IT Center Blog

Social Engineering – or: How we get tricked

November 6th, 2020

Sometimes you just can’t say “no”. When volunteer rescue workers collecting donations are at the front door, or when the pre-Christmas season brings ever more opportunities to do one more good deed this year, we are of course happy to help, for we are social beings after all. However, this humanitarian side of us is being exploited more and more. Social engineering aims to motivate people to do things they would not do under normal circumstances. This manipulation occurs everywhere – digitally as well as in the real world.

Source: Pixabay

In today’s article we discuss what “evil” social engineering is all about, what you should be aware of, especially on the World Wide Web, and at what point it is safer saying “no”.

The Trojan horse – back then, as well as today

One of the oldest examples of social engineering can be found in Homer’s “Odyssey” and Virgil’s “Aeneid”. Herein, the Greeks used the so-called Trojan Horse, in which they hid themselves to get into the city. Odysseus was able to invade the city of Troy by getting its inhabitants to pull the beautiful and unbelievably large wooden horse – together with its load – into the city.

The cunning of the Trojan horse is still well known today and serves as a metaphor for the malicious software (malware) we know as “Trojans”. Social engineering works just as well and just as reliably nowadays: for example, when someone cuts in line at the supermarket checkout with an excuse so good that you let them pass, or when discounts tempt you to buy. The same technique also works online.

Online, the psychological manipulation aims to get hold of confidential information, to encourage the purchase of a product or to get someone to release funds. The victim is convinced that the content they are opening is harmless and benign, while the malware hidden in it aims to steal and/or destroy data on the device.

Social engineering and the aspect of humanity

Social engineering thus exploits our very humanity: for example, our tendency to trust other people, to avoid conflicts and, especially in public, to be polite and helpful. Most of us also react with more friendliness when we care about someone or something, and we are more likely to give out information when we are praised for certain qualities or actions.

It is similar on the Internet. The hacker attack on the Twitter accounts of many celebrities is a striking example. The attackers posted tweets in the names of the celebrities, calling for donations, and had the funds transferred in Bitcoin. The damage was twofold: Twitter users lost $140,000, while the celebrity accounts were broken into, their contact lists stolen and probably their personal data compromised.

Principles of Social Engineering

Cybercriminals know how social engineering works best. The following examples illustrate how emotions can be used to commit cyber attacks:

1) Authority
People follow instructions, even if they seem absurd. The same applies when fear of trouble or outright panic is induced. A good example is an e-mail that warns of a virus and conveniently offers a link to the “solution”. Such links lure people into clicking.

2) Scarcity or greed
Discount campaigns tempt people to behave in a similar way – whether online or in the supermarket. Subject lines such as “There are only 2 dream locations left for your next vacation… Now or never”, “Give me 10 Euro and I’ll give you 100€ back” or “You have won the lottery” tempt you to open the corresponding e-mails and links or to take the requested action.

Social Engineering and Phishing

One of the most common forms of social engineering is phishing: a systematic attack that uses scam e-mails. The aim is to motivate the user to take an action or reveal relevant information. You can read more about phishing in our article from Wednesday, 04.11.2020.

Please remain alert to supposedly tempting offers – especially on the Internet. Offers, e-mails and websites are often designed so authentically that you would not suspect the scam at first and only realize it when it is too late.

Responsible for the content of this article are Jens Hektor and Julia-Elena Runkel.
