What actually is social engineering?

G DATA Guidebook

She is pretty, single and her messages are as alluring as her blonde hair. And before the recipient of her friend request on Facebook knows it, they are writing a stream of brief, teasing messages to each other. And long, very intimate emails on some days. In fact, it is crazy how much he and his accidental online acquaintance have in common. He feels safe and properly understood for the first time in years, although they never met each other in person. Fate brings some people together – and others are taken in by a fraudster. That is what is called social engineering.

Without the victims giving it a moment’s thought, they disclose confidential information about their work or transfer money to people they actually do not know at all. Social engineering leads people to happily do things they would otherwise never do. Contrary to expectations, however, social engineering is not a motivation technique but a particularly refined form of fraud. We explain what social engineering is, who it can affect and how you can protect yourself against it.

How did social engineering arise?

The idea of social engineering originally came from philosophy. Karl Popper coined the term in 1945 and by this was initially referring to sociological and psychological elements for improving social structures. Popper’s principle was mainly based on the assumption that people can be optimised like machinery. In the 1970s, Popper’s successors expanded his theory to include certain types of psychological trickery. However, their initial objective was not data theft – they wanted to urge people towards better interaction and greater health awareness. This indeed involved manipulation – but with a different aim. Today we commonly refer to social engineering as a fraudulent form of subliminal manipulation.

How does social engineering work?

Some hackers focus on targeted psychological manipulation rather than relying on purely technical methods.

Although the methods remain true to their philosophical roots, the social engineers’ motives have changed significantly. Anyone who understands what makes people tick can specifically manipulate them with a little instinct – and a little more criminal intent. Often the fraudsters assume the role of an acquaintance or trusted tradesperson, or they pretend to be from a bank or even the fire brigade. The perpetrators gain trust in this way – and often sensitive data as well.

In short, social engineers try to exploit people for their own ends. One of the best known social engineers is the hacker Kevin Mitnick. Through the sheer number of intrusions into other people’s computers, Mitnick quickly became one of the most wanted people in the United States. He is said to have penetrated some of the best secured networks in the USA hundreds of times; he also allegedly spied on the Department of Defense and even the NSA. In his book “The Art of Deception”, Mitnick writes that social engineering is a significantly faster way of getting the information you want than purely technical methods. Instead of developing spyware, Mitnick programmed the will of his fellow human beings.

What does social engineering on the Internet look like?

In the digital era, fraudsters are also using this tactic on the Internet. Often it all starts with an email, or sometimes a message via a social network. The classic is the phishing email luring people to a perfect fake website. Anyone who enters their data there passes it on directly to the criminals. Sometimes the cyber criminals also play on their victims’ curiosity and send emails with a link that supposedly leads to a greeting from an acquaintance. But instead of a nice message, a malware download awaits the user after clicking on it.

Example: Robin Sage

One prominent example of social engineering via social networks is the case of Robin Sage. Sage was young, attractive – and completely invented. In 2010, US IT expert Thomas Ryan created a social media profile with a photo and the interests of an attractive young woman by the name of Robin Sage. Ryan’s fictional figure systematically wound military figures, industrialists and politicians around her finger and extracted confidential and highly sensitive information from them. In doing so, none of those affected actually met Sage in person. Via social media alone, Ryan sent the type of believable and enticing messages that gave his victims no cause for doubt – and they chatted away freely. However, for Ryan it was less about the information disclosed. He wanted to expose people as a security hole, which he impressively succeeded in doing.

What does “human hacking” mean?

Because social engineers have recognised that the ability to influence people is a security hole, IT experts also talk of human hacking. This means that people’s minds are hacked rather than a computer, and information that they actually did not intend to reveal is wormed out of them without them realising. Furthermore, they can also be lured through manipulation into doing things they actually should not have. Put plainly, people are a security risk that needs to be taken seriously. While virus scanners and firewalls can provide an IT system with very good protection, the users can still be manipulated. The German Federal Police Criminal Office therefore talks of “human vulnerability”. While a computer works entirely rationally, people are also guided by their emotions. Many researchers think that almost 80 percent of all decisions we make are based on feelings. This means that our reasoning has little say, if any, in most cases. And this is precisely what human hacking exploits.

Who does social engineering threaten?

For this reason, social engineering appears wherever people are the key to money or information of interest. Hence national institutions and authorities as well as businesses or private individuals can be manipulated and spied on. According to research by IT industry association Bitkom, digital industrial espionage, sabotage and data theft cost German companies around 51 billion euros in losses every year. 19 percent of the companies surveyed reported social engineering as a factor here. Besides money, it is not unusual for ideas or confidential data to be disclosed. In none of these cases does the discloser suspect any kind of fraud.

