You are the firewall
HOW DO I PROTECT MYSELF AGAINST SOCIAL ENGINEERING & PHISHING?
Learn the tricks of the criminal attackers to be prepared against social engineering attacks.
In Germany, every second company was the victim of digital industrial spionage, sabotage or data theft, resulting in damages of around 43 billion euros (source: bitkom). 19% of the attacks fell into the area of social engineering - the targeted manipulation of employees in order to gain access to sensitive information or to place malware on company computers.
IT-Seal's 'Stay altert' Campaign offers you a tool to arm yourself against social engineering attacks: What types of social engineering are there? What is the aim of the attackers? What is the concrete procedure? How do I recognize a phishing e-mail? How do I recognize the target of a link? You will find the answers to these questions here.
Have fun – and stay alert
Basic knowledge of phishing & social engineering. Reading time: 12 minutes
The term Social engineering describes interpersonal techniques for influencing others to achieve a specific goal. If social engineering is combined with negative intentions, it can be used for harmful purposes. Social engineering attacks use everyday social interactions. (e.g. a telephone conversation or an e-mail). The attacker tries to get the target to follow certain requests in order to gain access to information or company networks.
As the protection provided by technical security systems becomes increasingly difficult to bypass, social engineering is gaining popularity: it is often technically impossible to detect such attacks. It is therefore essential that every employee pays attention to the topic of IT security and is aware of possible threats.
If social engineering attacks are successful, then this is usually not due to intentional malicious behavior by employees. Attackers use various psychological tricks and social norms to create situations that are not perceived as dangerous at first. The following table lists various human behavior patterns and illustrates how these are exploited in social engineering attacks.
Prejudices / Expectations
A technician requests access to the server room.
Access is of course granted.
The clothing of the technician is a prop and criminals can access sensitive data undisturbed.
While being on vacation the boss instructs an urgent payment to a new partner company.
The instruction is quickly followed.
Criminals have exploited publicly available information in order to impersonate the boss as realistically as possible ('CEO-Fraud').
You find a USB stick in the car park. Who does it belong to?
The USB stick is plugged in to identify the owner.
The USB stick contains malware that (unnoticeably) infects the computer and the system.
Like every morning, you're going to answer your e-mails
... and click on the link in a well-made phishing e-mail.
The link leads to a malicious website, which infects your computer with malware
A note from Amazon pops up in your mailbox: If you do not verify your account within a few days, a processing fee will be charged.
You verify your account by entering your login information on a cloned login page.
Criminals have your credentials and thus have access to your account.
|Willingness to help|
An alleged colleague contacts you by e-mail about a problem and sends you a file attachment.
The file is opened - maybe you can help your colleague.
The file contains malware that (unnoticeably) infects the computer and the system.
The term Phishing is derived from the English word fishing and refers to an attempt to scam, usually by e-mail. Figuratively speaking, it is about fishing for passwords, whereby personal data is misused or the owner of a bank account is harmed. In addition, spy software, encryption trojans or other files harmful to the computer system are often sent.
For example, you receive a real-looking e-mail from a well-known company (Amazon, PayPal, Google, etc.), or even from your own colleague or boss. For targeted phishing attacks (spear phishing) attackers often collect useful information in advance on social networks, job portals or the company website in order to make the attack scenario as realistic as possible. Phishing e-mails often request that login data be updated, important payments be made or credit card information be entered. They also increasingly contain malicious files or lead to automatic downloads of malware via attached links.
Loss of login data
During the 2016 US election campaign, attackers gained access to the email account of Hillary Clinton's campaign manager with a deceptively genuine account warning from Google. The information obtained caused massive damage to the presidential candidate.
Transfers to unknown third parties
The German automotive supplier Leoni AG was relieved of 40 million euros in 2016 by criminals repeatedly attacking with the so called 'CEO-Fraud'.
Failure of IT systems
Using encryption trojans, entire companies or public institutions can be paralysed for days or weeks. The poison of choice is ransomware (i.e. the encryption is linked to a ransom demand), such as Locky, WannaCry or GoldenEye. In 2016, the IT department of the Lukas Hospital in Neuss became the victim of a ransomware attack. As a result, operations had to be postponed and emergencies rejected.
Loss of data
According to IBM Security, in 2016, over four billion records were stolen.
After encrypting the data on the computer and the system, cyber criminals then demand a ransom - if no backups have been made, the data will otherwise be lost and systems will not be usable. And also the import of backups costs time and money and demands valuable working time from colleagues.
It is generally and publicly known that a large number of foreign states are actively and constantly engaged in industrial espionage. They hire professional hacker groups to carry out targeted cyber attacks on a daily basis. Attacks range from the placement of spy software to the use of malware.
