28th April 2021
28th April 2021
Computer systems today are mostly very well protected by technical measures. So, social engineering is now often used to get into a system or get data. This is one of the most successful ways to attack alongside hacking and spreading malware. Attempts are often made to fraudulently obtain credit card information or access data or to gain access to systems.
Social engineering (social manipulation) is an approach that involves taking advantage of the helpfulness, good faith, or insecurity of persons to obtain confidential information or to incite the "victim" to a specific action.
Social engineers spy on their victim's personal environment, fake identities, or exploit behaviors to gain secret information or unpaid services.
Of all the attack methods (malware, hacking) to get into systems or get to data, this one is still one of the most successful.
The danger of social engineering exists in the private life as well as in business. Company employees are particularly attractive targets for obtaining information about the company and for stealing money or data through extortion or fraud.
It is so easy for social engineers to learn more about their potential victims such as their profile, hobbies, future plans or work projects.
You may be wondering where social engineers get their information from.
This information gathering is called Open-Source Intelligence (OSINT).
Open Source Intelligence (OSINT) is data collected from publicly available sources to learn about someone or something. In this sense the term "open" refers to publicly available sources, such as social media (Twitter, Facebook, etc.), company web sites, public facing web servers, newsletters and articles, software and code repositories (like Codechef, Github), public government data and professional and academic publications. A problem with OSINT in practice is the volume of information to be dealt with (“information explosion”).
First, a company is selected about which more information is to be found using social engineering, or whose systems are to be accessed by fraudulent means.
Information about the company can initially be found on the company website. For example, business reports, contact points, employee organization charts or certain product information are published here.
More information can be found in public directories. For example, the location of the offices.
Information can also be found via Google or other search engines. These are, for example, newspaper articles, blog posts, customer reviews or inquiries or publications of a political nature.
A social engineer can find out who works for a company on social networks such as LinkedIn or Xing. Positions and further information can also be determined in this way.
Once the social engineer has decided on a person, further information about the target person can be found on these pages as well as on Facebook, Twitter, and Instagram. What are that person’s interests and hobbies? What is posted about the employer? Which articles and posts are shared? What are the person’s working hours? And much more. All this information can then be used to pressurize or deceive the target to get the information the social engineer wants or to gain access to the system.
Here we present 10 tips on how to react to a social engineering attack, how you can recognize social engineering, and what you can do about it.
Social engineers are usually very friendly and agreeable. By pretending to have company knowledge (supervisor's name, processes, etc.), they work on their “victim” until he or she reveals the information they are looking for. Stand firm and do not give confidential information about yourself or the company to strangers. This also applies if the person gets rude or angry, or if the person appears to be working in the same place as you.
Do not let yourself be persuaded to visit a specific website or install specific software. The website and the software may be infected with malware.
If it is a website that you know, open it using the URL saved in your directory. It is better that you do not open unfamiliar pages. If it is necessary, enter the name of the company or the site on Google or another search engine and select the link there. If you enter an address directly in the URL field, it may be for a page that does not exist in a search engine. If a search engine’s scanners have not checked a page, it may be more likely to be infected by malware.
For all dubious inquiries always make sure of the identity and authority of the inquirer. Find out the reason for the inquiry.
You can do this, for example, by consulting your supervisor or asking the company making the request. Make a note of the contact details (name, telephone number, email, department, etc.) of the person concerned so that you can pass them on. To contact a company, either select the number or email address you have already saved in your address book or do a Google search to get to the website. Do not go to a website to see the contact details. The page could be fake and the contact details as well, so that your request ends up with the social engineer instead of the company you wanted to contact.
NEVER give internal or confidential information (customer and employee data, project information, password, etc.), whether on the phone, by email or by post.
No matter who asks, you should never pass on such information if you are not 100% sure that the other person is really entitled to the information. If you are unsure about this, clarify this with your supervisor in advance. Passwords and access data should NEVER be passed on.
Always pay attention to what information you disclose and where. Only pass on publicly available information about your company to people outside the company. If an internal person or an external project partner requests information, make sure that it is not confidential or secret and that the person is authorized to receive the information.
No reputable service provider will ask for a password and access data. Neither will any reputable system administrator or security specialist.
If you receive calls or emails asking for passwords or access data, hang up or delete them immediately. You should also report the incident to the IT service desk and your manager. These requests are an attempt at social engineering. No service provider needs the access data to run any tests or solve problems, no matter what the situation is. Also, do not access any website that is presented to you (via a link in the email or by phone) to log in. If it is from a provider you know and you want to change your password, for example, go to the link that you have saved in your directory and log in from there.
If a social engineer tries to get information via a phone call, this is known as a "vishing call".
Voice phishing is phone fraud, using social engineering over the telephone system. This is often referred to as “vishing” - a combination of "voice" and “phishing”. With vishing, the attacker may pretend to be a potential or existing partner, a senior company employee, a government official or an IT support team member. Typically, vishing scammers create a sense of urgency, leverage authority, or create a trustworthy persona on the phone – all designed to get the victim to follow the scammer’s directions. The goal is to gain access to confidential information, redirect a payment, or gain control of company computers.
Therefore, as we already said in tips 1 and 4, do not allow yourself to be put under pressure and do not pass on internal and confidential information.
Fraudsters use so-called phishing emails to try to obtain information from their victims. Therefore, pay attention to the following features, so that you can recognize a phishing email:
Do not reply to a phishing email. Report it to the service desk or your supervisor and delete the mail.
Social engineering can also be done through social media. For example, private messages are sent with links to infected websites or posts are posted with links to such sites.
In addition, social engineers can search for information about their victims on social networks. It is therefore important to consider what information you are disclosing about yourself. For example, do you specify your employer and your role? What information can be found about your hobbies? Do you have a public profile or is it blocked for strangers? Also, never include non-public company information on your profile.
Do you still know about USB sticks or external drives? They are not used that often anymore, but it does happen. Malware can also be spread via mobile data carriers. It is therefore also important in this case not to use mobile data carriers from strangers or casual acquaintances. Also, do not connect external data media just to check what is on them.
Probably the most extreme type of social engineering is getting in touch with the victim personally. If a social engineer cannot reach his target person via the other channels, it is possible that personal contact will be made. Trust is gained through feigned friendship or willingness to help. This can happen, for example, through "common interests and hobbies" or through the profession and the company. Use proper judgment in discussions with people you have only met recently and do not pass on business information or allow yourself to be led into action. For example, do not give your mobile phone to anyone else so they can type in a web page to show you something. Make sure that such pages are spelled out for you.
Nobody is immune to social engineering. But you can learn which signs to look out for and how to behave in general regarding the publication of data. The most important thing is not to give any information about passwords and user data. Do not give any internal company information either. Also, always pay attention to what you publish and write online. And do not use any external data media that you have received from strangers or casual colleagues. Do not let yourself be pressured to reveal information. Stand firm and report suspicious calls, emails or conversations to your manager and the IT service desk.
And if you do become a victim of a social engineering attack, change all your passwords immediately and report the incident to your employer so that protective measures can be taken.
We hope that our tips will help you to handle your data securely.