30. April 2018 - The human security risk

Social Engineering: How users are “hacked”


What are the most successful Social Engineering methods of data thieves? New studies provide insight. Use these insights in your data protection seminars to prevent people from becoming the number one hacking target.

Social Engineering targets the weakest link in the security chain: the user (Image: frankpeters / iStock / Thinkstock)

Social Engineering is an attack method that exploits the trust of users and tricks them into disclosing data. It enjoys increasing popularity among data thieves.

The reason: unlike at least some hardware and software, users cannot be secured automatically.

This is why you should keep raising awareness of Social Engineering in your data protection seminars.

How hacking of users works

Many participants in your data protection seminars may be familiar with the term “Social Engineering”. However, there are many misconceptions.

For example, many users believe that hackers use only e-mails and websites to steal data – phishing e-mails and fake log-in pages. In reality, data thieves can use any form of communication to deceive users.

Social Engineering works not only via e-mails and web pages, but also

  • via chat services,
  • on the phone,
  • via fax messages,
  • by traditional letter post and even
  • in face-to-face communication.

Attackers may also use the phone or letters to trick employees into divulging confidential data or providing access to it.

Data protection seminars as “troubleshooting”

Many IT security researchers consider users as the greatest weak spot of all.

There is no technological solution to fix this security risk – you can only raise your employees’ awareness of the problem.

Understanding the psychology of Social Engineering

First of all, explain to users: methods of deception are more varied than the classic forged e-mail from a bank, in which a user is asked to log in to the online banking page immediately because of some alleged problem. The linked page is forged and used to steal the user’s login data.

However, data thieves might also masquerade as a pizza delivery service. Or send a fax pretending to be from a new sales partner. Or a chat message from a presumed friend.

The list of examples is endless. This is why it is important to understand the method of deception – the psychological tricks of data thieves.

Social Engineering tactics

The report “Exploring the Psychological Mechanisms used in Ransomware Splash Screens” by cyber psychologist Dr. Lee Hadlington from De Montfort University illustrates how cyber criminals use Social Engineering tactics to manipulate people. Methods include fear, authority, time pressure and humour.

Dr. Hadlington analysed, among other things, the linguistic style and the visual appearance of 76 attacks.

Here are the key results of the study:

  • Time as a critical factor: In more than half of the samples (57 percent), a ticking clock was putting pressure on the user. Deadlines ranged from ten to 96 hours.
  • Negative consequences: In most cases, users were threatened with losing access to their data, or that their data would be deleted if they didn’t pay or comply with payment deadlines. Occasionally, publication of encrypted data on the internet was also used as a threat.
  • “User-friendliness”: 51 percent of the notifications used in the attacks were designed to be quite user-friendly. For example, they gave specific instructions to the victims or included a list of frequently asked questions (FAQ). In one case, the victim was even offered a consultation with “an employee”.
  • Imagery: Official brand logos and emblems were used in some cases – including the seal of the FBI, which was used to suggest authority and credibility.

“Hacking the human OS”

The study “Hacking the Human OS” by McAfee also provides helpful insights that you can use in your seminars.

The levers used by attackers include in particular

  • pretending to do the victim a favour,
  • deliberately putting time pressure on the victim to prompt hasty, inconsiderate decisions,
  • pointing out alleged obligations of the victim,
  • exploiting attractiveness or sympathy,
  • pretending to have authority over the victim and
  • claiming that everybody is doing something that the victim should also do now.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.