Social Engineering: The Invisible Threat
Author: Michael Vogel
Cyber Security risks are increasing. Criminals exploit both technical vulnerabilities and people’s good nature in their attacks.
In the last quarter of 2022, the world observed a sad record: on average, 1,168 cyberattacks per organization took place each week, an all-time high. For the year as a whole, the number of cyberattacks in 2022 was 38 percent higher than in 2021, according to figures from Check Point, a US-Israeli IT security firm that has long been tracking the global IT threat landscape. According to Check Point, the three most frequently attacked industries were academic institutions, government institutions, and the healthcare sector.
The total economic damage caused by cyberattacks is difficult to quantify. The numbers communicated from time to time vary widely. What they have in common, however, is that they are high. So high, in fact, that the currency itself becomes almost irrelevant. We are talking about billions – or more. If you look at individual cases, the damage caused becomes more concrete.
Ransomware cripples district
One example is the Anhalt-Bitterfeld district, which unintentionally made IT history in July 2021 when it became Germany’s first digital disaster. After a successful ransomware attack, the authorities were no longer able to provide parental benefits, unemployment and social benefits, vehicle registrations, and other services. Almost a thousand of the administration’s employees were only allowed to work with telephones and fax because the service computers were infected with malware.
The term ransomware refers to extortion software that is planted unnoticed in an IT network and encrypts data or prevents access to computers. In most cases, a ransom demand is made. Ransomware has been a rapidly growing threat worldwide for years. For the German economy alone, industry association Bitkom estimated the economic damage caused by ransomware at 24 billion euros in 2021.
The Anhalt-Bitterfeld district refused to pay the ransom. The disaster ended after 207 days, when the IT systems had been completely rebuilt. Even so, some services, like the environmental registry, were still affected a year after the incident.
Another example of the consequences of a cyberattack is provided by the European satellite network KA-SAT, whose communications services were severely affected almost simultaneously with the start of the Russian invasion of Ukraine in late February 2022. The cyberattack was presumably intended to cut off Ukrainian customers from satellite internet. But customers in other countries, such as Germany, France, and Ireland, were also affected, presumably as collateral damage. One result of the disruption was that 5,800 wind turbines could no longer be maintained remotely. The attack took place via a misconfigured access path into the satellite network’s management network. This meant that several tens of thousands of modems could be disrupted in one fell swoop.
Sneaky emails help criminals
But cyberattacks are by no means the result of technical or organizational vulnerabilities alone. People are also directly exposed to attacks, which can originate in emails, text messages, social media messages, or phone calls. The criminals’ underlying idea is: Why laboriously search for technical vulnerabilities in a corporate network when someone in the workforce can deliver what they want on a silver platter? This is called social engineering. It starts, for example, with an email that supposedly comes from a business partner or someone in the company. The sender, appearance, and content of the email are fakes, with some being more convincing than others. An increasing number of spam emails are extremely good forgeries: No spelling or grammatical errors, sporting the correct salutation and the correct company logo of the supposed sender. The mail contains a link or an attachment, through which the victim unknowingly discloses data or which installs malware unnoticed, which then spreads through the company network.
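The forged sender, the link that does not go where it appears to, and the attachment that installs malware are all things a mail filter or an analyst can check for mechanically. The following Python script is an added example (not code from the original article or from DEKRA) that flags those four indicators in a raw email: a display name borrowing a trusted company name while the address domain differs, a Reply-To header pointing to another domain, link text showing one host while the href leads to another, and an attachment with an executable extension. The two sample messages, the company domain `acme.example`, and the function name `phishing_indicators` are all constructed for this illustration.

```python
# Added example: flag common phishing indicators in a raw email.
# The sample messages and the trusted domain "acme.example" are constructed.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that should never arrive as a business attachment.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".hta")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL, or of bare-domain link text; '' if it is neither."""
    if value.startswith(("http://", "https://")):
        return (urlparse(value).hostname or "").lower()
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", value, re.IGNORECASE):
        return value.lower()
    return ""


def phishing_indicators(raw, trusted_domains):
    """Return 'TAG: detail' findings for the RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted company name, but the domain is foreign.
    if from_dom and from_dom not in trusted_domains:
        for dom in trusted_domains:
            if dom.split(".")[0] in name.lower():
                findings.append(f"DISPLAY_NAME: '{name}' but sender domain is {from_dom}")

    # 2. Replies are silently redirected to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_dom = parseaddr(str(reply_to))[1].rpartition("@")[2].lower()
        if reply_dom != from_dom:
            findings.append(f"REPLY_TO: {reply_dom} differs from From domain {from_dom}")

    # 3. Visible link text names one host while the href goes to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append(f"LINK_MISMATCH: text shows {shown}, href goes to {real}")

    # 4. Attachment with an executable extension (catches double extensions too).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"ATTACHMENT: {fname} has an executable extension")
    return findings


# Constructed sample: every indicator above is present.
PHISHING_SAMPLE = b"""From: "Acme Finance" <finance@acme-invoices-portal.example>
Reply-To: accounts@mail-drop.example
To: alice@acme.example
Subject: Urgent: overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://acme-invoices-portal.example/login">https://portal.acme.example/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed sample: an ordinary internal message with no indicators.
LEGIT_SAMPLE = b"""From: "Acme Finance" <finance@acme.example>
To: alice@acme.example
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

The invoice is available at https://portal.acme.example/invoices
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample, {"acme.example"}) or "no indicators")
```

None of these checks is proof of fraud on its own; a legitimate newsletter may use a different Reply-To, and a tracking link may show one host while pointing at another. The value lies in surfacing several indicators together so that a filter can quarantine the message or an awareness tool can show the recipient exactly what looked wrong.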
Social engineering is much more difficult to recognize if the victim has first been spied on – their contact data, curriculum vitae, environment. In principle, the criminals can use all publicly available information to gain the victim’s trust by using that collected information to assume a false identity. They ask the victim to reveal sensitive data, such as access data to the company network. The attack is embedded in a narrative. For example, the fake identity might be a superior who is in a difficult negotiation somewhere in the world and urgently needs to get hold of certain data – but has forgotten his password. The contact may be made by email, but also via social media, or even by telephone.
Nobody is safe from cyberattacks
A cyberattack can affect anyone. Be it public sector institutions or facilities that are part of a country’s critical infrastructure, global corporations or small and medium-sized enterprises – no one is safe. For the second time since 2022, the annual “Risk Barometer” compiled by Allianz names cyber incidents the greatest risk in 2023. More than 2,700 risk management professionals from 94 countries and territories were surveyed. As large companies respond to the threat situation with more financial and human resources, small and medium-sized companies are increasingly being targeted by cyberattacks, according to the Risk Barometer.
A German example shows that word has not yet spread everywhere, apparently. A security check initiated by the German Insurance Association (GDV), in which 19 small and medium-sized enterprises from the logistics, wholesale, and retail sectors participated, uncovered vulnerabilities at 18 companies that could have been gateways for cyberattacks. However, according to an accompanying survey commissioned by GDV among 300 companies in the same industries, almost two-thirds assumed that the Cyber Security risk for their company was low – because the company was too small or the data of no interest to criminals. This could prove to be a fatal mistake.
“Phishing is the biggest problem.”
People are popular victims of cybercriminals, who want to exploit more than technical security vulnerabilities. Graham Stanforth, Head of the DEKRA Business Line “Information Security Training”, explains the dangers and countermeasures.
Why does social engineering work?
Stanforth: There is always talk about “people being the weakest link”, which I find a poor choice of words. People usually have positive qualities: We want to be trustworthy, we are curious and respectful, we want to help, we want to act as a team. And we assume the same of other people. Unfortunately, social engineering shamelessly exploits these positive traits.
What are some trends in social engineering?
Stanforth: Phishing has been dominant for a few years now. Criminals send a fake email with a link or attachment and hope that the victim clicks on the link or opens the attachment. The necessary technology can be bought online for little money and conveniently adapted to the criminals’ intentions. It’s convenient and easy. With the click of a button, they can send out half a million emails – someone will always fall for it. The click rates are five to ten percent.
Do you have any behavioral tips for everyday work?
Stanforth: Awareness training is very helpful for anyone who comes in contact with networked devices. An important message of these trainings is that there is no such thing as 100 percent security. That’s why employees need to be aware of their responsibilities. For example, if I leave my computer on, I have to lock the screen. Or: Who can see my monitor while I’m working? What information can I share confidently on social media? How do I handle my business laptop and smartphone responsibly in public? We actually know all this. But we need to be made aware of it again and again so that no unsafe routines creep in.
What training courses does DEKRA offer in terms of awareness?
Stanforth: We offer everything necessary to carry out awareness campaigns. This includes a manager dashboard from which phishing emails can be sent to see how high the click rates are in your own company. Coupled with this are e-learning modules to specifically address the weaknesses identified. Over time, the organization’s learning progress can also be documented.
Does DEKRA also offer the social engineering equivalent of technical penetration testing, i.e. trying to fool people as a “good hacker”?
Stanforth: Yes. The companies decide what to tell DEKRA in advance and where DEKRA gets access. After preparing for the company, we send out a pen-tester who tries to pick up information using social engineering techniques. For example, they pretend to be someone who has to check the fire regulations in the building and sees what other information they can get their hands on. The final report can also be used as part of a security certification in accordance with ISO 27001.