What is social engineering?

From a seemingly harmless text message to a complex phishing campaign - how attackers exploit the weaknesses and trust of employees to achieve their goals.

Social engineering is an important term not only in today's digital working world, but also in private life. It describes how attackers exploit the weaknesses and trust of people, often employees, instead of relying on technical tricks and security loopholes to achieve their goals.

New challenges: IT specialists today must not only implement technical security measures, but also develop a thorough understanding of the psychological mechanisms that social engineering relies on. In this article, we take a closer look at social engineering, clarify what exactly it means and why it is so relevant.

Definition of social engineering

To understand social engineering, it is crucial to define the term clearly: social engineering refers to manipulating people into disclosing confidential information, performing actions or making decisions that usually run against their own interests or those of their organization. Many forms of social and psychological manipulation are used. Attackers typically exploit human traits of their victims, such as fear, respect for authority figures, trust and the willingness to help.

This manipulation can take many forms, from a seemingly harmless SMS or messenger message in which the attacker pretends to be a family member asking the victim for money, to the sophisticated infiltration of large corporations through methods such as phishing. Between these two extremes lies a wide range of tactics and techniques that attackers use to gain access to sensitive data.

Social engineering attacks

According to a survey conducted by G Data CyberDefence AG in 2023, 48% of the companies surveyed had been attacked by social engineering, mainly by telephone or email. Attackers also try to obtain internal company data through private environments or professional networks. According to the Federal Office for Information Security (BSI), 66% of all spam emails were attempted cyber attacks.1

As already explained in the definition, social engineering attacks can take many forms. In general, they can be divided into two main categories, with a third, less common category:

1. Human-based social engineering: without technical elements, for example a phone call, a visit in person or a conversation at an event.

2. Computer-based social engineering: with technical elements, for example email, websites, messaging services or social media.

3. Reverse social engineering: the victim approaches the attacker of their own accord, typically after the attacker has created or announced a problem and presented themselves as the person who can solve it.

In practice, the two larger categories of human-based and computer-based social engineering increasingly overlap. In the following, the variants most frequently encountered in the business world are explained, together with strategies for mitigating them.

Phishing is considered the most widespread social engineering method; almost everyone has seen at least one phishing email in their inbox. The attacker sends emails that carry malicious attachments or lead recipients to attacker-controlled websites, usually to harvest credentials or deliver malware.

A wide variety of phishing variants now exist, ranging from classic mass phishing to highly targeted forms such as spear phishing (aimed at a specific person), whaling (aimed at executives) or quishing (phishing via QR codes), to name but a few. Despite its familiarity, the threat should by no means be underestimated: well-executed phishing campaigns frequently succeed. It is important to realize that a single employee falling for a phishing email is enough to give the attacker a foothold in the company.

This technique, commonly called a honey trap, targets individuals who are active on online dating platforms or social media, for example. The attacker creates fake profiles under an invented identity in order to befriend the target over a longer period of time. The attacker then exploits the "basis of trust" built up in this way to trick the victim into installing malware, transferring money or disclosing confidential company information.

To protect yourself from this tactic, it is crucial to maintain a strong awareness of online security and data protection and not to disclose personal information, work details or financial details carelessly to contacts you have never met in person.

Baiting is a form of social engineering attack in which the attacker uses a false promise to trick the victim into revealing personal information or installing malware.

Online baiting is usually initiated by enticing ads or emails, often in the form of offers for free movie downloads, updates, games and the like. If the victim falls for the deception and, for example, enters their credentials for a platform such as Amazon on the attacker's page, the attacker has access to this sensitive data and can misuse it for their own purposes.

Baiting is not limited to the online world; there is also a physical variant in which a malware-infected flash drive is handed to the victim or left where it will be found. Once the drive is connected, the malware can run: modern operating systems no longer auto-run removable media by default, but the drive may carry enticingly named files that the victim opens, or it may be a device that emulates a keyboard and types commands as soon as it is plugged in.

To protect yourself from online baiting, always keep a critical eye on advertisements and tempting offers. Against offline baiting, it is particularly important never to connect flash drives from unknown sources; organizations can additionally restrict the use of removable media on company devices. Raising employee awareness of such scams through training is also recommended.

Diversion theft is a multi-layered attack that originated offline but now also has online variants. Its aim is to distract or divert the victim while the criminal activity is carried out.

In offline diversion theft, the attacker manipulates physical events. For example, a thief may convince a courier to pick up a package at the wrong location, hand over the wrong package or deliver a package to the wrong recipient. The diversion takes place in the real world, and the damage can be significant.

In the online version of diversion theft, the attacker's goal is to steal confidential information from the victim. Using distraction and misdirection, the attacker tricks the user into sending this information to the wrong recipient. The attacker usually poses as a known or trusted source, typically by spoofing the sender address or display name.

To protect against diversion theft, it is crucial to remain vigilant and suspicious, especially of unexpected distractions or of requests from supposedly trusted sources to change where information or goods are sent. Training employees in online safety, implementing strong security policies and raising awareness of the risks of spoofing are essential defenses against this threat.

Pretexting is a form of social engineering in which the attacker invents a plausible scenario or pretext to persuade the target to disclose sensitive data.

The attacker may assume the role of an authority figure (such as a lawyer, a law enforcement officer or a tax adviser) or pretend to be interested in the target (such as a talent scout or event organizer). Within this role, the attacker offers plausible reasons for the contact and asks targeted questions to gather additional information. The collected data is then used in further techniques to obtain even more sensitive information or to gain access to the victim's personal accounts.

To protect yourself against pretexting attacks, increased vigilance plays a central role. Above all, this means not disclosing personal or sensitive information carelessly and verifying the identity of anyone who requests such information through a channel you control, for example by calling back on a published number. Raising employee awareness of social engineering through training is very important here.

Business Email Compromise (BEC) is a sophisticated social engineering tactic in which the attacker poses as a trusted executive who is authorized to direct activities related to a company's financial affairs, for example.

In this attack scenario, the fraudster observes the executive's communication style and habits over an extended period of time and then impersonates them, either by spoofing the display name, by registering a lookalike domain or address, or by taking over the executive's real mailbox. The attacker then uses this identity to send targeted emails to the executive's employees. In these messages, recipients are instructed to make bank transfers, change supplier bank details or carry out other financial transactions, usually under time pressure and with a request for discretion.

BEC attacks can result in serious financial losses for organizations. Unlike many other cyber fraud methods, BEC attacks do not necessarily rely on malicious URLs or malware that traditional security tools such as firewalls or endpoint detection and response (EDR) systems can intercept. Instead, they are based on intimate knowledge of the victim's behavior and on a plain-text request that looks legitimate. This makes them particularly insidious, as they are often more difficult to monitor and detect, especially in large organizations.

The risk of BEC attacks underscores the need for employee training and awareness, as well as effective monitoring and security policies: enforcing sender authentication (SPF, DKIM and DMARC) for the company's own domain, flagging external mail that carries an internal display name, and requiring that any change of bank details or unusual payment be confirmed over a second channel, such as a call to a known phone number.
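The indicators described for phishing and BEC above can be checked mechanically before a message reaches a mailbox. The following Python script is an added example written for this article, not code from the original page or from OHB Digital Services; the corporate domain example.com, the executive list, the keyword list and the two sample messages are constructed assumptions. It flags an executive's display name on a foreign address, a lookalike sender domain (confusable characters or a one-character typo), a Reply-To that redirects answers elsewhere, and payment or urgency language.

```python
"""Heuristic triage of an inbound email for Business Email Compromise (BEC)
indicators. Added example for this article; the domain, executive list,
keyword list and sample messages are constructed, not real data."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's mail domain and its executives' real addresses,
# keyed by lower-cased display name as an attacker would render it.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording typical of BEC payment fraud (assumed list, extend per organisation).
URGENCY = re.compile(
    r"\b(urgent|immediately|wire transfer|bank details|confidential|gift cards?)\b", re.I
)


def normalize_domain(domain: str) -> str:
    """Fold characters attackers swap for visually similar ones (rn->m, 0->o, 1/i->l)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans({"0": "o", "1": "l", "i": "l"}))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if `domain` is not ours but is built to look like ours."""
    if domain == CORPORATE_DOMAIN:
        return False
    if normalize_domain(domain) == normalize_domain(CORPORATE_DOMAIN):
        return True
    own = CORPORATE_DOMAIN.split(".")[0]
    name = domain.split(".")[0]
    # One-character typo in the registrable name, or our name embedded in theirs
    # (example-payments.com, example.com.attacker.net).
    return edit_distance(name, own) <= 1 or own in name


def bec_indicators(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message; empty means no indicator."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []

    # 1. Display-name spoofing: an executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender != expected:
        findings.append(f"display name '{display_name}' impersonates an executive from {sender}")

    # 2. Lookalike sender domain (confusable characters or typosquat).
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles {CORPORATE_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"replies are redirected to {reply_to}")

    # 4. Payment or urgency language in subject and body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    subject = str(msg.get("Subject", ""))
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(subject + " " + text)})
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-fast.example.net
To: accounts@example.com
Subject: Urgent: change of bank details for supplier payment

Hi, I am in a meeting and cannot take calls. Please process the
wire transfer today and update the supplier's bank details.
Keep this confidential until I am back.
"""

SAMPLE_OK = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Agenda for Thursday

Attached is the agenda for the quarterly review.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

Such heuristics complement, but do not replace, SPF, DKIM and DMARC enforcement and the out-of-band verification recommended above: a BEC message sent from a genuinely compromised executive mailbox passes every sender check here and is caught only by the process rule that payment changes need confirmation over a known phone number.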

The quid pro quo attack is a social engineering tactic in which the attacker offers the victim a supposedly helpful service, often in the context of IT problems that allegedly need fixing, such as a poor internet connection or a pending security update.

If the victim accepts this supposedly helpful gesture, the attacker requests the "necessary" credentials to fix the alleged problem. Once the victim has disclosed them, the attacker uses the access to exfiltrate data or to infect the network with malware. The attacker may also use this foothold to apply further social engineering techniques with a much higher chance of success, since requests now appear to come from inside the company.

To mitigate this method, all employees need a solid understanding of social engineering. In addition, clear policies should prohibit the disclosure of login credentials to anyone, including supposed IT support staff; genuine support never needs a user's password.

SMS phishing, also known as smishing, is a variant of phishing in which the fraudster tries to trick the victim into following a malicious link sent via SMS or a messenger service. As a special form of phishing, it calls for the same precautions as the conventional phishing attacks discussed above.

Tailgating, also known as "piggybacking", is a physical form of intrusion into company premises. The attacker lingers at a secured entrance and waits for an employee to open the door with their access credentials, letting the intruder in knowingly or unknowingly. A common pretext is claiming to have forgotten the access badge at home. Alternatively, the attacker can simply say "Wait a minute, I need to get in too!" in the hope that the employee holds the door open for a moment.

After a successful intrusion, the attacker has numerous opportunities: exploring the building, stealing sensitive documents, plugging devices into the corporate network, installing malware on unattended workstations and much more.

To prevent this method of intrusion, it is essential to provide appropriate awareness training for all employees that highlights the dangers, combined with clear rules that every person badges in individually and that unknown visitors are escorted.

Social engineering example

Social engineering is not a new phenomenon; deceiving people by feigning good intentions in order to exploit their trust has existed since the dawn of civilization. In modern times, however, the acceleration of communication and, above all, the increase in non-personal communication has brought this type of deception even more to the fore.

A vivid example of social engineering is Robin Sage, a fictional character created in December 2009 by security expert Thomas Ryan. The experiment resembled a honeypot. Ryan created several social media profiles under this fictitious identity and made targeted contact primarily with security experts, military personnel and staff of intelligence and defense agencies.

Despite the fake profile, Robin Sage received offers of consultancy work from companies such as Google and Lockheed Martin. Over a period of two months, Thomas Ryan obtained email addresses, bank details and even location information about secret military bases.

New trends in social engineering

In its report "The State of IT Security in Germany 2023", the Federal Office for Information Security (BSI) describes the use of generative artificial intelligence in social engineering.1 Generative models that produce human-like text or even voices enable attackers to create more convincing and individually tailored deceptions.

With generative AI, social engineering attacks can be taken to a new level. Malicious actors can produce personalized phishing emails, fraudulent phone calls with cloned voices or fake social media profiles based on the individual characteristics of their potential victims. Classic warning signs such as poor grammar or generic wording disappear, which makes fraudulent activity harder to detect and reduces the effectiveness of security training that relies on spotting them.

The impact of this technology on cyber security requires increased attention and proactive measures. Organizations must keep their security infrastructure up to date to be prepared for the advancing capabilities of generative AI in social engineering scenarios. In addition, it is critical to raise employee awareness of this specific threat and to shift verification away from "does it look genuine?" towards "has it been confirmed through a second channel?".

Protective measures against social engineering

Social engineering attackers exploit human tendencies, such as the desire to resolve things quickly and easily, to achieve their goals. This makes this type of attack particularly difficult to thwart reliably.

To protect against this threat as effectively as possible, a number of protective measures should be implemented:

  • Never share confidential information about your employer or your work, even in private.
  • Reputable companies and IT departments never ask for access data or passwords to be passed on by email, phone or chat.
  • Treat requests from strangers with healthy suspicion and a sense of responsibility. Always consider whether your actions could be misused by third parties.
  • Be extremely careful with emails. If you suspect that a message does not come from a reputable source, inform your internal or external security officer immediately.
  • If a message demands an urgent response or shows other anomalies, verify it by calling the sender on a number you already know, never on a number given in the message itself.
  • Create a shared awareness of the need to combat social engineering. If an attack occurs, it must be reported immediately. False shame is out of place here, and management should communicate this clearly. To err is human, but an undetected attack can be devastating.

Due to its complexity and its human attack vector, social engineering is generally regarded in the IT security industry as impossible to defend against completely. Nevertheless, the measures discussed in this article, combined with thorough awareness training for all employees, can significantly reduce the likelihood of a successful attack.

Frequently asked questions on the topic of "social engineering"

Social engineering attacks do not necessarily have to be elaborate; some are launched within a few minutes. Furthermore, a successful attack usually opens the door to more serious follow-on attacks.

If you discover that your company has been the victim of a social engineering attack, quick action is crucial: time is precious. Report the incident immediately to your internal security incident response team and do not hesitate to involve internal and, if necessary, external experts so that appropriate action can be taken quickly.
If you need external insight, our IT security experts are available for a free initial consultation. We will be happy to help you evaluate the situation and take appropriate steps.

In the first step, the topic of social engineering is developed together with the audience: the various types of social engineering and how to recognize them.

Once this foundation has been laid, the current threat situation is briefly described, including how professionally attackers now operate.

Social engineering is then shown in concrete terms using the example of a phishing attack. The following four attack steps of the "cyber kill chain" are examined:

  • Reconnaissance (information gathering about the target)
  • Enumeration (selection of social engineering techniques)
  • Exploitation (execution of the attack)
  • Lateral movement (consolidation of the access gained)
Finally, we will talk in detail about countermeasures and how you can better protect yourself against social engineering attacks in the future.

1 Cf. Die Lage der IT-Sicherheit in Deutschland 2023, Bundesamt für Sicherheit in der Informationstechnik, n.d., https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2023.pdf.
