Social engineering
What is social engineering?
Social engineering is a method used by attackers to manipulate people in order to gain access to confidential data. Rather than exploiting technical vulnerabilities, they rely on psychological tricks.
Attackers often pretend to be employees, managers, IT support or external service providers. They make contact via email, telephone, text messages or social media. In most cases, the messages or requests appear credible – which is precisely what makes them so dangerous.
The goal is almost always the same: access to sensitive information, such as passwords, access data or protected systems.
What methods are there?
Phishing is a widespread method of attack. It involves sending fake emails that look deceptively genuine and ask recipients to click on a link or enter their details. The message often comes from an apparently known email address.
Spear phishing is even more targeted. Here, personal information is used to make the scam appear particularly credible – such as the name, position or department of the target person.
Other known methods:
- Pretexting: The attacker feigns a reason in order to build trust.
- Vishing: Deception by telephone, usually under a false name.
- Phishing via text messages or social networks.
- Tailgating: An unauthorized person gains access to a building by sneaking in unobtrusively with others.
Some attacks target particularly critical data, such as personal information, account data or even sensitive identifiers like the Social Security number.
How do you protect yourself?
Technical protective measures such as firewalls or spam filters are important, but not enough. Effective protection starts with people. Companies should regularly train their teams and familiarize them with typical social engineering attacks.
Suspicious emails, especially phishing emails, should not be opened. Do not click on links, do not open attachments and never pass on confidential data, whether on the phone or by email.
If in doubt, it is better to ask too many questions than to let sensitive data fall into the wrong hands.