Why bother with overcoming technological hurdles, when the path to a company can also lead through its employees? Many hackers might think that way or similarly. Because the fact is: For cyber criminals it is becoming increasingly difficult to hack into foreign systems due to the ever-improving technical defense systems of companies. The manipulation of an employee or a customer seems much easier in comparison.
This kind of exploitation of human vulnerabilities has become known as social engineering. More precisely, it is about tricking people with sophisticated methods, hiding the real identity and intent of the fraudster. However, social engineering is not new: people have been manipulated in the past, for example over the telephone. But the Internet is opening up tons of new, even easier opportunities for fraud.
What strategy are perpetrators pursuing in social engineering?
The intentions that the perpetrators pursue with social engineering can be of a very different nature: while one tries to get inside knowledge of the company, the next might want to put malware into circulation and yet another will try to have employees transfer money.
The cybersecurity company Proofpoint regularly publishes a study called "The Human Factor". In the current version of 2018, the security experts summarize how the victims of social engineering are usually tricked:
- The perpetrators create a sense of urgency.
- The perpetrators imitate trusted brands.
- The perpetrators abuse the natural curiosity of people.
- The perpetrators exploit memorized reactions to frequent events such as software updates.
Of course, the success of social engineering depends in large part on the fraudsters' approach. Large-scale, general-purpose campaigns are usually easier for victims to detect than attempts to commit frauds that are specific to a few or even a single employee – exceptions here confirm the rule.
How do you recognize social engineering in everyday work?
You can probably guess it already: There is no single social engineering scam. Instead, a variety of threats aimed at exploiting the human error of employees and customers lurk in the digital business world.
We have already pointed out the great danger posed by phishing in our Email Security White Paper. Faking emails or URLs as true as possible to the original in order to get passwords, payment information or other sensitive data of a user or company has been the most commonly used tactic in 2018, with more than 210 million known cases, according to a study by Trend Micro. Last but not least, spear phishing, which is even more individualized and targeted, is likely to have an influence on this development.
The goal of CEO Fraud, a variation on classic phishing, is to manipulate a company's employees to transfer money to a fraudster in good faith. The perpetrators pose as a manager, divisional director or the like in an email and pretend to need money for a valid reason as soon as possible – specifying a wrong bank account of course. So far, CEO frauds are said to have caused more than $3 billion in damage, according to the SEO Fraud Prevention Manual.
Of course, the social web also provides cybercriminals with a suitable platform for harming businesses. With so-called angler phishing, scammers intercept communication between users and businesses to gain access to trusted information. You wonder how that works? The perpetrators pretend to be a corporate account and redirect the conversation to their fake profile. Of course, angler-phishing primarily affects the user, but it also represents a major danger for companies: they will suffer from damages to their trust, image and revenue losses.
When entering a domain, a typo can easily sneak in – that's only human after all. However, some cybercriminals shamelessly exploit this kind of "wrongdoing." Typosquatting is the social engineering scam in which scammers register domains that consider likely typos or alternative spellings of well-known domains in order to direct users to their website. Not infrequently, these fake domains spread malware, phish for sensitive data, or pursue other criminal purposes. That's why they are often part of phishing emails. Often the fraudsters use typosquatting to fake email addresses. The threat to businesses lies not only in the loss of trust, image and revenue, but also in the potential deception of their employees through typosquatting domains and emails.
Of course, the four types of scams are just a small selection of today's social engineering possibilities. Due to technological progress in particular, companies are constantly being exposed to new forms of social engineering. So caution is the top priority.
Measures against social engineering
The question remains as to how companies can protect themselves from social engineering. Training employees certainly is a good start. In accordance with the basic rules of the German Federal Office for Information Security, we recommend providing your staff with the following know-how:
- Confidential information, such as passwords or bank details, must never be disclosed by email or telephone.
- If there is uncertainty as to whether an embezzler is hiding behind an email, the motto is: better not to react than to fall for the scam. In an important case, the sender will try to contact you through another route.
- In the case of supposedly urgent emails, it is advisable to check the authenticity of the sender by telephone.
- Neither personal nor business information should be shared on social media as it could be misused for deceptive purposes.
- Conspicuous incidents must be reported immediately to the IT department.
In addition, as a company, you have the following options:
- Encrypt and sign your email communication digitally, for example via S/MIME certificates, thus protecting yourself from phishing of various kinds.
- Register potential typo-domains yourself and redirect them to your website to avoid the dangers of typosquatting.
- Always keep an eye on social media fake accounts and report them to avoid angler phishing and social web threats.
- And last but not least, live up to the desired cyber-security awareness yourself.