.S. company Proofpoint, the following lures worked particularly well in 2020/2021:

  1. Phishing campaigns targeting Corona, COVID-19 and related health alerts.
  2. Phishing campaigns informing about software used in the company, e.g. Microsoft Exchange or Outlook.
  3. Phishing campaigns offering employee benefits, e.g. a free month at Netflix, or coupons at Amazon and Starbucks.

The last few months show it clearly: the threat of phishing attacks is steadily increasing. According to the ENISA report, the number of phishing attacks via e-mail increased by more than 600 percent within one month in the early 2020s. Perseus can also confirm that phishing attacks are on the rise. A study published by Perseus in late summer 2020 shows that more than half of the cyberattacks in 2020 were due to phishing.

How do companies protect their employees?

Sustainable protection against social engineering and phishing attacks, among others, requires a long-term cybersecurity concept. A company should invest in the “human firewall” with the same resources it devotes to technical defense. Perseus offers such an awareness package. With extensive online training, useful hints and tips and, above all, automated phishing e-mail simulations, employees are specifically sensitized to attack patterns and trained in dealing with phishing e-mails. As a result, the level of cybersecurity in the company is noticeably raised.

* Source: Current survey by Bitkom | August 2021.
** The term phishing here also includes subtypes such as spear phishing, voice phishing/vishing, smishing, social media attacks, business email compromise, etc.