How is social engineering successful

Anyone could fall for these 5 social engineering examples!

These social engineering examples show how successfully criminals can use interpersonal influence to achieve their goal. That goal can be the handing over of hardware or access to buildings. Many incidents confirm that these attacks are carried out in practice. The number of unreported cases is assumed to be many times higher.

To help you prepare for advanced social engineering attacks, we took the trouble to pick out some of the more sophisticated ones. Social hacking is also used in social engineering. However, the approach taken by professional attackers is more extensive.

It is partly about faking identities and obtaining services for free. However, breaking into IT systems is also one of the criminals' goals.

  • Example 1: Shoulder Surfing & Dumpster Diving

The first social engineering example has little to do with IT systems. The bigger problem is that attackers take advantage of users' carelessness. In shoulder surfing, which usually happens in public spaces, the attacker looks over the target person's shoulder.

Laptops are not always fitted with a privacy film when people work on them. In this way, people sitting next to you can collect valuable information in order to prepare an attack.

Dumpster diving is another very non-technical approach to successful social engineering attacks. It is about stealing a target's trash. If sensitive information isn't shredded, it's the jackpot for the criminals.

Even a strip cut does not destroy sensitive documents sufficiently. A cross cut makes it almost impossible for criminals to recover the documents.

In order to successfully carry out a social engineering attack in a business context, preparatory work is necessary. Example 1 already outlines what this can look like.

However, so-called pretexting can be used to increase the probability of an attack being successful. The main focus is on human emotions and needs:

  • Desires, such as raising one's own profile or material gain
  • Fears, such as fear of loss or rejection
  • Character traits, such as trust in authorities or helpfulness

In pretexting, the attacker contacts the victim, and the message appeals to at least one of these emotions or needs. The attacker's aim is for the victim to decide against the rational, correct course of action. The consequence can be the disclosure of sensitive information.

Attackers who put in more effort create false identities as part of pretexting and, if necessary, also operate fake profiles on social networks and dating portals.

In the private context, the grandchild trick is by now a well-known scam that takes the form of pretexting.

  • Example 3: Caller ID Spoofing & Voice Manipulation

After extensive information has been collected and the first contact has taken place, the next step is to build trust and remove obstacles. The criminal pursues this goal at the victims' expense.

Caller ID spoofing is used especially in fraud involving money. The caller ID is the telephone number of the calling person. With caller ID spoofing, the phone number displayed to the person being called is manipulated.

The most successful fraud in the private context is police fraud. Strangers call mainly seniors from the number 110 and give a pretext for why cash or valuables have to be handed over. However, this approach also occurs in a business context.

An attacker who only sends out a payment notice by e-mail, especially from an address that is not the sender's usual one, has only a slim chance of success. The chances are better if a call is announced in the e-mail.

Calling from the actual number of the person that number really belongs to increases the chances of a successful scam.

Criminals do well by reducing the voice quality and limiting the conversation to the bare essentials. Does the impersonated person have a distinctive voice? Then it helps to use voice manipulation software. The first successful scams of this kind have now come to light.

  • Example 4: Reverse Social Engineering Attack

In the reverse social engineering attack, the victim is motivated to contact the fraudster. Criminals are very creative on this point. A simple approach would be to prepare an e-mail informing the victim that the service provider for handling tickets has changed.

For this reason, the e-mail says, there is a new e-mail address and phone number. If the victim now opens a ticket, the “new” service desk is contacted. It is then agreed that the data causing the problem must be sent or that the computer must be picked up by an external service provider.

  • Example 5: Watering Hole Attacks

The watering hole attack also relies on the employees of the victim organization. The "watering holes" that the victims are supposed to fall for are popular or frequently visited websites.

If it is known that the employees of a company have to visit a website frequently, e.g. to open tickets, authenticate themselves or look up information, this can be used to prepare a watering hole attack.

The attacker searches the popular website for a security vulnerability, specifically one that makes it possible to inject JavaScript or set up redirects.

When the target group visits the website, the planted redirect sends the victims to a follow-up website, where they are infected with malware.

This procedure is complex and rarely found. But it is effective because third-party sources and popular, frequently used websites can rarely be blocked by company policies.
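
A defensive check for the injected JavaScript and redirects described above, as an added example that is not part of the original article: it lists every script, iframe and meta-refresh target on a page whose host is not on an allowlist. The host names, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the page is expected to load from (assumption: maintained by the site owner).
ALLOWED_HOSTS = {"tickets.example.com", "cdn.example.com"}


class ExternalLoadFinder(HTMLParser):
    """Collect script/iframe sources and meta-refresh targets of a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.loads = []  # (kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            self.loads.append((tag, urljoin(self.base_url, a["src"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://host/path"
            _, _, target = a.get("content", "").partition("=")
            if target:
                url = urljoin(self.base_url, target.strip(" '\""))
                self.loads.append(("meta-refresh", url))


def unexpected_loads(html, base_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, url) pairs whose host is not on the allowlist."""
    finder = ExternalLoadFinder(base_url)
    finder.feed(html)
    return [(kind, url) for kind, url in finder.loads
            if urlparse(url).hostname not in allowed_hosts]


# Constructed sample page: two expected scripts, one injected script, one injected redirect.
SAMPLE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//stats.invalid/a.js"></script>
<meta http-equiv="Refresh" content="0; URL=https://landing.invalid/update">
</head><body>Ticket portal</body></html>
"""

if __name__ == "__main__":
    for kind, url in unexpected_loads(SAMPLE, "https://tickets.example.com/"):
        print(f"unexpected {kind}: {url}")
```

The check only covers loads that are visible in the HTML; injected inline scripts need a comparison against a known-good copy of the page.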

Extended social engineering examples that anyone can fall for - right?

The success of a social engineering attack depends on the attacker's effort. If professional attackers with extensive financial resources set out to attack, the chances are good that they will succeed.

The common phishing and spear phishing attacks were deliberately left out of this article, even though they can cause considerable damage, as they did at Wempe or Norsk Hydro.
