Social Engineering

In Brief

Social engineering is a technique that aims to access confidential information or certain assets by manipulating people who have direct or indirect access to it. One example of social engineering is phishing.

Social engineering does not just apply to the IT domain, it can also occur in daily life and, in particular, at the workplace. As soon assets of a certain interest are at stake, attacks like this type may appear.

The human factor is the focal point of social engineering attack techniques. In essence, it is the intelligent manipulation of our natural propensity to trust. Relationships based on unearned trust are developed in a calculated way, most often through a simple conversation, and are then exploited to gain as much profit from the situation as possible.

Social engineering can take place over the phone, by E-mail, through social networking or, of course, in the physical presence of the attacker.

How Does It Work?

Social engineering techniques exploit certain human vulnerabilities and vulnerabilities in the targeted entity’s organisation. In fact, it’s human nature to want to help others and trust people who are polite and friendly, even if they are total strangers. It all depends on the situation and how the wrongdoer(s) present(s) themselves to us. Very often, a simple request asked in a direct manner by the attacker may be all it takes to get the victim to respond sincerely.

The aim of the attack is to make a person do something that they would not normally do; the attacker’s motivation is to obtain information that they cannot normally access. In an increasingly digitalised world, this very often (but not always) comes down to obtaining authentication information.

An attacker may, for example, initially try to establish a relationship of trust with a member of staff with whom they will spend a certain amount of time trying to uncover information about the targeted company. It is therefore not uncommon to meet attackers with an in-depth knowledge of the jargon employed by the company’s business line and the procedures it has put in place. This makes it easier to make internal contacts and to place requests which may otherwise appear suspicious.

From the employee’s point of view, they are presented with a person who seems to be aware of internal procedures and who uses the same jargon. In a large company where it is difficult to know everybody, the employee has no reason to be suspicious and often ends up cooperating. Thinking they are doing their job correctly, they have no reason to refuse to help a person whom they believe to be a colleague.

Very often, the victim only realises they have been tricked after the fact, once the attacker has already left the premises without leaving a trace, but in possession of precious information.

Other strategies are also possible, notably with regard to picking up clues that lead to information. The attacker may present themselves as an investigator looking into the business of the targeted person or entity. In particular, they may ask a serious of innocuous questions, amongst which is hiding one to which the answer is of particular interest to the attacker.

The attacker may also adopt a completely different strategy, for example, by putting their victim at an impasse and presenting themselves as the only person who can solve their problem. In the majority of cases, the victim will cooperate and will respond without batting an eyelid at the attacker’s specific questions.

Protective Measures

Behavioural Measures

  • Before going on a business trip, read through the Ministry of the Economy and Foreign Trade’s be-safe programme.
  • Do not reveal internal information about your work or company on social networks.
  • Do not respond to illicit requests for information (whether in person or by telephone).
  • Any information, even seemingly insignificant, must be considered important and therefore protected.
  • You should also be vigilant regarding seemingly harmless Internet surveys and quizzes.
  • Alarm bells should ring if a person you do not know becomes very curious. Even if the questions do not directly relate to confidential information.
  • Do not click on unsolicited or suspicious-looking links in E-mails or on social networks. If in doubt, contact the (supposed) sender to check if the E-mail is legitimate (see also E-mail – best practice, malware: best practice).
  • Never share your Internet or computer login details or password with anyone, even if the request seems very credible. Your company’s IT department does not need them and will never ask you for them. The same applies to banks, online shops or any other services that might ask you for information via E-mail.
  • Never carry out orders for a stranger, whether by telephone, E-mail or direct contact if these orders concern sensitive information.
  • If in doubt, check the identity of your phone or computer contact. On the telephone, you could, for example, ask your correspondent for their telephone number and call them back once you have verified it. This preventative measure is a good way to tell if your correspondent actually has authorised access to the telephone line they are calling you from.
  • If in doubt, do not make impulsive decisions. Take some time to reflect, so that you free yourself from the aggressor’s pressure. Do not worry about asking an unknown correspondent to call you back the following day. Doing so will give you a chance to consider the situation carefully and resolve the issue calmly.
  • Always log off websites and other pages online using the button provided for this purpose. If you do not log out manually, the session may remain open and make it easier for the attackers to gain access.
  • Never open an E-mail attachment from an unknown or suspect sender. The same goes for suspicious files on websites. Attachments like these may contain Trojans that give an attacker access to all of the files and data stored on your computer (See also: E-mail – best practice, malware: best practice).
  • Never leave paper documents containing sensitive information in plain view. Likewise, for documents thrown in the bin. Make any documents you no longer need illegible.

Further Information