Social engineering: When People Become a Risk

Post by Daniela Reichert, Author
Monday, 25 July 2022

Messages from alleged bosses or colleagues, links with malware in social media posts, and supposed technicians in the office building that nobody knows about: People are increasingly being caught in the crosshairs of cybercriminals in cyber attacks. Find out how you can protect your company from so-called social engineering attacks.

Social Engineering: Definition

The term “social engineering” refers to the targeted manipulation of people. The attackers use characteristics such as helpfulness, trust and fear of authorities to trick victims into switching off security measures or disclosing sensitive information. Social engineering comes in many different forms and the attackers are becoming more and more creative and, above all, better.

Social Engineering: Humans Quickly Become Weak Points

An email from the manager asking for a money transfer. An unexpected win in a contest on a social network. An email with a super bargain offer. An SMS from the IT department asking for the password for the merchandise management system. Social engineering comes in many different forms and the attackers are becoming more and more creative and, above all, better. We’ve put together an overview of the common tricks used by scammers for you:

Phishing

One of the most well-known forms of social engineering is the phishing email. Such emails usually come from a supposedly trustworthy source (e.g. a supervisor or a bank) and aim to get the recipient to click on a link that leads to a fake website. The target is then asked to enter access data that the attackers want to capture. Malware can also hide in documents attached to such emails.

One of the most common phishing attacks is the so-called “fake president trick”. We tell you what this kind of attack can look like in this video:

Tip:

You can also find more information about the fake president trick, how to spot it and how to protect your company in this article: Fake President Trick – When Scammers Pretend to Be the CEO.

Pretexting Attack

In a pretexting attack, the attackers feign untrue facts in order to trick their victims into revealing login data or granting access to sensitive systems. The scammers often pretend to be employees in the IT department who need access data to fix a problem in an IT program or IT system.

Spear Phishing Attack

With spear phishing, cybercriminals use information tailored to the target person to gain their trust and appear particularly authentic. The information is collected in advance from the victim’s social media channels and supplemented with further information from the Internet and other sources. This extensive research ensures higher success rates and often leads the victim to disclose sensitive data, since the perpetrators can conceal their true identity through the comprehensive information. The attackers try to build common ground with the target, which creates sympathy and trust.

Physical Attack

If you’re thinking that attacks only happen over the phone and the Internet, you’re mistaken. Cybercriminals also use physical attacks to gain access to companies. One example of this is leaving a USB stick in the company car park. The USB stick is loaded with malware and placed in a location where it can be easily found. When an employee finds the USB stick, they may want to find out what is on it. As soon as the USB stick is connected to the PC, the malware installs itself on the computer and secretly collects information or encrypts important data in the system.

The cybercriminals occasionally also appear at the “crime scene” themselves. Disguised as technicians, employees or service providers, they gain access to the business or server rooms in order to steal information and sensitive data. Or they borrow a phone or computer from employees in order to secretly place malware on it.

Cybercrime: Studies Show Steep Increases

No matter what studies on cybercrime have been published in recent years, they all paint the same picture: Cyber attacks are on the rise and are now one of the greatest business risks. A study by the General Association of the German Insurance Industry (GDV) from 2020 showed how laxly some small and medium-sized companies handle sensitive data: An analysis tool was used to search the dark web for data from 1019 companies with fewer than 250 employees and annual sales of no more than 50 million euros. The tool found what it was looking for in 543 of the companies (53 percent) – in particular, email addresses with the associated passwords were stored on the dark web.

The German Federal Office for Information Security (BSI) also confirmed that cybercrime is continuing to increase, citing a 22 percent increase in cybercrime in its report for 2021 compared to the previous year. Since the start of the Ukraine war, experts have repeatedly warned of an increased risk from cyber attacks. A study by Bitkom already showed in 2020/2021 that nine out of ten companies (88 percent) – regardless of their size – have been affected by cyber attacks.

Cybercrime: Increased Risk, but Not for Me?

According to a survey by GDV, 76 percent of companies see a high risk of cybercrime for medium-sized companies – but only 34 percent rate the risk for their own business as very high. Unfortunately, the notion that “We’re just a small company, so cybercriminals aren’t interested in us” is a dangerous fallacy. Just like the assumption that your own business is already sufficiently protected. Because – to come back to the first study by the GDV: Do you know how employee data ended up on the dark web? Through carelessness and inadequate security controls on the part of companies.

For example, many employees use their company email address to register in online shops, social media or gaming websites. If these sites are hacked, the email addresses and passwords can end up on the dark web. But it gets even worse: The study also found that some employees used their work email addresses to sign up for dating and porn sites. The problem: The private use of professional email addresses is forbidden in only a few companies. Most of them don’t actually have a policy. Email is still the most popular way for cybercriminals to gain access to companies. They rely on employees to click on harmful links or open attachments.

Tip:

In this article we tell you which strategies are important for better cyber security and how small and medium-sized companies can implement them: Cyber Security for SMEs: How to Achieve Effective Safety Standards

Social Engineering: Practical Examples

The following examples also show that social engineering attacks can happen to practically any company – regardless of size or industry.

Call from a Fake CEO: 220,000 Euros in Damage

The methods used by cybercriminals are becoming more and more sophisticated, as illustrated by the example of a British energy company: In this case, a CEO in Great Britain got a call from the (alleged) CEO of the German parent company, who asked him to transfer 220,000 euros to a supplier company. He claimed the money would be reimbursed shortly by the parent company. The reasoning? The alleged boss of the German parent company wanted to commission the transfer himself, but since it was already after 4 p.m. in Germany, the money would not reach the recipient until Monday.

Due to the time difference, it was still before 4 p.m. in Great Britain and the transfer would be processed in time. The curious part of the story: Although the subsidiary's CEO had heard about this type of phone scam, he fell for it anyway. On the one hand because the reason for the transfer was plausible, and on the other hand because the fraudsters used an AI (Artificial Intelligence) supported program that imitated the voice of the German CEO almost perfectly. The CEO of the UK subsidiary thought he was actually speaking to his German manager and transferred the money as requested. The fraud was noticed later, but the 220,000 euros were already gone.

A Real exali Damage Event: Fake CEO Stole more than 3,000 Euros

An employee of an app developer insured through exali also fell for cybercriminals. In this case, the alleged boss called and instructed the employee to buy vouchers and gift cards worth 3,000 euros. By the time the real boss found out about it, the damage was irreversible. You can read more about the case in this article: Fake CEO Steals More Than 3,000 Euros

Here is how to protect yourself and your employees from social engineering

When it comes to the security of sensitive data and defending against malware, many companies are already investing in strong IT infrastructure, anti-virus software and security measures. We’ve put together an overview for you so you can reduce the risk of social engineering attacks:

Employee Training

Your best defence against social engineering attacks is alert employees. That’s why it’s worth taking the following steps:

  • Train your employees and make them aware of social engineering attacks.
  • Create awareness of how quickly data in private or professional social networks can fall into the wrong hands and that sharing confidential information about work or employers is not a good idea.
  • Introduce internal control mechanisms – this could be, for example, a changing code word that employees can use to verify themselves.
  • Introduce clear rules for dealing with people from outside the company, such as consultation with the departments concerned.

Clear Rules on Payments and Data

Establishing clear regulations on the following points is almost as important as training your employees:

  • Which people in the company are authorised to approve payments. Make sure that transfers are only possible with the “four eyes principle”.
  • Which people have access to which IT systems, programs or online platforms.
  • What are the rules for dealing with business email addresses (e.g. no registration in portals that are used for private purposes).

Make sure that all your employees are aware of these policies and changes to them and also update employees in regular training courses.

Careful Handling of Emails

Do not open your emails carelessly, as they can often be loaded with malware. Use the 3-second rule to reduce the risk: Take a moment and check the name and address of the sender. Also check whether the subject makes sense and whether there are any spelling mistakes. You should be particularly critical of attachments. Consider whether you are expecting an attachment, whether the file name and file format are correct and whether the size of the file fits the supposed content. Also, never give out account details, login details and/or passwords over the phone or by email. Banks and other reputable business partners will never ask you to divulge passwords and access data over the phone or by email.
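As an added example that is not part of the original article, the checks from the 3-second rule (sender name and address, subject, attachment name, format and size) turned into a small Python triage function that a mail gateway or help desk could run before anyone opens a message. The sample message, the word list, the extension list and the 100-byte size threshold are constructed assumptions for the demonstration.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not a real capture): a "fake president" style mail with an
# external sender address, an urgent subject and a disguised attachment.
RAW_MESSAGE = b"""From: "Thomas Mueller (CEO)" <thomas.mueller@examp1e-corp.net>
Subject: URGENT: supplier payment before 4 pm
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please transfer the amount today, I will explain on Monday.
--sep
Content-Type: application/pdf; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--sep--
"""

URGENCY_WORDS = ("urgent", "immediately", "today", "asap")  # assumed word list
RISKY_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1"}  # assumed list
MIN_PLAUSIBLE_SIZE = 100  # assumed: no real document is this small

def triage_email(raw: bytes, trusted_domains: set) -> list:
    msg = message_from_bytes(raw, policy=policy.default)
    warnings = []
    # 1. Sender: the display name may look familiar, but is the domain ours?
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in trusted_domains:
        warnings.append(f"sender '{display}' uses untrusted domain '{domain}'")
    # 2. Subject: pressure to act quickly is a classic social-engineering lever.
    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        warnings.append(f"subject pushes for speed: '{subject}'")
    # 3. Attachments: file name, declared format and size must fit together.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rpartition(".")[2]
        size = len(part.get_payload(decode=True) or b"")
        if name.count(".") > 1:
            warnings.append(f"attachment '{name}' has a double extension")
        if ext in RISKY_EXTS:
            warnings.append(f"attachment '{name}' is an executable file type")
        if size < MIN_PLAUSIBLE_SIZE:
            warnings.append(f"attachment '{name}' is only {size} bytes")
    return warnings
```

Running `triage_email(RAW_MESSAGE, {"example.com"})` on the sample returns five warnings; a plain internal mail with no attachment returns none.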

Responsible Use of Social Media

Handle data in social networks responsibly – both your private and company data. Cybercriminals conduct extensive research on the internet before launching their attacks, which gives them important information that they can use in targeted attacks.

Cybercriminals Are Becoming More and More Sophisticated – so is exali's Protection

Trained employees and strong IT infrastructure are effective mechanisms to protect against cybercriminals. But the attackers never sleep and constantly find new loopholes to gain unauthorised access to company data. And even the most cautious employees can’t spot all the fraud attempts. That’s why it’s all the more important to protect your business comprehensively from the consequences of increasing cybercrime.

With Professional Indemnity Insurance from exali, your company or your work as a freelancer is well insured. Damage to trust caused by your own employees (e.g. reaching into the company coffers) and damage caused by social engineering (e.g. erroneous transfer due to attempted fraud) are also insured without additional charges. You can also optionally expand your Professional Indemnity Insurance with various add-ons tailored to your business.

With First-party Cyber and Data Risks Insurance (FPC), you can protect your business from the incalculable risks of cybercrime. For example, the insurer covers the costs of cleaning up and restoring your IT systems, PR crisis advice, and provides you with specialised lawyers. Do you have any questions? Then give us a call! At exali, there is no queue and no call centre. Our customer advisors are happy to help you – by phone from Monday to Friday 9:00 a.m. to 6:00 p.m. (CET) on +49 (0) 821 - 80 99 46-0 or via our contact form.

Author profile

Daniela Reichert, Online Editor

Daniela has been working in the areas of (online) editing, social media and online marketing since 2008. At exali, she is particularly concerned with the following topics: Risks through digital platforms and social media, cyber dangers for freelancers and IT risk coverage.
In addition to her work as an online editor at exali, she works as a freelance editor and therefore knows the challenges of self-employment from her own experience.
