Social engineering: How cybercriminals trick us
Internet Risks
Emails that threaten to delete our data, text messages announcing that we’ve won a big prize, or Facebook friends who might be the love of our lives – unexpected online encounters are seldom what they seem. Find out more about internet scams, how cybercriminals ensnare their victims, and what you can do to protect yourself.
What is social engineering?
Social engineering is a technique used to scam people. Criminals use psychological tricks to mislead us in order to convince us to divulge confidential information, to get us to send them money, or to gain access to the IT networks of the companies we work for. The method of attack is always aimed at taking advantage of certain patterns of behavior. In this context, you could replace “social engineering” with “influencing people’s behavior” or “social manipulation’’.
«My account is going to be deleted in five minutes?!»
How does it work?
In certain situations, we react without questioning our own responses. Especially when these situations involve powerful emotions such as stress, fear or love: “My account is going to be deleted in five minutes?!” “This IT expert needs my password?!” “The love of my life, whom I met online, needs money so she can take care of a sick child?!” When criminals are able to successfully disguise themselves as other people or as companies, they can put us in situations where we are vulnerable or feel obligated to do something that will end up harming us.
How to spot a social engineering scenario
Criminals use psychological tricks to manipulate us. To this end, they always play on our emotions in a way that puts pressure on us and inhibits our ability to think critically. Always be skeptical when you receive any emails or phone calls with the following key characteristics:
- Threats: If you don’t do X, Y will happen!
- Urgency: You need to act now!
- Exclusivity: This offer is just for you!
- Requests: I need help!
Common scenarios
Fraudulent web shops – too good to be true
Everyone is looking for a great deal or the chance to get an exclusive discount. Criminals take advantage of this fact. They run web shops with tempting offers.
“Get a new iPhone for an incredible 50% off! Today only and exclusively for you!”
Name-brand sneakers for just CHF 20? A designer bag for 40% off? Sounds amazing! These deals are usually only available for one day or even just for an hour. In this way, criminals try to create stressful situations so that we will jump on this one-of-a-kind offer.
We click and enter our credit card information to make a payment. Unfortunately, that bargain will never arrive.
Read more: Online shopping
Romance scams – we like to help the ones we love
When the people we love are in need, we’re happy to help them unquestioningly. Criminals take advantage of this willingness to help. Disguised as a soldier or a doctor deployed abroad, they win our hearts and earn our trust by writing us loving online messages over a long period.
Finally, it’s time to meet offline. But before that happens, the love of your life tells you that their niece needs an operation that will be very, very expensive.
“I think about you all the time and I can’t wait to finally meet you. Unfortunately, I need to wait until my niece has her operation. It’s major surgery and it’s very, very expensive...”
The victim is in love and wants to help, so they’re more than willing to offer financial support to this person’s family.
Read more: Romance scams
CEO fraud – beware a bogus boss
Criminals threaten us with negative consequences if we do not act immediately and without hesitation.
Your manager is on vacation. At the end of the workday, you receive an email telling you to pay the attached invoice immediately (!). If you don’t, the company will lose a client.
“I cannot be reached by phone at the moment, but it’s extremely important that you make the payment this evening before you leave the office! Otherwise, you will lose this client! Please keep this matter confidential!”
Your manager would do it themselves, but they aren’t in the office at the moment and were unable to reach anyone else this late in the evening.
But: The client’s email and the account information are fake.
Read more: CEO fraud
At first, every victim is suspicious or unsure if they should trust
Criminals use the following techniques to eliminate any doubts:
- They claim to be a trustworthy person such as a woman, a senior citizen, a police officer or a boss or manager.
- They involve family members, acquaintances or respected persons in the scam in order to confirm the situation/the urgency.
- They send fake copies of IDs or passports, or falsified documents such as delivery slips, tickets or contracts.
- They assure that the money that you transfer makes it to a “secure account”.
- They involve fictitious businesses like delivery services with real websites
What should I do? – Breathe. Reality check. Verify.
Breathe: Whenever you get something urgent, take a deep breath before you react. Think for a minute before you click any links or transfer any money. Take a reality check!
Reality check: If something seems too good to be true, then it probably is – especially on the internet. Ask yourself whether the request or offer that you’ve received via email or by phone is realistic. Did I buy a lottery ticket? Would a designer ever sell their bags for such a low price?
Verify: If you’re still not sure after the reality check, then verify the situation. Is it a suspicious message from your bank? Then call your bank. Is it a message from your boss? Then talk to them. Or perhaps you received an invoice or a contract from a company you are familiar with? Then contact that company.
Has it already happened? Don’t panic.
You transferred money?
- Talk to your bank.
- Stop all communications with the cybercriminal.
- File a complaint with the police.
You gave them your password?
- Change your passwords.
- Start your antivirus software.
- Talk to your IT department.
Real-life cases
Companies experience financial losses – AMAG and Emile Egger
The Swiss company Emile Egger fell victim to a “CEO fraud” scam, and the IT network of the car importer AMAG was hacked using a malicious email attachment. In both cases, the damages were in the millions.
Read more (german): SRF: Raubzüge der Online Betrüger
True love?
A woman from Zurich was scammed out of CHF 180,000 by the person she thought was the love of her life. She was the victim of a “romance scam”.
Read more (german): Tagesanzeiger: Er gaukelte der Zürcherin Liebe vor, sie verlor 180'000 Franken
Twitter Hack
In July 2020, 130 international celebrities’ Twitter profiles were hacked. Twitter called it a coordinated social engineering attack that was targeted at employees with access to internal systems and tools.
Read more: BBC: Twitter hack: What went wrong and why it matters
Additional information
Definition of Social Engineering
WikipediaInternet Schutzbrief
TCSMore about Social Engineering
eBanking but secure!More about Phishing
eBanking but secure!Test your knowledge in the Phishing Test
eBanking but secure!More about CEO Fraud
eBanking but secure!More about Investment Fraud
eBanking but secure!Current cases and common phenomena
Cybercrimepolice (german)