Successful attacks can lead to the failure of entire systems. In 2014, for example, a blast furnace in Germany was severely damaged because malicious software infiltrated the furnace and prevented it from being shut down properly.
Breaches of data protection
Phishing attacks lead to major data protection violations on a daily basis. Identity theft is just one example, along with the disclosure of sensitive company data, passwords or internal documents.
The most important rule is to always be sceptical and vigilant. If a message appears suspicious, the sender should be contacted directly via a known route. In most cases, a short phone call or an inquiry in the internal short message service is enough. There are no stupid questions:
if ten false alarms help to prevent an attack, it saves the resources of the IT department.
Sometimes phishing e-mails are already conspicuous by their sender as fake: Attackers use sender addresses such as @amazon-shipping instead of @amazon.com . @it-seal.com-index.com instead of @it-seal.deto feign legitimacy. However, in most cases, the sender address of an e-mail is as easy to fake as that of a letter - therefore even a supposedly legitimate sender offers no security!
The following points often indicate that the message is fraudulent:
Unusual writing style, deceptive subject, grammar and spelling errors
|Doesn't the colleague uaslly write more open and loose? Be skeptical!|
Sometimes fake e-mails are conspicuous by grammatical errors or nonsensical words, as the messages are often sent with an online translation service.
Missing name / unusual address
A bank or partner company would never address you as 'Dear Mr Customer'.
Urgent need for action is generated
You are asked to act quickly - sometimes this is even combined with a threat. This is where you should become suspicious. Get a second opinion from a colleague or call the sender directly and ask.
Request to enter data
Passwords, PINs and TANs are never requested via phone from colleagues, your favourite online store or a bank; this is one of the most important security rules.
Prompt to open a file / activate the edit mode
You should never download or open files in unexpected emails, as they may contain malware and infect your computer.
Inserted HTML-links or forms
Hyperlinks should always be checked before they are clicked. In doing so, pay close attention to where the link refers to. For a detailed explanation of how to check the destination of a link, see the next section.
Hyperlinks are parts of text which, when clicked, refer to the linked target. This is usually a website. While in some phishing e-mails parts of the text are linked (e.g. '... find '), others display the link as a whole.
Analyse the link target in detail: The relevant part of a link can be found in the so-called 'Who-Area'. If you read from http(s):// to the next ''/", it is located around the last point before the '/'. The rest of the link is completely negligible. In the following examples the Who-Area is marked bold.
Safe example: https://www.google.com/services refers to google.com.
Phishing example: https://www.google.com.myaccounts.biz/services refers to myaccounts.biz.
Have a look at the following links and pay attention to the Who-Section: Which links are real and which are fake?
Phishing attacks work especially well if they are designed as realistically as possible. In order to do this, the attacker needs information about his target person. With so-called spear phishing criminals use publicly visible data on social media such as Facebook or Instagram, on job portals such as Xing or LinkedIn, on news sites or on the company website. Therefore the first and most important recommendation is data minimization. Check what information you share with whom. Especially your contacts, the position in the company or interests. For example, configure your privacy settings on Xing so that your contacts are not publicly visible.
Furthermore, regular updates are essential, for example to prevent attacks via browser or plug-in vulnerabilities. Outdated versions may contain security gaps that make it very easy for attackers to infect your computer. For many operating systems, updates are only installed on restart. Therefore, do not only switch your computer to stand-by, but regularly switch it off completely.
In the past, the browser plugin Adobe Flash Player has repeatedly attracted attention due to security vulnerabilities. It is required to display certain content on websites. In various attacks, computers were infected unnoticed simply by visiting a website. You should deactivate the Flash Player by default, so that it will only be executed after your consent.
Listen to your gut! There are often small discrepancies in a phishing e-mail, which can easily be overlooked in stress situations or due to automatisms. As soon as even a small question mark appears, check the e-mail more closely. You have learned to recognize fake links. You can check file attachments before opening them with the help of your virus scanner. To do this, download the file and right-click on it to select the correct option. Particular care should be taken with MS Office documents with macros (e.g. docm). These can download malicious code as soon as the macros are activated and are usually not detected by virus scanners. Therefore, only activate macros if the origin of the document is absolutely trustworthy. .zip files are frequently used by criminals. In this case, even opening it can result in the execution of malware. If you are not sure: Just ask. The sender, the IT department or colleagues.
We recommend the five-minute „educational video about online fraud - detecting and averting dangers„.
License: CC BY_SA 4.0: https://creativecommons.org/licenses/by-sa/4.0, video only available in German
A film by: Design & Animation MotionEnsemble, idea / koncept: Prof. Dr. Melanie Volkamer (secuso.org) & Alexander Lehmann (alexanderlehmann.net), Stimme Florian Maerlender (www.maerlender.eu)
If you feel that you have been tricked by a phishing attack, you should react quickly. The longer you wait, the greater the potential damage. The right reaction depends on the type of error.