Why are people taken in by the fraudsters?

In view of the sometimes staggering sums that the fraudsters trick people out of, one question needs to be asked and answered: What causes people to be deceived in this way? To start with, you do not have to be naive to become a victim of social engineering. In 2015, an American schoolboy led several CIA agents to believe that he was an IT expert and as a result got hold of important access data. He had access to the CIA director’s email account for three days. The irony here is that, unlike the National Security Agency (NSA), one of the focal points of the CIA is acquiring information from people. Consequently, CIA agents are very familiar with the principle of social engineering.

Which psychological mechanisms lie behind this?

That social engineering can be so successful is down to the relative predictability of human thinking and behaviour. Social engineering mainly exploits specific basic characteristics. In one study, psychologists Myles Jordan and Heather Goudey identified 12 factors underpinning the most successful instances of social engineering between 2001 and 2004. These included inexperience, curiosity, greed and the need for love. These are very basic emotions and personal characteristics, and sometimes they can even mutually reinforce each other. This makes things easy for the perpetrators. An important basis for social engineering is that people are gripped by their emotions and reason takes no part in their decision-making.


Example: The Russian bride scam

This becomes especially clear with the example of the Russian bride scam, which targeted single men in Western and Central Europe. In spam emails, young, usually very attractive Russian girls lured men to send them goods or foreign money, or to meet up with them. In the hope of a big love affair, or at least a quick fling, the men unwittingly became part of money laundering and smuggling operations. Many victims have lost all their money in this way.

Requests such as “I can only visit you if I have the right papers, but everyone here is corrupt. Send me money for the documents and lawyers” are used by the perpetrators to charm their way straight into the victims’ wallets. Later they also ask for money for the journey or for new clothes. They exploit their victims’ assets until they become suspicious – or run out of funds. However, not only the pictures of the young women but their very existence is often a deception. Instead of a Russian girl who wants to get married, the senders of the alluring messages are often men of every age from a wide range of countries.

What do the attackers know about the potential victims?

The fraudsters proceed in very different ways to make someone an unwitting accomplice. And their knowledge of the future victim varies. With conventional spam the fraudsters know nothing about their victims. This method is based purely on mass emails and functions like a massive dragnet. With a large number of recipients, the perpetrators are highly likely to net a few victims. On the other hand, other methods are more reminiscent of angling for a particular species of fish – in a targeted way and with knowledge of what bait the fish will take. Such specialised phishing activities are also called “spear phishing”, as the perpetrators specifically seek out their victims as with spear fishing. If the fish is somewhat bigger, for example a high-ranking employee in an international company, experts also talk of “whaling”. Knowledge of the victim therefore mainly depends on the prize they hope to gain.

How do the perpetrators find information on their victims?

One mixture of offline and online endeavours is called “dumpster diving”. The fraudsters search through the target’s rubbish to find out as much as possible about their habits, interests and life situation. Babies’ nappies, medication boxes, pizza boxes, discarded paperwork – social engineers can deduce important information from such apparent trifles. Much more pleasant than rummaging through piles of rubbish is vetting people on social media platforms. Unthinking users present their personalities to the perpetrators on a silver platter, in public posts, likes or photos, and make it easy for the fraudsters to ingratiate themselves with them via fake commonalities.

How can I protect myself from social engineering?

  • Social Media: Thinking about what private content you share, and what you do not, is the first and most critical step.

  • Email: You can protect yourself from open manipulation by exercising caution. For instance, if you do not know the sender of an email and are not sure how the sender got hold of your email address, this is a red flag. When in doubt, contact the sender by phone and ask him or her about the message you received.

  • Phone: The same is true for people who call you: if you do not know that person, do not give up any sensitive information over the phone.

  • Links: Do not open any links that claim to lead you to a website login, no matter what the message says. Ideally, you have bookmarks for your important websites such as banking or shopping portals. Use your bookmarks to open the login page. That way, fraud attempts and fake logins become evident very quickly.

  • "Congratulations, you have won!": If you are promised a prize or large sums of money, use your common sense. People usually do not give things away, especially not to random strangers. Do not respond to such text messages, emails or phone calls.

  • Security software: By filtering out spam and using reliable phishing protection you can minimize the risk of falling victim to any of those scams.

More information and sources

  • G DATA Internet Security
  • Jordan, M., Goudey, H. (2005) "The Signs, Signifiers and Semiotics of the Successful Semantic Attack". In: Proceedings of the EICAR 2005 Conference, pp. 344-364.
  • Mitnick, Kevin D., Simon, William (2003) "Die Kunst der Täuschung" (The Art of Deception). mitp-Verlag