Social Engineering is a widely used method of obtaining confidential information. The targets of these attacks are always human beings. To obtain confidential information, these attacks frequently exploit people’s credulity and helpfulness, but also their insecurities. Anything is possible, from fake telephone calls and people pretending to be someone else to phishing attacks.
- disclosing as little personal information about yourself as possible, being especially economical with such details on social networking sites such as Facebook, Xing etc.
- never disclosing any passwords to anybody else as a matter of principle, not even to a system administrator or your boss. Passwords belong only to you!
- always being suspicious of any e-mail requests. Even e-mails received from senders you know (friends) could be fake.
As a first step, criminals try to obtain as much information about their victim as possible, because people can be deceived more easily on the basis of such information. The criminal can for instance pretend to be a person you know. The Internet is ideal for obtaining such information - social networking sites such as Facebook, Xing etc. contain a particularly large number of such details. Equipped with this intelligence, someone can then approach you directly and appear trustworthy.
Some examples of Social Engineering attacks
- Someone pretends to be an engineer (for instance from a telephone company, an electricity supplier etc.) in an attempt to gain entry to your home or your company.
- You receive an e-mail asking you to open a link and log in, or to reveal personal details.
- A person calls you on the phone wanting to ask you certain questions for a survey (e.g. regarding your income or the security measures installed on your PC).
- An attacker sends an e-mail with a fake sender’s address, pretending to be someone you know (with an attachment containing a virus).
- Somebody passing himself off as an IT technician arrives at your place of work, supposedly to undertake some maintenance on your PC.
There are even cases of Social Engineering attacks in which people target a company by applying for a job there, specifically in order to steal information.
How can you protect yourself effectively?
As attackers deliberately exploit «human traits» such as a willingness to help, insecurity, good faith and the basic trust in other people, it is very difficult to discover a Social Engineering attack and avert it. It takes a certain measure of distrust towards strangers, but also towards those we know!
Generally, only a «healthy» dose of mistrust can protect you. It is frequently also helpful to check what kind of information you disclose about yourself, and to whom. There are no technical measures to defend yourself against Social Engineering though.