If you have passed on your password by entering it on a fake login page, you should change the password immediately or block your account .
If you may have downloaded malware, immediately disconnect the network cable and the disconnect the computer from the W-LAN.
In any case, you should immediately inform the IT department about the incident.
People are increasingly in the focus of attacks by cyber criminals as they are a weak point, because they can represent the biggest security gap in an organization. Trained employees however offer great potential for achieving a high level of security. This is why it is so important that every employee is aware of phishing, so that he or she can safely recognize these kind of attacks and knows how to behave professionally.
- The free learning concept NoPhish enables you to easily learn the basics of how to detect a phishing e-mail. It is available as an online platform as well as an iOS and Android app. You can find more information in our blog entry about NoPhish. NoPhish was developed by SECUSO, a research group of the KIT.
- PassSec+ for Mozilla Firefox recognizes unencrypted web pages and warns you when entering login data. PassSec+ helps protecting against many attacks in which login data is to be tapped. It was developed by SECUSO, a research group of the KIT.
- If you feel like there is something off: www.virustotal.com lets you check URLs so you can safely click or ignore the link in question. Files can be checked as well - but be careful which files you upload, there might be sensible information in your file.
- Use different passwords for different accounts and change them regularly - otherwise potential attackers will have access to all your accounts. A Password manager like KeePass can help you to keep an overview: With it you only need to remember one master password.
IT-Seal (Social Engineering Analysis Labs) is a team of IT security experts for social engineering and phishing prevention. We help companies and their employees to reduce the dangers and damage caused by social engineering attacks to a minimum. To achieve that we carry out respectful attack simulations. By doing so, we can measure the security standard of the company and all participants learn to deal with cyber attacks in a secure environment. The simulation of attacks is done mostly via e-mail and includes different levels of difficulty. The privancy of the participating employees is always a high priority for us. In our phishing evaluations we only report on group-related behaviour - individual behaviour is never communicated at any time.
We pursue a full service concept and rely on non-invasive training: Participants who can already reliably detect phishing attacks are not disturbed in their everyday work. However, if an employee clicks on one of our phishing e-mails, he or she is shown directly how he or she could have exposed it as such by using the e-mail as an example.
That sounds interesting? Test our free phishing simulation: As a participant in our demo you will receive four phishing e-mails within two working days. If you click (by mistake or out of curiosity) on a link contained in the emails, you will be taken to our explanation page.
- Security Awareness made measurable with our ESI®: The Employee Security Index is a scientific benchmark for measuring the IT security awareness in companies. It also enables comparability. Which department or industry is sensitized in which way? Where are measures still needed? The ESI®, an indicator of information security, makes this transparent.
- Defence against spear phishing by criminals: In order to sensitize employees for attacks by cyber criminals in the best possible way, we customize the mails in our simulation to these criminals by using largely personalized addressing and relying on authentic content. We want employees to be able to train for an emergency with realistic and trustworthy messages. We do not practice generic "mass phishing".
- Our co-founder and creative mind, David Kelm, is an accomplished social engineering expert: David Kelm has been working on social engineering (employee manipulation by criminals) since 2012. Kelm won the "Best Student Award" of the German Federal Office for Information Security (BSI) for his scientific insights into the "human factor" in IT security. He is convinced that employees can become with the right learning approach the "human firewall" of their company - instead of endangering security.
- Our work is based on scientific research: Our measures for the sensitization of employees against spear phishing as well as their success measurement are based on successful research. With David Kelm, our start-up, which is a spin-off of the TU-Darmstadt, also has a well-versed expert in social engineering, especially spear phishing, at its head.
- Data protection and employee convenience go hand in hand: Since we want to sensitize employees but not to malign them, we make sure that they always remain anonymous in the evaluation. We only evaluate the success of our measures on a group basis and our data processing is of course in compliance with the GDPR.
- Made in Germany: IT-Seal is a German company that specialises mainly in the German market. Business customers based here therefore receive GDPR-compliant services from us, which also comply with the legal provisions applicable here in other respects. Already during the development of our solutions, we place the focus on employee and data protection ("security & privacy by design").
- The first local cyber security campaign in Germany: With "Stay alert, Darmstadt!" we have launched an unprecedented initiative with the "City of Science" Darmstadt and the Digital City Darmstadt, which offers citizens free IT security training and sensitizes them to phishing.
- Multiple awards: We have won the following prizes for our measures to increase the awareness of employees and our ideas for measuring and comparing these measures:
– 1st place in the pan-European social engineering competition @TREsPASS_Project
– Top 10 of the best Cyber Security Startups in Europe @SBA_Research
– "Best Student Award" of the Federal Office for Information Security (prize winner: our co-founder and creative mind) David Kelm