What is social engineering - and why is it so successful?
The term social engineering describes interpersonal techniques for influencing others in order to achieve a certain goal. Combined with malicious intent, social engineering is used for harmful purposes. Social engineering attacks make use of everyday social interactions (e.g. a telephone call or an email). The attacker tries to get the target to comply with certain requests and thereby gain access to information or company networks. Because it is becoming increasingly difficult to circumvent technical security systems, social engineering is gaining popularity: such attacks are often impossible to detect by technical means. It is therefore essential that every employee pays attention to IT security and is aware of possible threats. When social engineering attacks succeed, this is usually not due to deliberate malicious behavior on the part of employees. Attackers use various psychological tricks and social norms to create situations that are not perceived as dangerous at first glance. The following table lists different human behavior patterns and illustrates how they are exploited in social engineering attacks.
Situation: A technician requests access to the server room.
Typical reaction: Admission is of course granted.
What really happens: The technician's clothing comes from the costume box; criminals can access sensitive data.

Situation: The boss is on vacation. She instructs an urgent payment to a new partner company.
Typical reaction: The instruction is followed quickly.
What really happens: Criminals have used publicly available information to simulate her identity as realistically as possible ("CEO fraud").

Situation: You find a USB stick in the parking lot. Who do you think it belongs to?
Typical reaction: The USB stick is inserted into the computer in order to identify the owner.
What really happens: The USB stick contains malicious software that (unnoticed) infects the computer and the system.

Situation: Like every morning, you are answering your e-mails...
Typical reaction: ... and click on the link in a well-written phishing email.
What really happens: The link leads to a criminal fake website and automatically downloads malware.

Situation: You find an email from Amazon in your inbox: If you do not verify your account within a few days, a processing fee will be due.
Typical reaction: You verify your account - but use a cloned login page without noticing it.
What really happens: Criminals have your credentials to access your account.

Situation: An alleged acquaintance of a colleague contacts you by email about a problem and sends an attachment.
Typical reaction: The file is opened - maybe you know what to do.
What really happens: The file contains malware that infects the computer and the system.
In combination with time pressure and appeals to secrecy, criminals often reach their targets quickly using these behavioural patterns.
What is phishing and what are possible consequences?
The term phishing is derived from the English word fishing and refers to an attempt at fraud, usually carried out by email. Metaphorically speaking, the attacker fishes for passwords in order to misuse personal data or to harm the owner of a bank account. In addition, spyware, encryption trojans or other files that are harmful to the computer system are often sent. For example, you receive a genuine-looking email from a well-known company (Amazon, PayPal, Google, etc.), or even from your own colleague or boss. For targeted phishing attacks (spear phishing), perpetrators often gather useful information in advance on social networks, job portals or the company website in order to make the attack scenario as realistic as possible. Phishing emails often ask you to update login information, make important payments or enter credit card details. They also often contain harmful attachments, or links that automatically download malicious software.
Falling for a phishing email can have far-reaching consequences. The following list gives some examples of how individuals and especially companies have been harmed by phishing.
During the U.S. election campaign in 2016, attackers gained access to the email account of Hillary Clinton's campaign manager by means of a deceptively genuine-looking account warning from Google. The information thus obtained severely harmed the presidential candidate.
Money transfer to criminal attackers
In 2016, criminals stole 40 million euros from the German automotive supplier Leoni AG through a CEO fraud carried out in several rounds.
Entire companies or public institutions can be paralyzed for days or weeks by encryption trojans. Often this is ransomware (i.e. the encryption is combined with a ransom demand), such as Locky, WannaCry or GoldenEye. In 2016, the IT system of a German hospital fell victim to a ransomware attack. As a result, operations had to be postponed and emergency patients turned away.
According to IBM Security, more than four billion records were captured in 2016 alone.
Demand for ransom payments
After encrypting the data on the computer and in the system, cybercriminals demand a ransom - otherwise, if no backups have been made, the data is lost and the systems cannot be used. Restoring from backups also costs time and money and takes up valuable working time of colleagues.
It is publicly known that a large number of foreign states are actively and constantly engaged in industrial espionage. They hire professional hacker groups to carry out targeted cyber attacks on a daily basis. Attacks range from spyware placement to malware deployment.
Successful attacks can lead to the failure of entire plants. In Germany, for example, a blast furnace was severely damaged in 2014, as infiltrated malware prevented it from being shut down properly.
Violation of data privacy
Phishing attacks lead to serious breaches of data protection. Identity theft is just one example, apart from passing on sensitive company data, passwords or internal documents.
In the following, we will show you various ways in which you can protect yourself and your company against phishing and social engineering attacks.
How do I recognize a phishing email?
The most important rule is to always be sceptical and vigilant. If a message appears suspicious, the sender should be addressed directly via a known route. In most cases, a short call or an inquiry in the internal short messaging service is sufficient. There is no stupid question: If ten false alarms help to prevent an attack, this saves the IT department a lot of time and trouble.
Sometimes phishing emails can already be recognized as fake by their sender address: Attackers use sender addresses such as @amazon-versand.de instead of @amazon.de, or @it-seal.de-index.de instead of @it-seal.de, to fake legitimacy. In most cases, however, the sender address of an email is as easy to forge as that of a letter - even an apparently legitimate sender offers no guarantee!
The following points often indicate that the message is a fraud:
- Unusual writing style, deceptive subject, grammar and spelling mistakes: Doesn't this colleague usually write more openly and informally? Be skeptical! In some cases, fake emails contain grammatical errors or nonsensical words, as the messages are often machine-translated online.
- Missing name / unusual salutation: A bank or a partner company would never address you with "Dear customer".
- Urgent need for action is created: You are asked to act quickly - sometimes you are even threatened. Get a second opinion from a colleague or call the sender directly and ask.
- Request for input of credentials: Passwords, PINs and TANs are never requested by phone by colleagues, your online mail-order company or a bank; this is one of the most important security rules.
- Prompt to open a file / activate editing mode: Do not download or open files in unexpected emails, as they may contain malware and infect your computer.
- Inserted HTML links or forms: Hyperlinks should always be checked before clicking on them. It is important to pay attention to where the link leads. For a detailed explanation of how to verify the destination of a link, see the next section.
How do I recognize a fake link?
Hyperlinks are parts of a text that refer to an associated target, usually a website, when you click on them. In some phishing emails only parts of the text are hyperlinked (e.g. "... please click here."), but often a complete link is shown as well. In both cases the real link target may differ from what is displayed. To recognize the target, hover the mouse over the link without clicking: the real destination is then displayed at the bottom left of the window of the respective program or next to the mouse pointer. On mobile devices, the real target becomes visible when the link is held for about two seconds.
Examine the link target in detail: The relevant part of a link is the so-called "base domain". Read from the http(s):// to the next "/"; the base domain is located around the last dot in front of that "/". The rest of the link is completely negligible. In the following examples, the base domain is named after each link.
Secure example: https://www.google.de/services leads to google.de.
Phishing example: https://www.google.de.myaccounts.biz/services leads to myaccounts.biz.
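The base-domain rule above, applied in code so it can be run over the links in an HTML e-mail. This is an added example and not IT-Seal's code; the HTML sample is constructed, and the small set of two-label public suffixes (co.uk and the like, where the rule as stated would otherwise stop one label too early) is an assumption standing in for the full Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not IT-Seal's code. Small sample of two-label public suffixes
# (assumption: a real tool would load the complete Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample e-mail body: the first link's visible text shows a Google
# address, but its real target (href) is a different base domain.
SAMPLE_HTML = (
    '<p><a href="https://www.google.de.myaccounts.biz/services">'
    'https://www.google.de/services</a> '
    '<a href="https://www.google.de/services">click here</a></p>'
)

def base_domain(url):
    """Base domain as the page describes it: the host between http(s):// and the
    next "/", reduced to the label before its last dot plus what follows."""
    parsed = urlparse(url.strip())
    host = parsed.hostname  # lower-cased, without port or user-info
    if parsed.scheme not in ("http", "https") or not host:
        raise ValueError(f"not an http(s) link: {url!r}")
    labels = host.rstrip(".").split(".")
    # example.co.uk: the registrable part has three labels, not two
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def classify_link(url, expected_domain):
    """'genuine' if the link lands on the expected base domain, else 'phishing'."""
    return "genuine" if base_domain(url) == expected_domain.lower() else "phishing"

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, visible text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """The 'hover over the link' check done on the HTML source: every href whose
    real base domain differs from the one shown in the visible link text.
    Text like 'click here' names no domain and so cannot be judged this way."""
    parser = _LinkCollector()
    parser.feed(html)
    return [href for href, text in parser.links
            if text.lower().startswith("http") and base_domain(href) != base_domain(text)]
```

Running suspicious_links(SAMPLE_HTML) flags only the first link, whose displayed text claims google.de while the href leads to myaccounts.biz.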
Have a look at the following links and pay attention to the base domain: Which links are genuine and which ones fake?
If you are unsure about the target of a link, you can have it checked on www.virustotal.com to find out the solution - but make sure to check the link before you click!
How can I protect myself?
Phishing attacks work particularly well if they are designed to be as realistic as possible. To do this, the attacker needs information about the target. In spear phishing, criminals use publicly accessible data on social media such as Facebook or Instagram, on job portals such as Xing or LinkedIn, on news sites or on the company's website. Therefore, the first and most important recommendation is: data minimisation. Check which information you disclose to whom. Of particular interest are contacts, your position in the company or your interests. For example, choose your privacy settings on Xing so that your contacts are not publicly visible.
In addition, regular updates are indispensable, for example to prevent attacks via browser or plug-in vulnerabilities. Outdated versions can contain security holes that make it very easy for attackers to infect your computer. Many operating systems do not finish installing updates until they are rebooted. Therefore, do not only switch your computer to stand-by mode, but also shut it down completely on a regular basis. In the past, the browser plug-in Adobe Flash Player has repeatedly attracted attention due to security vulnerabilities. It is needed to display certain content on web pages. In various attacks, computers were infected unnoticed simply by visiting a website. Therefore, configure your browser so that Flash Player is disabled by default and only runs after your consent.
Listen to your gut! A phishing e-mail often contains minor discrepancies that are overlooked in everyday stress or out of habit. As soon as a small question mark appears, check the e-mail in more detail. You have learned how to recognize fake links. You can also have your virus scanner check file attachments before opening them: download the file, right-click it and select the appropriate option.
MS Office documents with macros (e.g. .docm) require special caution: Once the macros are activated, they can download further malicious code, and this is usually not detected by virus scanners. Activate macros only if the source of the document is absolutely trustworthy. .zip files are also currently frequently used by criminals; opening them can result in the execution of malware. If you are not sure: ask. The sender, the IT department or your colleague.
What to do if I have fallen for a phishing email?
If you suspect you have fallen for a phishing attack, you should react quickly. The longer you wait, the greater the potential damage. The correct reaction depends on the situation. If you have given away your password by entering it on a fake login page, change it immediately or have the account blocked. If you may have downloaded malware, immediately disconnect the network cable and disconnect the computer from the wireless network. In any case, notify the IT department of the incident immediately.
Why are technical precautions not enough to intercept phishing emails?
Many phishing emails are difficult for virus scanners and firewalls to recognize as such, since they often do not carry any malicious software as a file attachment but download it later. This is done via an embedded link: a single click triggers a so-called "drive-by download" of a file without any further action. Attacks such as CEO fraud can even manage without any malware: The payment order demanded by an alleged member of the management consists of pure text and is therefore impossible to recognize by technical means.
As a result, cybercriminals increasingly focus their attacks on the employee as the weak point, because employees can be the biggest security vulnerability of an organization. Properly equipped, however, they also offer great potential for achieving a high level of security. That is why it is so important that every employee is sensitized to the topic of phishing, recognizes attacks of this kind and knows how to behave professionally.
For this purpose, IT-Seal GmbH offers the Phishing Academy as an opportunity to conduct phishing awareness training in the company. On the one hand, this measures the company's security standard against social engineering attacks, and on the other hand it brings the knowledge and security awareness of employees up to date. With every "wrong" click on our phishing emails, all participants are shown a so-called teachable moment on how to recognize and handle phishing attacks in a professional manner.
What antiphishing tools are recommended by IT-Seal?
We recommend the following tools to both home and business users:
- With the free learning concept NoPhish, the basic rules of phishing recognition can be learned in a playful way. It is available as an online platform as well as an iOS and Android app. You can find more information in our blog entry about NoPhish. NoPhish has been developed by SECUSO, a research group at KIT.
- If you are using Thunderbird as your email client, you can download the Torpedo add-on. This tool helps you detect malicious links. We have also published a blog entry on Torpedo. Torpedo has been developed by SECUSO, a research group at KIT.
- PassSec+ for Mozilla Firefox detects unencrypted web pages and warns you when you enter login data. You are thus protected against many attacks where login data is to be accessed. PassSec+ has been developed by SECUSO, a research group at KIT.
- If your gut instinct warns you: On www.virustotal.com you can check links if you are not sure about the link target. You can also check files, but please keep in mind data privacy if applicable.
- Use different passwords for different accounts and change them regularly - otherwise, in the worst case, potential attackers will have access everywhere. A password manager (e.g. KeePass) can help you keep track of your passwords: You then only need to remember a single master password.
What exactly does IT-Seal do?
Behind IT-Seal (Social Engineering Analysis Labs) are IT security experts for social engineering and phishing prevention. We help companies and their employees to minimize the dangers and damage caused by social engineering attacks. Respectful attack simulations are carried out for this purpose. On the one hand, this makes it possible to measure the company's security standards and on the other hand, all participants learn how to deal with cyber attacks in a secure environment. The simulation of attacks is usually done by e-mail and includes different degrees of difficulty. The data protection of the participating employees is our top priority. In our phishing analyses we only report on group-related behavior - individual behavior is never communicated at any time.
We pursue a full service concept and focus on non-invasive training: Participants who are already able to detect phishing attacks reliably will not be disturbed in their daily work routine. However, if an employee clicks on one of our phishing emails, we show them how they could have identified it as such, using the example of this exact email.
Sounds interesting? Try our free phishing simulation: As a participant in our demo you will receive four phishing e-mails within two working days. If you click on a link (inadvertently or out of curiosity), you will be forwarded to the IT-Seal explanation page.
The demo is currently only available in German. Thank you for your understanding.
Why do we make the difference?
We leave a mark. It has been scientifically proven that our approach of "experiencing instead of listening" is at the forefront of learning methods. We attach great importance to the fact that learning content is taught at exactly the right time in order to achieve a particularly lasting learning effect.
We involve everyone: All participating employees experience an ascertainable and continuous learning success.
We offer a full service. No effort is required from the corporate side, and your IT department can concentrate on its core business.
We make security measurable. How good is the security awareness of your employees and colleagues in everyday life? This is a very important but very difficult question for any IT security officer. We offer a precise recording of real security behavior across all departments, hierarchies and even national borders.
Our concept is non-invasive. Since we send our phishing emails in the normal course of your daily work, the phishing simulations do not interfere with business processes. Employees are not disturbed, but only receive training when their behavior implies a potential risk. The participant learns in an interactive explanation how they could have recognized the email as a phishing attack.
Do you have any questions? We look forward to hearing from you!