Dr. Christian Schunck is a physicist who works in the research field of digital identity management at the Fraunhofer Institute for Industrial Engineering (IAO) in Stuttgart. He explains that social engineering is a term that refers to the manipulation of people’s social behaviors, desires, and emotions in order to exploit them for criminal activity.
Cybersecurity focuses heavily on the technical aspects of protecting against cybercrime. However, the human factor is often overlooked as a potential vulnerability. Social engineering predates cybersecurity and is a tactic that has been used for a long time.
The criminal tactic known as CEO fraud is a common example of social engineering. Cybercriminals use the principle of authority to pretend to be managing directors and persuade employees to carry out specific actions, such as transferring money abroad. The victim feels flattered that the boss thinks they are so important. This trick has caused over a hundred million euros in damage in Germany alone.
Another example of social engineering is phishing. Criminals create trustworthy e-mails intended to entice victims to click on certain websites or open email attachments. They also exploit a person’s greed or desire for good pay, using enticing job offers.
Telephone calls are another effective attack vector. Attackers may pretend to be IT employees or members of the human resources department and gather information about employees. By appealing to several victims who feel they are helping, the attackers can get a more precise picture of their next target for a multi-stage attack.
Companies must make their employees aware of these tactics and insist on certain rules, such as the four-eyes principle, to prevent such attacks. Social engineering remains a significant threat that must be taken seriously to prevent further criminal activity.
