
Nikolas Rösener
Security Expert
- cyber-security@ohb-ds.de
- 0421220950
Social engineering is an important term not only in today's digital world, but also at home. It is about how attackers exploit the weaknesses and trust of people/employees instead of relying on technical tricks and security loopholes to achieve their goals.
New challenges: IT specialists today must not only implement technical security measures, but also develop a deep understanding of the psychological aspects of social engineering. In this article, we will take a closer look at social engineering, clarify what exactly it means and why it is so relevant.
To understand social engineering, it is crucial to clearly define the term: Social engineering refers to getting people to disclose confidential information, perform actions or make decisions that are usually against their own interests or the interests of their organization. Many types of social and psychological manipulation are used. The attacker often wants to exploit the human characteristics of his victim, such as fear, respect for authority figures, trust and willingness to help.
This manipulation can take many forms, from seemingly harmless SMS or messenger messages in which the attacker pretends to be a family member to beg for money from the victim, to the sophisticated infiltration of large corporations through methods such as phishing. Between these two extremes, there is a wide range of tactics and techniques used by attackers to gain access to sensitive data.
According to a G Data CyberDefence AG survey conducted in 2023, 48% of all companies surveyed were attacked by social engineering. These attacks were mainly carried out by telephone or email. In addition, attempts are also made to gain access to internal company data in private environments or professional networks. According to the Federal Ministry for Information and Security, 66% of all spam emails were attempted cyberattacks.[1]
As already explained in the definition, social engineering attacks can take many forms. In general, they can be divided into two main categories, with a third, less common category:
- Without technical elements (human-based)
- With technical elements (computer-based)
- Victim voluntarily approaches attacker
Nowadays, the two larger categories of human-based and computer-based social engineering are increasingly merging. In the following, the categories most frequently encountered in the business world are explained, and strategies for mitigating these attacks are also outlined.
Phishing is considered the most widespread method of social engineering, and almost everyone has seen at least one phishing email in their inbox. In this technique, a malicious actor sends emails that contain malicious attachments or redirect recipients to dangerous websites.
There is now a wide range of phishing variants, from classic spam phishing to highly specialized forms such as whaling, spear phishing or even quishing (QR code phishing), to name but a few. Despite its widespread use, the threat of phishing should by no means be underestimated, as well-executed phishing campaigns are often crowned with great success for the attackers. At this point, it is important to realize that it is enough for just one person in the company to fall for a phishing email.
This technique targets individuals who are active on online dating platforms or social media, for example. The attacker creates fake identities by setting up fake profiles in order to befriend the target person over a longer period of time. The attacker then exploits the "basis of trust" built up in this way to trick the victim into installing malware, transferring money or disclosing confidential company information.
To protect yourself from this tactic, it is vital to create a strong awareness of online security and privacy and to be careful not to give out personal information and financial details lightly.
Baiting is a form of social engineering attack in which the attacker makes false promises in order to trick the victim into disclosing personal data or installing malware.
The baiting method is often initiated by tempting ads or emails, which often take the form of offers for free movie downloads, updates, games and the like. If the victim falls for this deception and enters their password for platforms such as Amazon, for example, the attacker has access to this sensitive data and can misuse it for their own purposes.
Baiting is not limited to the online world; there is also a physical variant where a malware-infected flash drive is given to the victim. As soon as this is connected to the computer, the malware on the drive is automatically installed.
To protect yourself from online baiting, it is strongly recommended that you always keep a critical eye on advertisements and tempting offers. When baiting offline, it is particularly important to never connect flash drives from unknown sources to minimize the risk of malware infection. Raising employee awareness and training in relation to such scams is also recommended.
Diversion theft is a multi-layered cyberattack that originally started offline but is now taking on online variants. This type of attack aims to distract or redirect the victim while carrying out criminal activities.
In offline diversion theft, the attacker manipulates physical events. For example, a thief may convince a courier to pick up a package at the wrong location, deliver the wrong package or deliver a package to the wrong recipient. The diversion usually takes place in the real world and the damage can be significant.
In the online version of diversion theft, the attacker uses tactics to steal confidential information from the victim. The attacker tricks the user into sending this information to the wrong recipient by cleverly using distractions and misdirection, and often poses as a known or trusted source to deceive the victim. This is frequently done by spoofing.
To protect against diversion theft, it is crucial to be vigilant and suspicious, especially of unexpected distractions or communications from supposedly trusted sources. Training employees in online safety, implementing strong security policies and raising awareness of the risks of spoofing are essential defenses against this threat.
Pretexting is a form of social engineering in which the attacker invents clever scenarios or pretexts to persuade the target to disclose sensitive data.
The attacker can assume the role of an authority figure (such as lawyers, law enforcement agencies or tax consultants) or pretend to be interested in the target (such as talent scouts or event organizers). In this context, the attacker would explain plausible reasons to the victim and ask targeted questions to gain additional information. This collected data is used to employ other techniques to obtain even more sensitive information or even gain access to the victim's personal accounts.
Increased vigilance plays a key role in protecting against pretexting attacks. Above all, this means not disclosing personal or sensitive information carelessly and carefully verifying the identity of people who request such information. Raising employee awareness and training in relation to social engineering are very important here.
Business Email Compromise (BEC) is a sophisticated social engineering tactic in which the attacker cleverly pretends to be a trusted executive who is authorized to direct activities related to a company's financial affairs, for example.
In this attack scenario, the fraudster carefully observes the executive's behavior over a longer period of time and creates a fake email account using spoofing techniques. The attacker then uses this fake identity to send targeted emails to the executive's employees. In these fake messages, recipients are instructed to make bank transfers, change bank details and carry out other financial transactions.
BEC attacks can result in serious financial losses for organizations. Unlike other cyber fraud methods, BEC attacks do not necessarily rely on malicious URLs or malware that can be intercepted by traditional cybersecurity tools such as firewalls or endpoint detection and response (EDR) systems. Instead, BEC attacks are based on an intimate knowledge of the victim's personal behavior. This makes them particularly insidious as they are often harder to monitor and detect, especially in large organizations.
The threat of BEC attacks underscores the need for employee training and awareness, as well as the implementation of effective monitoring and security policies to minimize the impact of this fraud method.
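The BEC pattern described above (an executive's name on a sender address that is not the executive's real mailbox, a lookalike domain, or a diverted Reply-To, combined with a request for a bank transfer) can be turned into a simple monitoring check. The following is an added example written for this article, not code from OHB Digital Services; the executive name, the internal domain example.com and the three messages are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed placeholders: the internal domain and executive mailbox are made up.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("bank transfer", "wire", "iban", "change bank details", "urgent payment")


def normalize_domain(domain):
    """Undo common character swaps used to build lookalike domains (rn->m, 0->o, 1->l, vv->w)."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")):
        d = d.replace(fake, real)
    return d


def assess_bec(headers, body):
    """Return the list of reasons a message looks like executive impersonation (empty = clean)."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    name = display.strip().lower()
    # Display name claims an executive, but the address is not that executive's real mailbox.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{display}' claims an executive but address is {addr}")
    # External domain that collapses to the internal domain once lookalike swaps are undone.
    if domain != INTERNAL_DOMAIN and normalize_domain(domain) == INTERNAL_DOMAIN:
        reasons.append(f"lookalike sender domain {domain}")
    # Replies silently redirected to a mailbox other than the visible sender.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # A financial instruction only matters if the sender identity is already suspicious.
    hits = [w for w in PAYMENT_WORDS if w in body.lower()]
    if hits and reasons:
        reasons.append("requests financial action: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one lookalike-domain BEC, one legitimate mail, one freemail BEC.
SAMPLES = [
    ({"From": "Jane Doe <jane.doe@exarnple.com>"},
     "Please make a bank transfer of 48,000 EUR today, I am in a meeting."),
    ({"From": "Jane Doe <jane.doe@example.com>"}, "Reminder: team lunch on Friday."),
    ({"From": "Jane Doe <ceo.jane@freemail.invalid>", "Reply-To": "ceo.jane@freemail.invalid"},
     "Change bank details for supplier X to the attached IBAN."),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(headers["From"], "->", assess_bec(headers, body) or "no findings")
```

Such a check complements, rather than replaces, SPF/DKIM/DMARC enforcement and a payment process that verifies transfer requests out of band.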
The quid pro quo attack is a social engineering tactic in which the attacker pretends to provide a positive service for the victim, often in connection with supposed IT problems that are supposed to be fixed, such as poor internet connections or security updates.
If the victim responds to this supposedly helpful gesture, the attacker often requests the "necessary" credentials to fix the supposed problem. Once the victim has provided this information, the attacker uses it to intercept data or even infect the network with malware. There is also the possibility that the malicious actor will use this access to apply further social engineering techniques with a much better chance of success.
In order to mitigate this method, comprehensive knowledge of social engineering is crucial for all employees. In addition, clear guidelines and policies should be established that prohibit the disclosure of login data, even to supposed IT support staff.
SMS phishing, also known as smishing, is a form of phishing attack in which the fraudster attempts to trick the victim into following a malicious link via SMS. As this is a special variant of phishing, similar precautions apply as with conventional phishing attacks, which were discussed previously.
Tailgating, also known as "piggybacking", is a physical form of intrusion into company premises. In this method, the attacker often lurks at secured entrances, expecting an employee to open the door with their access credentials, thereby knowingly or unknowingly letting the intruder in. Methods for doing this often include pretending to have forgotten the access chip or similar authorization at home. Alternatively, the attacker can simply say: "Wait a minute, I need to get in too!" in the hope of enticing the employee to hold the door open for the intruder for a moment.
After a successful intrusion, there are numerous opportunities for the attacker not only to explore the building, but also to steal more sensitive documents, compromise the company network, attempt to install malware and much more.
To prevent this method of intrusion, it is essential to provide appropriate training and awareness for all employees, highlighting the dangers.
Social engineering is not a new phenomenon; deceiving people by pretending to want good things in order to exploit trust has existed since the dawn of civilization. In modern times, however, the acceleration of our communication and especially the increase in non-personal communication has brought this type of deception even more to the fore.
A vivid example of social engineering is Robin Sage, a fictional character created by security expert Thomas Ryan in December 2009. This experiment resembled a honeypot attack. Ryan created several profiles on social media platforms using the fictitious identity and made targeted contacts, primarily with security experts, military personnel, intelligence agency employees and defense agencies.
Despite the false profile, Robin Sage received offers for consultancy work, including from companies such as Google and Lockheed Martin. Over a period of two months, Thomas Ryan managed to obtain email addresses, bank details and even location information of secret military bases.
In its report "The State of IT Security in Germany 2023", the German Federal Office for Information Security describes the possibility of using generative artificial intelligence (GKI, from the German "Generative Künstliche Intelligenz") in the field of social engineering.[1] GKI models designed to generate human-like texts or even voices enable attackers to create even more convincing and customized deceptions.
With GKI, social attacks can be taken to a new level. Malicious actors can create personalized phishing emails, fraudulent phone calls or fake social media profiles based on the individual characteristics of their potential victims. This can make fraudulent activity more difficult to detect and reduce the effectiveness of security training.
The impact of this technology on cyber security requires increased attention and proactive measures. Organizations must constantly update their security infrastructures to be prepared for the advancing capability of GKI in social engineering scenarios. Additionally, it is critical to raise employee awareness of this specific threat to ensure a better defense against such attempts at deception.
Attackers use human vulnerabilities in social engineering, such as the desire to solve things quickly and easily in order to achieve their goals. This makes this type of attack particularly difficult to thwart reliably.
In order to protect yourself as effectively as possible against this threat, a number of protective measures should be implemented:
Due to its complexity and the human attack vector, social engineering is generally considered to be difficult to defend against one hundred percent in the IT security industry. Nevertheless, the measures discussed in the article and thorough awareness training for all employees can significantly reduce the likelihood of a successful attack.
Social engineering attacks do not necessarily have to be extensive, but can also be launched within a few minutes. Furthermore, a successful attack usually opens the door to even more serious attacks.
If you discover that your company has been the victim of a social engineering attack, quick action is crucial - time is precious. Report the incident immediately to your internal security incident contact point and don't be afraid to involve your internal and possible external experts to take appropriate action quickly.
If you need external insight, our IT security experts are available for a free initial consultation. We will be happy to help you assess the situation and take appropriate action.
In the first step, the topic of social engineering is developed in collaboration with the audience. This involves the various types of social engineering and raising awareness of the topic.
Once the foundation for the topic has been laid, a brief description of the current threat situation in social engineering and how professionally attackers are now proceeding follows.
Social engineering is then demonstrated using the example of a phishing attack. The following four attack steps of the "cyber kill chain" are examined
Finally, we will talk in detail about countermeasures and how you can better protect yourself against social engineering attacks in the future.
Use the knowledge from space travel for your business. OHB Digital Services GmbH has been a reliable partner for secure & innovative IT solutions for many years. We are part of one of the most successful space and technology companies in Europe. With our products and services, we support you in the digitalization of your business processes along the value chain and in all security-related issues. Please feel free to contact us.
[1] Federal Office for Information Security (BSI): The State of IT Security in Germany in 2023, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2023.pdf.
OHB Digital Services GmbH
Konrad-Zuse-Str. 8
28359 Bremen