[Image: office building from which digital data streams flow into a drain, symbolising data loss in companies]

Social Engineering: A Part of Our Everyday Life

Many people enjoy manipulating others to gain an advantage in a situation. This can serve various purposes, such as avoiding or assuming responsibility, marketing a product, winning elections, or obtaining information. Manipulation is omnipresent, and almost everyone uses it, whether consciously or unconsciously. Methods of manipulation have evolved with societal changes and with advances in technology. Sometimes, manipulation occurs in a socially appropriate and permissible manner. More often than not, however, it goes too far, and manipulation turns into an attack. It is important to recognise such attacks and to protect ourselves against them.

Social Engineering

An example of such an attack is known as social engineering. This is one of the most common modern methods used to acquire sensitive information through targeted manipulation. Attackers attempt to gain critical information by appealing to our softer human qualities. This can be done by exploiting helpfulness, fear, urgency, or respect for authority. Social engineering generally follows a certain pattern:

  • Information Gathering:
    First, information about the target person is collected using public and freely accessible sources to create a better profile. This can include details about the employer; names of supervisors; the number of employees; the general company structure and individual roles; work routines; social media activities and related locations and actions.
  • Establishing Contact:
    Next, contact is made with the target person, typically via telephone or e-mail.
  • Impersonation and Legitimacy:
    Once contact is established, the attacker pretends to be someone with a seemingly legitimate reason to request critical information. Typical examples include an administrator needing a password, a service provider requiring access to systems, a government official requesting information, or a supervisor quickly assigning a task. The attacker may create a sense of urgency and use technical jargon to make the situation seem critical.
  • Exploitation:
    The target person might be asked to run certain programmes that allegedly help resolve a problem or instructed to make a payment or change stored account details.
  • Continuous Attack:
    Even if the attacker fails with an individual person, the attack is not necessarily over. Often, small pieces of information are unintentionally revealed during individual attempts, which can be useful for the attacker in subsequent attempts. The information gathered can become so detailed that the attacker can build a convincing story.

Phishing E-mails and Spear Phishing

Instead of making the effort to gather a lot of information about a target through individual phone calls or e-mails, an attacker can simply send a large number of impersonal e-mails. Such mass-sent messages are known as phishing e-mails. To the trained eye they are often recognisable as attack attempts, especially when recipients are aware of phishing risks. Typical characteristics of phishing e-mails include:

  • Many spelling errors.
  • The sender's name does not match the sender's domain.
  • The sender's domain is oddly constructed.
  • The e-mail contains suspicious attachments (e.g., executable files like .exe, .scr, or outdated Word file formats).
  • The e-mail comes from an unknown sender and has an irrelevant subject matter.
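
The characteristics above (apart from spelling errors) can be checked mechanically at the mail gateway or in a mailbox rule. The following is an added example, not code from the original post or from DSN: it parses a raw message with Python's standard `email` module and reports the three indicators that can be derived from headers and attachments. The sample messages, the threshold values (`MAX_LABELS`, `MAX_HYPHENS`) and the extension list are assumptions constructed for this example; the extension list mirrors the formats the post names (.exe, .scr, legacy Word).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions treated as suspicious: executables, screensavers and
# the legacy (macro-capable) Word formats named in the post. Constructed list.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".doc", ".dot"}

# Hypothetical thresholds for an "oddly constructed" sender domain.
MAX_LABELS = 3    # e.g. a.b.c.d.example has too many DNS labels
MAX_HYPHENS = 1   # e.g. secure-login-bank-verify.example

# Matches something that looks like a domain inside a display name.
DOMAIN_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)


def sender_parts(msg):
    """Return (display name, address, domain) from the From: header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def name_domain_mismatch(name, domain):
    """True when the display name names a domain or address that is not the real sender domain."""
    return any(found.lower() != domain for found in DOMAIN_RE.findall(name))


def odd_domain(domain):
    """Heuristic for an oddly constructed domain: too many labels, many hyphens, or digits in the name part."""
    labels = domain.split(".")
    name_part = domain.rsplit(".", 1)[0]
    return (len(labels) > MAX_LABELS
            or domain.count("-") > MAX_HYPHENS
            or any(ch.isdigit() for ch in name_part))


def suspicious_attachments(msg):
    """Filenames of attachments whose (final) extension is on the suspicious list.

    Double extensions such as invoice.pdf.exe still end in .exe and are caught.
    """
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
            names.append(filename)
    return names


def phishing_indicators(raw_message):
    """Return a list of human-readable indicator strings found in the raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, _addr, domain = sender_parts(msg)
    findings = []
    if name_domain_mismatch(name, domain):
        findings.append("sender name does not match sender domain")
    if domain and odd_domain(domain):
        findings.append("oddly constructed sender domain")
    for filename in suspicious_attachments(msg):
        findings.append(f"suspicious attachment: {filename}")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "support@bank.example" <alerts@secure-login-bank-verify1.example.net>
To: employee@company.example
Subject: Urgent: your account will be locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice immediatly.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""

BENIGN = """\
From: Anna Example <anna.example@company.example>
To: employee@company.example
Subject: Minutes from today's meeting
Content-Type: text/plain

Hi, the minutes are in the wiki.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", phishing_indicators(raw) or ["no indicators"])
```

Heuristics like these produce false positives (legitimate marketing domains are often hyphenated, and a display name may legitimately mention another domain), so the output is best used to flag messages for a closer look or to add a warning banner rather than to block outright.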

Attackers only need a small percentage of recipients to fall for the e-mail. With thousands of e-mails sent, even one person clicking on the supposed parcel status link, downloading the supposed invoice, or changing the supposedly outdated password is enough. These mass e-mails are relatively easy to recognise. Spear phishing, on the other hand, a type of targeted attack, is far more challenging to prevent. Here, information about specific individuals is gathered first and the e-mails are tailored to them. This approach requires more effort but offers attackers higher success rates. Even these attacks can be automated. For example, when a company registers a trademark, the registration with the company name and trademark is published. Attackers exploit this in practice by contacting the registering companies and posing as trademark office employees, claiming to be following up on a supposed registration fee, or trying to trick the target into clicking on harmful links or attachments.

Assessment and Countermeasures

The practical danger and relevance of social engineering is highlighted by the fact that the Federal Office for Information Security has included social engineering as one of 47 threats in its catalogue of fundamental threats.

In addition to technical measures, organisational measures are essential for protection against social engineering attacks. It is particularly advisable for companies and authorities to regularly raise their employees' awareness of the dangers of social engineering.

We are happy to support you in planning appropriate measures. With our eLearning courses from DSN train, you can educate your employees on information security through courses such as:

Our consultants can also assist you in planning further awareness measures, such as implementing phishing simulations or conducting webinars and on-site training.

You can find more interesting examples of various attack scenarios in our datenschutz notizen here for social engineering and here for phishing.

If you have any questions, please feel free to contact us.