What is social engineering?

2017-05-22 - Author: DSwiss AG

Social engineering is a simple yet very effective form of industrial espionage. The attackers steal important company data or smuggle in viruses by exploiting human weaknesses.

Social engineering often starts with research on the target person and the respective company. The attackers gather information on employees by searching social networks such as Facebook, Twitter, Xing or LinkedIn for public information. At the same time, they collect information from the company website and from online directories. Sometimes, the attackers also ask the company directly by e-mail or phone. The attackers then use this background information on internal structures, employees and superiors for the actual deception maneuver.

Attack by phone, e-mail or in person on site

The attackers often use the telephone. For example, they pose as internal IT administrators and provide information about an alleged security gap that must be closed immediately. Rhetorical skill and trust-building background information help the attackers get straight to their target. Caught by surprise, the victims pass on personal data such as passwords, thereby giving the attackers access to internal systems.

Occasionally, the attackers infiltrate the company or bribe employees. Some watch their victims enter passwords or eavesdrop on internal conversations. In other cases, the attackers hack into employees' e-mail accounts, send e-mails from there, and ask for personal information. Phishing is therefore also classified as a social engineering attack, because it is intended to steal personal data via forged e-mails or malicious links.

How to protect yourself and your company

The examples mentioned show why social engineering is one of the most successful attack methods: the attackers target human weaknesses and manipulate their victims. These 7 tips help you better protect yourself from attacks:

  1. Regularly train employees on the risks and possible forms of social engineering.
  2. Do not share personal information on social media.
  3. Use a password store in the company.
  4. Do not enter passwords in the presence of third parties.
  5. Check with supervisors before giving out personal information.
  6. Find out about internal security procedures.
  7. Do not discuss internal company information in public.