Guest article: social engineering - a human risk to IT security

How companies can protect themselves from sophisticated cyberattacks and why targeted employee awareness is essential to overcome human vulnerabilities.

Companies are increasingly investing in their IT security. However, the number of successful cyberattacks and variants of ransomware continues to rise. As firms implement more technical safeguards within their IT infrastructure, attackers are shifting their focus to other vulnerabilities. One method that targets employees directly is called social engineering. In this guest article, Anne Roemer from HTH GmbH explains what social engineering entails and how companies can protect themselves against it.

What is social engineering?

Social engineering is a form of attack in which perpetrators manipulate people rather than exploit a technical flaw. Beforehand, they gather extensive information about potential targets and the targeted company, and then use this information strategically in the attack. Criminals rely on publicly available sources, such as corporate websites or social networks, and may even eavesdrop on calls or conversations. In this way, they compile a wealth of professional and personal background information. Based on these details, attackers can plan and execute a highly targeted assault on a company.

Social engineering attacks are often successful because they exploit human traits rather than technical weaknesses. People are naturally susceptible to fear, curiosity, and deference to authority, and we have needs such as the desire for social approval or the urge to help others. Cybercriminals exploit these deeply ingrained psychological traits, and it is this reliance on ordinary human behaviour that makes social engineering so potent.

Targets of social engineering include large corporations as well as small and medium-sized enterprises. This makes it all the more important for employees to understand the risks. Attacks can be conducted via various channels. While email is common, methods also include SMS, phone calls, personal interactions, or video conferencing tools. The creativity of attackers knows no bounds. Here, we present three social engineering methods that everyone should be aware of.

Three social engineering methods

1. CEO fraud

In CEO fraud, a criminal poses as a company executive or CEO. Acting in this supposed position of authority, they issue instructions, such as requesting a specific financial transfer, typically framed as urgent and confidential so that the employee does not check with colleagues. Perpetrators use a variety of communication media for this type of fraud, often favouring emails sent from a forged or lookalike sender address, but also relying on phone calls. CEO fraud, also known as executive fraud, remains a common tactic. Despite its prevalence, many employees are still unfamiliar with this method. Regional criminal investigation offices have been warning about this attack technique for years.

2. Spear phishing

The basic phishing technique, mass emails that prompt recipients to click a link, is now widely recognised. These links typically lead to fake login or payment pages that request confidential information, such as passwords or bank details.

Spear phishing takes this a step further. The principle is the same, but attackers focus on quality rather than quantity. They conduct detailed research beforehand to gather extensive personal information about their target. Based on this, they craft highly personalised emails that appear relevant to the recipient. This significantly increases the likelihood of a successful attack. For example, an email seemingly from a local grocer or library is less suspicious, making individuals more inclined to share information without realising the risk.
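Both email-based methods above, CEO fraud and spear phishing, rely on a sender who is not who they claim to be. The following is an added example, not code from the article or from HTH GmbH, of the header checks a mail gateway or a SOC script can run before a message reaches the recipient: a display name that matches an executive but comes from an external domain, a sender domain that imitates the company domain (one-character typosquats, digit-for-letter swaps, or the company domain used as a subdomain of an attacker's domain), and a Reply-To that silently redirects answers elsewhere. The company domain `example-corp.com`, the executive names, and all sample messages are constructed assumptions for the illustration.

```python
"""Sender-impersonation checks for inbound mail (illustrative, not HTH GmbH code).

Assumed: the protected organisation uses the domain example-corp.com and its
executives are the names in EXECUTIVES. All sample messages are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"            # assumed company mail domain
EXECUTIVES = {"anna meier", "thomas weber"}    # assumed executive names, lowercased


def normalise_domain(domain: str) -> str:
    """Fold common lookalike substitutions so that e.g. 'examp1e-c0rp.com'
    compares equal to 'example-corp.com'. Both sides of a comparison are
    folded the same way, so this is a similarity check, not a validity check."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))  # strip accents
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if an external domain imitates the company domain."""
    if domain == COMPANY_DOMAIN:
        return False
    if domain.startswith(COMPANY_DOMAIN + "."):          # example-corp.com.attacker.net
        return True
    return edit_distance(normalise_domain(domain), normalise_domain(COMPANY_DOMAIN)) <= 1


def assess(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    if from_domain != COMPANY_DOMAIN:
        if is_lookalike(from_domain):
            findings.append(f"sender domain {from_domain!r} is a lookalike of {COMPANY_DOMAIN!r}")
        if " ".join(display.lower().split()) in EXECUTIVES:
            findings.append(f"display name {display!r} matches an executive but the sender domain "
                            f"{from_domain!r} is external")

    # Classic CEO-fraud pattern: plausible From, replies silently routed to the attacker.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample messages; none of these addresses are real.
SAMPLES = {
    "legitimate": "From: Anna Meier <anna.meier@example-corp.com>\nSubject: Board minutes\n\nAttached.\n",
    "freemail_exec": "From: Anna Meier <ceo.anna.meier@gmail.com>\nSubject: Urgent transfer\n\nPlease pay today.\n",
    "lookalike": "From: Thomas Weber <t.weber@examp1e-corp.com>\nSubject: Invoice\n\nNew bank details below.\n",
    "reply_to": ("From: Anna Meier <anna.meier@example-corp.com>\n"
                 "Reply-To: Anna Meier <anna.meier@example-corp-secure.net>\n"
                 "Subject: Confidential\n\nKeep this between us.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {assess(raw) or ['no findings']}")
```

Two caveats for anyone adapting this: the From and Reply-To headers are written by the sender, so for mail claiming to come from the company's own domain the authoritative check is SPF, DKIM and DMARC alignment at the gateway, with this script as a second layer; and a hit should not merely add a warning banner but trigger the organisational step described later in the article, confirming the request with the supposed sender through a channel the attacker does not control.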

3. Deepfakes

The term "deepfake" refers to audio or video content that has been synthetically generated or manipulated so that it appears convincingly real. What began as an internet novelty, often putting false words into the mouths of celebrities, has evolved into a genuine threat to businesses. Attackers use this technique to impersonate company leaders on a phone or video call, perhaps instructing a financial transfer. Such recordings can be very hard to distinguish from the real person in the course of a call, which makes awareness of this method, and the habit of verifying unusual instructions through a separate channel, all the more crucial.

Protecting against social engineering

Unfortunately, social engineering cannot be thwarted through technical IT measures alone, because it exploits human weaknesses rather than technological vulnerabilities. Attackers are highly creative and constantly find new ways to obtain the data they need. Companies are strongly advised to educate and prepare their employees for the attack scenarios described above, and regular awareness training is an effective way to do so. In addition, organisational measures provide a safeguard that does not depend on a single person spotting the deception: the four-eyes principle for financial transactions, under which no payment or change of bank details is executed on one person's instruction alone, and the rule that unusual requests are confirmed through a second channel, for example by calling the supposed sender back on a number already on file rather than one given in the message.

Cyberattacks pose a real and existential threat to businesses of all sizes. It is essential to take proactive measures to defend against them.

For more information about the IT solutions offered by HTH GmbH, click here.

Guest author Anne Roemer

Anne Roemer is responsible for marketing at the IT systems company HTH GmbH. The IT service provider's clients include small and medium-sized businesses, as well as notary offices and law firms.

About the IT Systems Company HTH GmbH
