Social engineering
What is a social engineer?
Social engineers are cybercriminals who exploit human behaviour. Using psychological tactics, they try to trick people into serving their purposes, e.g. into giving them access to buildings, systems or data (see https://www.csoonline.com/article/2124681/what-is-social-engineering.html). They often use computers, e-mail and telephones, but social engineering can also occur in face-to-face situations. Social engineers try to get users to reveal information that can compromise data security. They gather fragments of information about their target persons or organisations and then piece them together for their own criminal purposes.
Social engineers often do this by pretending to be someone they are not, for instance other employees, clients, business partners or members of well-known enterprises, but also friends or celebrities. The recipients of social engineering attacks are made to believe that they know the person in the real world and can trust them, while in actuality they are dealing with a social engineer.
Social engineers might also present themselves as strangers, but quickly establish a relationship with their target by starting a casual conversation in person or on the phone.
Social engineers seek to win the trust of their targets by priming and pretexting: they create a backstory and a scenario that make them sound trustworthy. With this story, they address human emotions, motivations and tendencies, such as fear (using a voice of authority in mails that apparently come from a superior) or empathy and the willingness to help (writing heartbreaking stories of human or animal fate).
Oftentimes, social engineers collect information about the target persons beforehand, in order to tailor their attack to their psychological profile.
In many, but not all, cases social engineers use IT technology and direct their attacks at its users. In most instances, social engineering is executed in several steps, combining various techniques, including physical breaches. Social engineering might be initiated in the form of physical presence; personal communication; phone calls; e-mails, either from fake persons or organisations or from spoofed domains, appearing to come from a person or institution you know; and social media platforms.
Techniques of social engineering
Social engineering attacks happen in innumerable variations, and a single attack might be composed of several of them (see https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering).
The most common form of social engineering attack is phishing. Phishing is a form of fraud aimed at retrieving sensitive information or gaining unauthorised access. This might happen via infected e-mail attachments or links to malicious websites; by persuading victims to send confidential information to the wrong recipient; via phone calls; or via pop-ups that warn that security software is out of date or that malicious content has been detected on the computer.
But this does not mean that physical breaches are to be underestimated: for example, when the social engineer appears at the door and pretends they cannot find their access card or key to a secure location, or when they follow someone into a secure or restricted area while claiming to have mislaid their pass (tailgating).
Social engineering might lead to crimes that can be really harmful to you, to the healthcare organisation, and also to everyone who is in direct contact with the victim. However, it is possible to prevent a potential social engineer from being successful if the following recommendations are applied:
How to avoid the traps of social engineers
When working from a computer:
- Never send personal information/details unless it is 100% clear who the receiver is.
- Consider whether the receiver needs the sensitive information they ask for.
- Check the web address of a website in the browser. Also, does the website use 'https://' and/or does it show a lock icon?
- Look out for security warnings from browsers.
- Check whether e-mails genuinely come from their stated sender.
- Trust your gut! Avoid opening suspicious e-mails or attachments.
- Contact persons and organisations via their official homepage, phone number or e-mail address, not via a link in an e-mail.
- If in doubt, call your IT or cybersecurity department.
- Never let a stranger connect to your wireless network.
Offline:
- Carefully dispose of printed material.
- Don't give strangers personal information until their identity is verified.
Social engineering can be recognised by identifying characteristics such as masquerading, creating a false sense of urgency, offers that are too good to be true, or unsolicited communications and contact initiatives from unknown people. Just don't fall for it.
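The checklist above and the red flags just listed can also serve as an automated first pass over incoming mail. The following added example (not part of the original article) scans one e-mail for a bounce or reply address in a different domain than the From header, links that lack https or whose visible text names a different host than their target, urgency phrases and too-good-to-be-true offers; the sample message, domains and phrase lists are constructed assumptions, not taken from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
TOO_GOOD_PHRASES = ("you have won", "free gift", "claim your prize")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample message (not a real e-mail) showing several cues at once.
SAMPLE = """\
From: "Hospital IT Helpdesk" <helpdesk@hospital-it-support.example>
Return-Path: <bounce@mailer.example.net>
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Your password expires within 24 hours. Verify immediately:</p>
<a href="http://hospital-login.example.net/verify">https://portal.hospital.example</a>
"""

def domain_of(header_value):
    # Lower-cased domain of an address header such as From, Reply-To or Return-Path
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def phishing_cues(raw_message):
    # Returns the checklist red flags found in one single-part e-mail
    msg = message_from_string(raw_message)
    payload = msg.get_payload()
    cues = []
    from_domain = domain_of(msg.get("From", ""))
    # Masquerading: bounce or reply address lives in another domain than the From
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            cues.append(f"{header} domain {other} differs from From domain {from_domain}")
    # Links: no https, or visible text that names a different host than the href
    for href, text in LINK_RE.findall(payload):
        target = urlparse(href)
        if target.scheme.lower() != "https":
            cues.append(f"link to {target.hostname} does not use https")
        shown = text.strip().lower()
        shown_host = urlparse(shown).hostname if "://" in shown else shown
        if shown_host and "." in shown_host and shown_host != (target.hostname or "").lower():
            cues.append(f"link text shows {shown_host} but points to {target.hostname}")
    # False sense of urgency and offers that are too good to be true
    words = (msg.get("Subject", "") + " " + payload).lower()
    if any(p in words for p in URGENCY_PHRASES):
        cues.append("creates a false sense of urgency")
    if any(p in words for p in TOO_GOOD_PHRASES):
        cues.append("offer that is too good to be true")
    return cues
```

Such a scorer only surfaces the cues for a human to weigh; a message with none of them still deserves the same scepticism the checklist asks for.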
Author
Sigrid Panovsky
Arbeiter-Samariter-Bund, Austria
Links
https://www.hoxhunt.com/blog/social-engineering/
https://www.globalsign.com/en/blog/how-to-spot-a-fake-website
https://www.csoonline.com/article/3234716/types-of-phishing-attacks-and-how-to-identify-them.html
https://www.hoxhunt.com/blog/what-is-spear-phishing/
https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html
https://www.rapid7.com/de/fundamentals/whaling-phishing-attacks/
https://biztechmagazine.com/article/2018/10/cyberattacks-target-c-suite-rise
https://www.hoxhunt.com/blog/a-guide-to-cybersecurity-awareness-training-for-your-employees/
https://arxiv.org/ftp/arxiv/papers/2004/2004.11768.pdf
https://e-journal.unair.ac.id/JAKI/article/view/16061/9986
https://www.networkworld.com/article/2241110/social-engineering–the-basics.html
https://www.contextis.com/en/blog/the-anatomy-of-a-social-engineering-attack
http://changingminds.org/techniques/general/social_engineering.htm
https://www.synopsys.com/glossary/what-is-social-engineering.html
https://www.csoonline.com/article/2124681/what-is-social-engineering.html
https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering
Keywords
Social Engineering, behaviour, trick, fraud, phishing, pretexting