Social Engineering

Social engineering describes a variety of methods criminals use to influence the behavior of their victims to their own advantage. The attackers aim, for example, to get victims to disclose sensitive information such as passwords or to install malware, or to gain unauthorized access to documents or information.

The widespread practice of phishing is a form of social engineering in which criminals attempt to influence the behavior of recipients via e-mail. Read more about phishing emails here: phishing & email security.

Social engineering may also be carried out in other ways, for example by telephone. This is also known as vishing (from "voice phishing"). A scammer poses as an employee of a bank or an IT department, for example, and tries to obtain login data or PINs under an apparently plausible pretext.

  • How does social engineering work?

    Social engineering appeals to human emotions in order to get victims to react as the attacker hopes.

    • Time pressure is created, for example, by emphasizing the urgency of an action and/or threatening negative consequences if the action is not taken immediately (e.g., transferring money or logging into a user account). Alleged consequences for not taking action include, for example, blocking access or debiting large sums of money. However, most legitimate companies will contact you by mail or phone for urgent matters.
    • Promises and hopes for financial benefits or profits are used by the attackers as incentives to get victims to take the desired action. If an e-mail contains such offers or a large number of advertisements, you should become suspicious and not respond.
    • Social engineering can also be used to gain unauthorized access to areas containing sensitive information. Unauthorized individuals can, for example, impersonate employees of a facility management service, gain trust, and thus gain access to offices and come into direct contact with sensitive data. Access to the information and its misuse can then no longer be controlled.
    • Intentional placement of USB sticks infected with malware appeals to people's curiosity. Criminals might enter a building without authorization and place USB sticks in communal areas or send them by mail. People who find these USB sticks are curious about the data on them or hope to find the owner by looking at the data. Once a prepared USB stick has been connected to the computer, infection with malware can occur automatically. Never connect a device to your computer if you do not know exactly where it came from.
    • In recent years, identity fraud involving executives has also been used repeatedly in social engineering attempts. The attackers obtain information from executives, impersonate them and use their supposed position of authority to persuade employees to disclose internal information or to make transfers for the supervisor, for example. For more information on these types of scams, see identity fraud.