What actually is social engineering?
She is pretty, single and her messages are as alluring as her blonde hair. Before the man who accepted her Facebook friend request knows it, the two are exchanging a stream of brief, teasing messages, and on some days long, very intimate emails. In fact, it is remarkable how much he and his chance online acquaintance have in common. He feels safe and properly understood for the first time in years, although they have never met in person. Fate brings some people together; others are taken in by a fraudster. That is what is called social engineering.
Without the victims giving it a moment’s thought, they disclose confidential information about their work or transfer money to people they actually do not know at all. Social engineering leads people to happily do things they would otherwise never do. Contrary to expectations, however, social engineering is not a motivation technique but a particularly refined form of fraud. We explain what social engineering is, who it can affect and how you can protect yourself against it.
The idea of social engineering originally came from philosophy. Karl Popper coined the term in 1945 and by this was initially referring to sociological and psychological elements for improving social structures. Popper’s principle was mainly based on the assumption that people can be optimised like machinery. In the 1970s, Popper’s successors expanded his theory to include certain types of psychological trickery. However, their initial objective was not data theft – they wanted to urge people towards better interaction and greater health awareness. This indeed involved manipulation – but with a different aim. Today we commonly refer to social engineering as a fraudulent form of subliminal manipulation.
Some hackers focus on targeted psychological manipulation rather than relying on purely technical methods.
Although the methods remain true to their philosophical roots, the social engineers’ motives have changed significantly. Anyone who understands what makes people tick can specifically manipulate them with a little instinct – and a little more criminal intent. Often the fraudsters assume the role of an acquaintance or trusted tradesperson, or they pretend to be from a bank or even the fire brigade. The perpetrators gain trust in this way – and often sensitive data as well.
In short, social engineers try to exploit people for their own ends. One of the best known social engineers is the hacker Kevin Mitnick. Through the sheer number of intrusions into other people’s computers, Mitnick quickly became one of the most wanted people in the United States. He is said to have penetrated some of the best secured networks in the USA hundreds of times; he also allegedly spied on the Department of Defense and even the NSA. In his book “The Art of Deception”, Mitnick writes that social engineering is a significantly faster way of getting the information you want than purely technical methods. Instead of developing spyware, Mitnick programmed the will of his fellow human beings.
In the digital era, fraudsters also use this tactic on the Internet. Often it all starts with an email, or sometimes a message via a social network. The classic is the phishing email luring people to a convincing fake website: anyone who enters their data there passes it straight to the criminals. Sometimes the cyber criminals also play on their victims' curiosity and send emails with a link that supposedly leads to a greeting from an acquaintance. Instead of a nice message, a malware download awaits the user who clicks on it.
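The two tricks described above leave traces a machine can check before a person ever reads the message: a link whose visible text names one site while its real target is another, a host written in punycode so that it renders as a look-alike of a well-known name, and a "greeting" link that points straight at an executable. The following is an added example (not code from the original article or from G DATA) that scans a constructed HTML email body for exactly these signs; the sample message, the hostnames in it and the helper names are all made up for the illustration, and the "registrable domain" logic is deliberately crude (real code would consult the Public Suffix List).

```python
"""Flag deceptive links in a phishing-style HTML email body (added example).

Checks each anchor's visible text against its real href target, flags
IDN/punycode hosts (look-alike domains) and links to executable files.
The sample email below is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: first link mimics a bank login, second mimics a
# greeting card but points at a punycode look-alike host and an .exe,
# third is an ordinary link and must not be flagged.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Please verify your details:</p>
<a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a>
<p>Or open the greeting your friend left for you:</p>
<a href="http://xn--pple-43d.com/card.exe">apple.com</a>
<p>Unsubscribe <a href="https://www.example-bank.com/unsubscribe">here</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude approximation (last two labels); fine for the sample input,
    # production code should use the Public Suffix List instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text):
    """True if the anchor's visible text is itself a URL or bare hostname."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I))


def analyse_links(html):
    """Return [(href, [reasons])] for every suspicious anchor in the body."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = urlparse(href).hostname or ""
        # 1. Displayed URL and real destination disagree.
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        # 2. Punycode label: what the user sees may be a homograph.
        if any(label.startswith("xn--") for label in host.split(".")):
            try:
                decoded = host.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = "?"
            reasons.append(f"punycode host {host} renders as {decoded}")
        # 3. The "greeting" is really a direct executable download.
        if href.lower().endswith((".exe", ".scr", ".js", ".hta")):
            reasons.append("link points directly at an executable download")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the bank link is flagged once (display text and target differ) and the greeting link three times (mismatch, punycode, executable), while the plain unsubscribe link passes. A check like this belongs in the mail gateway or client, where it can warn the recipient before curiosity or trust does the rest.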
Because social engineers have recognised that the ability to influence people is a security hole, IT experts also talk of human hacking. This means that a person's mind is hacked rather than a computer, and information they never intended to reveal is wormed out of them without their realising. They can also be manipulated into doing things they should not have done. Put plainly, people are a security risk that needs to be taken seriously. While virus scanners and firewalls can protect an IT system very well, its users can still be manipulated. Germany's Federal Criminal Police Office (BKA) therefore speaks of "human vulnerability". While a computer works entirely rationally, people are also guided by their emotions. Many researchers think that almost 80 percent of all decisions we make are based on feelings, which would mean that our reasoning has little say, if any, in most cases. This is precisely what human hacking exploits.
For this reason, social engineering appears wherever people are the key to money or information of interest. National institutions and authorities as well as businesses and private individuals can all be manipulated and spied on. According to research by the IT industry association Bitkom, digital industrial espionage, sabotage and data theft cost German companies around 51 billion euros in losses every year, and 19 percent of the companies surveyed reported social engineering as a factor. Besides money, it is not unusual for ideas or confidential data to be given away, and none of it happens with the discloser suspecting any kind of fraud.
In view of the sometimes staggering sums that the fraudsters trick people out of, one question needs to be asked and answered: What causes people to be deceived in this way? To start with, you do not have to be naive to become a victim of social engineering. In 2015, an American schoolboy led several CIA agents to believe that he was an IT expert and as a result got hold of important access data. He had access to the director of the CIA’s email account for three days. The irony here is that, unlike the National Security Agency (NSA), one of the focal points of the CIA is acquiring information from people. Consequently, CIA agents are very familiar with the principle of social engineering.
That social engineering can be so successful is down to the relative predictability of human thinking and behaviour: it exploits a few basic characteristics. In one study, psychologists Myles Jordan and Heather Goudey identified 12 factors underpinning the most successful instances of social engineering between 2001 and 2004. These included inexperience, curiosity, greed and the need for love. They are very basic emotions and personal characteristics, and sometimes they reinforce each other, which makes things easy for the perpetrators. An important basis for social engineering is that people are gripped by their emotions and reason is sidelined in their decision-making.
The fraudsters proceed in very different ways to make someone an unwitting accomplice, and their knowledge of the future victim varies. With conventional spam the fraudsters know nothing about their victims. This method relies purely on mass emails and functions like a massive dragnet: with a large number of recipients, the perpetrators are highly likely to net a few victims. Other methods are more reminiscent of angling for a particular species of fish, in a targeted way and with knowledge of what bait the fish will take. Such specialised phishing is called "spear phishing", because the perpetrators single out their victims as in spear fishing. If the fish is somewhat bigger, for example a high-ranking employee in an international company, experts also talk of "whaling". How much the perpetrators find out about the victim beforehand therefore depends mainly on the prize they hope to gain.
One mixture of offline and online endeavours is called “dumpster diving”. The fraudsters search through the target’s rubbish to find out as much as possible about their habits, interests and life situation. Babies’ nappies, medication boxes, pizza boxes, discarded paperwork – social engineers can deduce important information from such apparent trifles. Much more pleasant than rummaging through piles of rubbish is vetting people on social media platforms. Unthinking users present their personalities to the perpetrators on a silver platter, in public posts, likes or photos, and make it easy for the fraudsters to ingratiate themselves with them via fake commonalities.
- Jordan, M., Goudey, H. (2005) "The Signs, Signifiers and Semiotics of the Successful Semantic Attack". In: Proceedings of the EICAR 2005 Conference, pp. 344-364.
- Mitnick, Kevin D., Simon, William L. (2003) "Die Kunst der Täuschung" (German edition of "The Art of Deception"). mitp-Verlag.