We’re still too young for the grandparent scam. We don’t fall for e-mails from strange senders. CEO fraud cannot happen to us. We only operate domestically. The list of justifications and excuses can be extended at will.
“Fact is: Social engineering affects us all!”
An ancient craft, practised with modern means
The art of social engineering is as old as mankind itself. People try to make their interests palatable to their counterpart. In principle there is nothing bad about that. Think of the friendly service in your favourite hotel: they want you to feel comfortable so that, ideally, you will come back. In the business world, we try to convince each other with the best arguments, packaged so that the counterpart is happy to accept them. Not to mention in politics.
Media reports on fraud schemes in which social engineering plays a role are more topical than ever. When I establish the facts of a case or develop preventive measures in risk and fraud management with my clients, I often hear that social engineering is an IT problem. It is not. However, I can understand why this impression is widespread.
“The reason is that the art of social engineering makes use of technology.”
Phishing, Spearing, Whaling, Spoofing – you got it?
The fraud patterns of white-collar crime are manifold and are presented in the so-called “Fraud Tree” of the ACFE. Many of these fraud patterns require a certain amount of social engineering: wherever interaction with people must take place in order to achieve the intended goal. For this purpose, social engineers use the technical possibilities available to them by making contact via e-mail, SMS, WhatsApp and telephone, not to forget all the other channels available these days.
Whether the social engineers gain access to sensitive data such as customer information or trade secrets, or spy on a company’s Achilles heel for months on end – their first step will always be to deceive you and your team. How? This is where the scammers’ frequently demonstrated creativity shows. Depending on the target subject and the intention, the procedures differ: phishing (a large target mass), spearing (a dedicated target subject), whaling (a dedicated target subject in a high function) and spoofing (contact via telephone).
“Social engineers gain your trust through behaviour and appearance.”
Abuse of trust: malicious versus benevolent intentions
First and foremost, it is important that the target subject – yes, you and your organization become the target of fraudulent intentions – feels safe. Only then can trust be built. People want to be able to trust. Trust reduces stress, and our ancestors already knew that a permanent state of stress reduces performance.
Depending on the defined goal, the social engineer has time and takes it, because it will be worth it. In benevolent social engineering, we are patient until the person we are courting is ready for joint plans; putting pressure on them would be counterproductive. The same applies to malicious social engineering.
“The only difference between malicious and benevolent social engineering is intention.”
Exposure, the most effective prevention
As mentioned at the beginning, social engineering is not a technical risk. The risk factor is the human being: the attacker is a human being, and a human being (the target subject) is manipulated. The most effective prevention against social engineering and the associated fraud patterns such as CEO fraud, the grandparent scam, espionage, etc. is sensitization.
You and your team will expose malicious social engineers by seeing through the most common patterns. We humans learn by observing. For this we need exercises and training that enable us to experience the behaviour of social engineers first-hand, based on practical examples and on rehearsing an emergency.
This week, pay special attention to where you are being manipulated with good intentions, and hopefully never maliciously. Hold an internal competition to see who discovers the most situations and have them collected. With this simple measure you will sensitize your organization and discover weak points. The investment is small and worthwhile.
PS: You don’t find any practical examples in your organization? May one of my next events fit? If not, you know where to find me.