30 Apr 2025
Social engineering: the art of manipulation in the digital world

What is Social Engineering?
Social engineering describes the targeted use of psychological manipulation techniques to persuade people to disclose sensitive information or carry out certain actions. The trust or carelessness of the victim is often exploited. In contrast to purely technical attacks such as viruses or malware, social engineering uses the human component as a gateway.
The psychology behind social engineering
Social engineering is based on the ability to influence human behavior. Techniques such as neuro-linguistic programming (NLP) or imitating body language are used to build trust and facilitate manipulation. Attackers often exploit emotions such as fear, urgency, or curiosity to persuade their victims to take action. Knowledge of personal data, such as interests, hobbies, or personal relationships, can also facilitate manipulation and strengthen trust or lead to dependency.
Typical attack methods
Social engineering includes a variety of techniques that can vary depending on the target and context. Here are some of the most common methods:
Phishing and its variants: Deception via email, phone call, or text message
- Phishing: Deceptive emails or websites that trick users into revealing their login details.
- Spear phishing: Targeted attacks on specific individuals or organizations.
- Vishing: Fraud via telephone calls.
- Smishing: Manipulative text messages.
- Whaling: A special form of phishing that targets high-ranking executives.
Pretexting: Supposedly trustworthy persons
Attackers pretend to be trustworthy persons in order to obtain sensitive information. A well-known example is the case of Hewlett-Packard, where private investigators posed as telecommunications employees in order to obtain connection data.
Baiting: Malware via USB stick or QR code
Baiting describes the placement of manipulated USB sticks containing malware in public places. One example is the FBI case against Silk Road, in which suspects were monitored in this way.
Another possibility is the placement of QR codes whose links redirect to malicious code or phishing pages. Clever placement, for example at vending machines or in front of canteens, as well as pasting over QR codes of legitimate campaigns, makes detection more difficult.
Likewise, prizes or gifts, usually in digital form, such as free songs or apps, can be offered by email, telephone, post, as a pop-up in the browser or by other means. Redeeming them can then lead to the installation of malware or data leakage.
Tailgating: Unauthorized access
Unauthorized persons gain access to secure areas by "attaching" themselves to real employees. One such attack was documented at JPMorgan Chase in 2014.
Keyloggers - hardware that is inserted or installed between the keyboard and PC to record input - can be placed on accessible devices. For example, a person could pretend to be a technician and gain access to rooms by presenting a professional appearance and pretending to be carrying out a repair job. They can then gain access to areas with computers and install a keylogger there unobserved.
Impersonation: Identity theft
Cyber criminals use deepfakes and stolen personal data to manipulate financial transactions, for example, as in the case of Uniper, where a fake CEO voice stole €220,000. In the private sector, impersonation often occurs as a "grandchild trick".
Open-source intelligence (OSINT) methods, i.e. the exploitation of publicly available information, are used to collect data about the person to be impersonated. Sources include images on the web, for example on the company website or social networks, but also interviews uploaded to video platforms or social networks. Additional personal information drastically increases the chances of success of such an attack: it forms the basis for training AI models, but an attacker can also use it in the traditional way to generate trust and simulate authenticity.
Dumpster diving: Searching through garbage, letterboxes or unattended devices
Sensitive information is obtained by searching through paper waste or other places, such as notice boards or open letterboxes, but also by looking over someone's shoulder or through unlocked, unattended devices.
Quid pro quo: Something in exchange for information
The attacker or attackers offer something in return for information or access to systems and information. These vary greatly depending on the personal relationship and the victim. Such attacks can even lead to the development of personal dependencies.
Honeytrap: Fake friends
The attacker or attackers create a fictitious person and set up a fake online profile to befriend a victim. This attack is most common on dating platforms, but other communities of interest can also be used. Over time, the attacker builds up a personal relationship to the point of dependency, which is then exploited for further steps.
Diversion theft: Information flow under pressure
The victim is tricked into sending or handing over information to a supposedly trustworthy source - often under pressure. An example of this is a call from a supposed banker with the information that, due to a cyberattack, the contact details of the bank's service center have changed and the victim should call there urgently to transfer the company's money to another account so that the attackers do not get it. An example from the private sector is the call to elderly people saying that criminal gangs are on the loose in the neighborhood, but that a police officer will be by shortly to collect valuables for safekeeping.
Protective measures against social engineering
Even if there is no such thing as 100% security, companies and individuals can minimize the risk by taking targeted measures.
Technical solutions
- Email filters: Spam and phishing filters that detect malicious messages.
- Multi-factor authentication (MFA): Additional layer of security, even if login data is compromised.
- Monitoring: Systems such as intrusion detection systems (IDS) monitor unusual activities. User and Entity Behavior Analytics (UEBA) sound the alarm in the event of deviations.
- Hardware restrictions: Allow only authorized hardware and disable interfaces that are not required, e.g. block USB ports or limit them to known devices; interfaces can also be physically blocked or disconnected. Lock devices when leaving and do not leave them unattended.
Training and sensitization
- Regular training and simulations, e.g. phishing exercises, increase employee awareness.
- Restriction to a few, secure communication channels to make it easier to recognize suspicious contact.
- Reflect on your own behavior: What information do I share and where? How can this information be used against me? How traceable is my own behavior for others?
Identity and access management
- Access only for authenticated users with minimal rights.
- Single sign-on (SSO) reduces complexity and makes it easier to respond in the event of an attack.
- Share as little personal information as possible on social networks and other platforms.
- Passwords for personal contact: For example, the managing director can agree a code word with the finance department that is used for urgent payment instructions by telephone. But the granddaughter and grandpa can also use a password if they need money in an emergency during their trip to Asia.
- 4-eyes principle: Each person holds only part of a password or key; access is only possible together with the part held by another person. The two parts should each be used only once.
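The 4-eyes principle above can be implemented so that a single part is mathematically useless on its own, not merely "half a password". The following is an added example (not code from the original article) of a one-time XOR split: a secret is divided into shares that must all be combined, and any share alone is indistinguishable from random bytes. It generalizes the two-person case to any number of holders who are all required. The secret and the candidate values are constructed sample inputs.

```python
"""One-time XOR secret splitting for the 4-eyes principle (added example).

Every share is required to reconstruct the secret. Any subset short of the
full set reveals nothing, because a missing share is uniformly random.
"""
import secrets
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, holders: int = 2) -> List[bytes]:
    """Split `secret` into `holders` shares that must all be combined.

    All but the last share are fresh random bytes from the OS CSPRNG; the
    last share is the secret XORed with all random shares. A new split must
    be made for every use, since reusing a share across two different
    secrets leaks the XOR of those secrets.
    """
    if holders < 2:
        raise ValueError("a 4-eyes split needs at least two holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    last = bytes(secret)
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """Reconstruct the secret; only correct when every share is present."""
    if not shares:
        raise ValueError("no shares supplied")
    result = bytes(len(shares[0]))  # all-zero start value
    for share in shares:
        result = _xor(result, share)
    return result


def candidate_share(known_share: bytes, candidate_secret: bytes) -> bytes:
    """Show why one part is useless alone: for any candidate secret of the
    same length there exists a partner share that combines to exactly it, so
    a holder of one share cannot tell which candidate is the real secret."""
    return _xor(known_share, candidate_secret)


if __name__ == "__main__":
    # Constructed sample secret, e.g. a code word for urgent payment orders.
    secret = b"Tr3asury-Payment-Key!"
    parts = split_secret(secret)
    print("holder A:", parts[0].hex())
    print("holder B:", parts[1].hex())
    print("combined:", combine_shares(parts))
```

Each holder stores only their own share; the secret is reassembled only at the moment of use, after which a fresh split is generated, matching the "used only once" requirement in the list above.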