It is two in the morning. The telephone rings: it is a member of your company’s IT department. He warns you that a computer virus has infected the computers in your office and has destroyed the documents of all employees. He urgently needs your username and password to save your documents to a safe place. You are still half asleep when you look at the screen of your phone: the call is actually coming from your company’s number and the caller’s name seems familiar. He also mentions an important project you are working on that only a few insiders are aware of. Do you provide your supposed colleague with the information? After all, it seems urgent and you certainly don’t want to be responsible for a huge data leak (see: protect your data). How would your colleagues react if they received the same call?
Social engineering is manipulation by deception. We come across social engineering in our everyday lives, e.g. in advertisements, on dating sites or during job interviews. In these cases, the ‘canvasser’ adjusts how he or she behaves or presents him or herself in order to achieve his or her objective.
Unfortunately, the art of manipulation, especially in relation to new media, is often used for dishonest purposes. In these cases, human vulnerabilities are exploited: people naturally want to help and to trust others. In a calculated way, and sometimes over a prolonged period, scammers build a relationship of trust with the target person. At a chosen moment, the victim’s credulity is exploited to obtain the desired information. The aim may be money, business secrets, economic advantages or competitive sabotage (see: data classified as important or vital).
In general, anyone can be a victim of social engineering: wherever there are assets that might interest someone, there will be attacks. People in the workplace are particularly exposed, however, especially if they handle confidential data. If even the most insignificant piece of critical information escapes to a criminal, you become the leak in your company’s security plan without even realising it. Your family, friends and colleagues can also attract the attention of spies: scammers often succeed in obtaining critical information from such third parties.
The following information is highly sensitive and should never be shared with people you have only recently met or do not yet fully trust: information about your professional activity and personal data such as date of birth, telephone number, email address, etc. Be equally careful with information about third parties, such as colleagues or managers: those people may themselves be the targets, and the criminals may be trying to extract information about them from you.
You should teach your children about ‘personal data’ and how they should handle it.
Remember: scammers get a lot of information in a completely legal way. Companies’ websites often have lists of employees, their position, telephone number, email address and sometimes even their photo. This ‘victim portrait’ is then supplemented using social networks where there is more information about the character, family relations and leisure activities of the person. So always be cautious about publishing data on the Internet and only accept online ‘friends’ who you also know in real life. Make sure your profile is not accessible to ‘friends of friends’.
In general, anyone – private individuals or companies – can be victims of social engineering attacks. It often doesn’t even involve computers or the Internet. A classic example of social engineering is the ‘grandparent’s scam’: e.g. the scammer calls an elderly person on their landline and says the following: ‘Hi Grandma! Guess who it is!’ The scammer’s best-case scenario is that the grandmother gives the name of a grandchild, the caller confirms it and then asks for money or other valuables, claiming that they are in an emergency. The scammer then goes in person to fetch the proceeds, pretending to be a friend of the grandchild.
New technologies offer scammers a host of options for achieving their goals through targeted manipulations and information. A particularly dangerous situation arises when the information of a single person is exploited to gain access to the computer system of an organisation. The attacker can easily pass for a system operator, an IT manager or a system engineer.
Often the attacker is not even in direct contact with the victim. Phishing and spam operate based on the principle of social engineering: the victim receives an email that looks like a message from a trustworthy source with content that matches his/her profile. If the scammer has previously discovered that the targeted person likes wellness treatments (e.g. by spying on the social network profiles of the victim), s/he sends an email with the title: ‘Special offer: 99 euros for a wellness weekend in a luxury hotel’. When the victim opens the email, s/he finds a professional-looking advertisement with a link (‘Click here to view the offer’) – clicking the link immediately installs a Trojan on the victim’s computer.
Even people who are very careful with sensitive information can fall into a social engineering trap.
In direct contact with an attacker (e.g. in an interview), people normally do not reveal the information being targeted. But many people, when asked detailed questions that seem completely innocuous, end up giving valuable clues without even realising it. This is basically a puzzle: by collecting as many pieces as possible, the social engineering expert can put together a comprehensive overview. In most cases, the attacker does not even need to spy. Often, those targeted knowingly hand their confidential data over to the scammer on a plate.
On the one hand, our ‘technological negligence’ makes us vulnerable to attack. People lose track of the various pieces of information about them circulating in new media environments without realising it. Some people also treat their sensitive data carelessly, e.g. by posting private information on the Web or not bothering to ‘clean up’ their online profiles regularly.
On the other hand, we are only human beings. We are always in search of recognition, flattery, compliments, friendships, etc., and we are generally open to the interest shown in us as individuals. Human virtues such as helpfulness and weaknesses such as vanity are exploited by attackers to manipulate their victims. Most company employees think that the most important thing is to be a good team player and to support colleagues, often at the expense of security.
In spring 2012, a group of psychology students from the University of Luxembourg pretended to be researchers working on a survey in which 1206 passers-by in Esch sur Alzette, Diekirch and Luxembourg were asked about their IT habits. At strategic moments, the participants were offered a box of chocolates. Following a few introductory questions, with the aim of presenting the subject – ‘computer’ – to the study participants, the researchers quickly went on the attack, i.e. to fish for information about their passwords! The results were frightening: 30% of participants aged 12 to 74 did not hesitate to give their password to the researchers and some even entered it on the questionnaire. Many respondents would not reveal their password but they still mentioned elements contained in the password, thus making the hackers’ attacks easier.
This study shows how important it is not only to implement technical protection measures (passwords, firewalls, antivirus, etc.) but also to encourage caution and scepticism whenever personal data is requested.
The same type of information targeting as in this study, conducted in Luxembourg, is found on the Internet, with the same alarming success rates. Many victims have already fallen into the trap used in the test: ‘Check the strength of your password!’, ‘Does your password contain your name or the name of a family member?’ or ‘Does it contain a date that is important to you personally?’ The primary purpose of such questions is to guess your password for dishonest ends rather than to make it safer. When it comes to sensitive information, we must ask ourselves a few questions! Think carefully: is it really necessary to share this information, and what risks does sharing it involve? (See also: Threats to human resources.)
Social engineering can take place indirectly in the form of phishing and spam emails. Phishing emails appear to be sent by a bank or authority and their purpose is to pressurise the recipient to act quickly (‘Your account has been blocked’) so that they enter personal data, such as passwords or credit card numbers. Spam, meanwhile, operates based on the principle of advertising. Scammers try to tempt the target person with a product or advertising content and to incite them to open a link included in the email.
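The two indirect lures described above (a spoofed trustworthy sender plus a link, and a pressure phrase such as ‘Your account has been blocked’) can be screened for mechanically. The following script is an added example written for this page, not code from the original article: it parses a constructed sample email with Python’s standard `email` module, flags urgency phrases, and compares the domain of the sender address with the domain of every link in the message. The sample messages, the phrase list and the `registrable_domain` helper are all assumptions for illustration (the helper uses a crude last-two-labels rule; a production tool would consult the public suffix list).

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not from the original article).
# The first mimics the wellness-offer lure the text describes: a claimed hotel
# sender, an urgency phrase, and a link whose real domain differs from the sender's.
SAMPLE_PHISH = """\
From: "Wellness Luxury Hotel" <offers@luxury-hotel.example>
To: victim@example.org
Subject: Special offer: 99 euros for a wellness weekend in a luxury hotel
Content-Type: text/html; charset=utf-8

<p>Your reservation will be cancelled unless you act immediately.</p>
<p><a href="http://luxury-hotel.example.promo-click.invalid/offer">Click here to view the offer</a></p>
"""

# A benign internal notice: sender and link share one domain, no pressure wording.
SAMPLE_LEGIT = """\
From: "Payroll" <payroll@example.org>
To: victim@example.org
Subject: Payslips for March are available
Content-Type: text/plain; charset=utf-8

Your payslip is available on the intranet portal at https://intranet.example.org/payslips
"""

# Assumed phrase list; real deployments would tune this from observed campaigns.
URGENCY_PHRASES = (
    "act immediately", "account has been blocked", "within 24 hours",
    "urgent", "will be cancelled",
)

# Matches either an HTML href value or a bare http(s) URL in plain text.
LINK_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']|(https?://[^\s<>"\']+)', re.IGNORECASE)


def registrable_domain(host):
    """Approximate the owner domain by the last two labels (assumed helper)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(body):
    """Return every URL found in HTML hrefs or as bare text."""
    return [m.group(1) or m.group(2) for m in LINK_RE.finditer(body)]


def score_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = str(msg.get("From", ""))
    addr_match = re.search(r"<([^>]+)>", sender)
    addr = addr_match.group(1) if addr_match else sender.strip()
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (str(msg.get("Subject", "")) + " " + body).lower()

    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency phrase: {phrase!r}")

    for link in extract_links(body):
        host = urlparse(link).hostname or ""
        link_domain = registrable_domain(host)
        if link_domain and sender_domain and link_domain != sender_domain:
            findings.append(f"link domain {link_domain} differs from sender domain {sender_domain}")
        # The sender's name appearing as a subdomain of someone else's domain is a
        # classic look-alike trick worth its own finding.
        if sender_domain and sender_domain in host and link_domain != sender_domain:
            findings.append(f"sender name embedded in a different domain: {host}")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample) or "no findings")
```

Running the script prints several findings for the constructed lure and none for the internal notice. A heuristic like this is a screening aid, not a verdict: the page’s own advice still applies, so a message that passes the check but asks for a password or card number should be treated with the same scepticism.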
Direct attacks take place, for example, during a telephone conversation and do not need to be particularly complex. They may be nothing more than a plain and simple request for information. An attack may also seek information to be used against a completely different target. Generally, any request for information made by an unknown person about professional activity, personal details or habits is suspect.