Social Engineering refers to the art of manipulating people through persuasion, seduction or influence in such a way that they reveal confidential information, e.g. names, contact data, corporate names or company information.
The human being is the weakest link in the information security chain – and a key target for criminals. The perpetrators gain your trust via insider knowledge (e.g. via your social media profile or by phoning your colleagues) and they then use quite normal human characteristics - such as a willingness to help or provide information - for their own purposes.
This means that Social Engineering does not require any in-depth technical knowledge and is therefore being increasingly used by cyber criminals.
What do social engineers ask for?
- Names
- Contact details
- Department names and job titles
- Information about business processes
This information may seem harmless at first but this is often just the first phase of procuring information for further fraudulent activities. For example, the social engineer can use this information to pretend to be a colleague in subsequent phone calls to other departments.
What techniques do social engineers use?
- Persuasion
- Temptation
- Asking for help
In most cases, the perpetrator uses false pretences and/or a false identity to gain your trust and influence you. Another option is to procure information by telephone and subsequently send phishing emails to your email address.
How will you be contacted by social engineers?
- By telephone
- By email
- Face-to-face in (apparently) random situations
There are many different ways they might approach you. Direct contact, e.g. by telephone or face-to-face, is often chosen to increase the element of surprise and therefore also the likelihood that you will give out information which you might not have revealed had you had a little time to think about it.
How do social engineers put pressure on you?
- The social engineer claims that they need the requested information as an important situation depends on it.
- The social engineer claims that they are under extreme time pressure.
- The social engineer calls you in an allegedly desperate situation. For example: "I’m stuck at the airport and my mobile is about to run out. Can you help me quickly?" This cleverly combines time pressure and an appeal to your willingness to help.
The 3R strategy
1. Refuse: Always be sceptical if you get a call from someone you don’t know.
- Do not give out any information if you have any doubts about the identity of the caller
- Do not let yourself be put under pressure
- Stick to the facts
- Keep the conversation short - the longer the conversation the greater the risk of revealing information
2. Request: Ask for identification – for example, ask the caller to send a written request via email. But watch out: never give out your email address. Instead, you should claim that the caller must already have it. In most cases, social engineers will hang up at this point because they do not have it.
3. Report: If the caller has claimed to be an employee of Deutsche Bank you should report the incident to your relationship manager immediately so that countermeasures can be taken.