Launch of the European Cybersecurity Month devoted to social engineering

02.10.2023 - The European Cybersecurity Month (ECSM) campaign is taking place in October. The annual Europe-wide initiative is organised by the European Union Agency for Cybersecurity (ENISA), together with the EU member states, and this year is dedicated to the topic of social engineering. As a cooperation partner of ENISA, the NCSC is taking an active role in the campaign. In order to raise awareness of social engineering among the general public, the NCSC has worked with various organisations to develop targeted content for young people, working people and senior citizens. The partner networks distribute all campaign material across Switzerland.

Cybercriminals are not only tech-savvy, but often also adept at manipulating their victims. Social engineering refers to the use of psychology and manipulation by cybercriminals to obtain valuable information or money. It exploits basic human characteristics such as desire, trust, curiosity, fear or respect for authority. Earning or surreptitiously gaining trust plays a central role in this. Chantal Billaud from Swiss Crime Prevention (SCP), who is confronted with this issue on a daily basis, provides information on the topic of social engineering.

Psychology and manipulation in the cybercriminal environment – an interview by the NCSC with Chantal Billaud of the SCP

What does social engineering mean?
Social engineering is a technical term that emerged with the advent of cybercrime. It refers to attempts by cybercriminals to manipulate human behaviour using various techniques, for example, to obtain people's data, gain access to their digital devices or obtain money from them.

How do you rate the current danger posed by social engineering?
Criminals have been using these techniques since the beginning of cybercrime. Experts repeatedly report that humans are the main weak point in cybersecurity: the danger is always present and acute. Therefore, raising awareness is very important. The more effective any additional technical protective measures are, the greater the obstacles to successful social engineering efforts will be.

What are the core issues involved in social engineering from a psychological and criminological point of view?
These two questions cannot be answered independently of each other. The psychological perspective looks at the victim; the criminological perspective at the perpetrator. Victimology (hypotheses and theories on victimisation) is also part of criminology and thus both questions address the same issue: criminals trying to exploit human vulnerabilities in a targeted way in order to gain the desired access or information. Depending on the type of fraud, different vulnerabilities (core issue lies with the victims) are attacked using different types of manipulation (core issue lies with the perpetrators). The vulnerabilities range from yearning for love to pure greed for money. The manipulations range from simple spam with promises of winning a Spanish lottery to hours or days of spying on corporate decision-makers.

One aspect of social engineering is establishing a foundation of trust. How do cybercriminals do this?
Establishing trust is a prerequisite for successful manipulation. In contrast to technical hacking, fraudsters want people to perform an action that plays into the hands of the criminals. This involves processes such as communicating passwords, allowing computer access, clicking on links, opening attachments and using infected memory sticks. Similar to theft, hacking can be compared to classic burglary, and data theft by means of human manipulation can be compared to theft by con artists. For example, some criminals break down doors and others use nasty tricks to gain access. It is not only the knowledge and skills about how to establish trust that are part of social engineers' psychological know-how, but also understanding other ways of behaving that are suited to achieving the desired goal through manipulation.

Do you have a specific example?
We see examples of this every day. Every advance-fee fraud email involves social engineering methods, as does every phishing email and every contact request on social media from (beautiful, overly amorous, successful) strangers. A typical type of scam that uses manipulation as a core competency is the romance scam, also known as the love scam. Scammers focus their criminal energy on building trust and creating emotional dependency.

A specific example was highlighted in the programme Kassensturz Espresso: https://www.srf.ch/sendungen/kassensturz-espresso/multimedia-teil-1-honey-i-miss-you-so-much

In principle, it is always the same story: creating trust, winning the victim's heart, establishing emotional dependency, reporting an emergency, appealing to love and helpfulness, and demanding money so that people can finally get together. Exchanges can go on for months and even years!

Who are the victims of social engineering?
As already mentioned, everyone is confronted with social engineering on a daily basis. Whether the attempted manipulation leads to success depends on whether it finds an acute weakness. If the person also has little media skills or simply underestimates the possibilities of manipulation on the internet, successful fraud becomes more likely.

In short, it can affect anyone and everyone, because cybercriminals target their scams at a wide variety of weak spots. And who never has a weak moment? The SCP has written an article on this: https://www.skppsc.ch/de/wer-ist-anfallig-fur-betrugsdelikte/

How do cybercriminals choose their victims? Are there certain characteristics that cybercriminals look for when selecting their victims?
Here, too, an analogy can be made with burglary: burglars who are after smaller sums of money use simple burglary tools and every chance they get. Their attempts are relatively random and in some cases they get lucky quickly because of insufficient security, and other times they fail.

This is also how all spam works. The same attempts at manipulation and data theft are sent to countless people. Some fall for the scam, while everyone else deletes the messages.

When cybercriminals have their sights set on a big catch, they prepare more intensively, e.g. like a bank robber. In the case of CEO fraud, for example, a lot of preparatory work is often done by the criminals; they spy on the company's data, find out about the decision-makers in the company, etc. So the formula is the same as for classic crimes (and also for legal business transactions...): the greater the anticipated profit, the greater the preparation.

An additional point: criminals who work using spam or other mass requests start with little effort, but drastically increase their efforts – especially in social engineering – once a person has "taken the bait". In love scams, and also in investment scams, for example, the criminals invest a lot of time and energy in order to really catch their fish – hook, line and sinker. That means they write, call and try any means to convince the victim of the authenticity of their offer (bitcoin fortune or being able to marry a successful professor from Canada).

Is there a connection between victims' life situation and the likelihood of becoming a victim of social engineering (e.g. lack of money, prestige or physical/mental attention)?
As explained, matching a scam to what the victim is lacking is the key to success.

Victims of social engineering often feel ashamed because they have fallen for a perfidious scam. How do you respond to victims?
Yes, we see that too, especially with victims of love scams, where the financial loss is one thing, but the complete loss of trust in the other person and especially in one's own emotions is another. We try to make it clear to the victims that we know exactly how perfidious and professional cybercriminals are and that it can happen to anyone. Moreover, the police punish criminal acts and not the legitimate feelings of those affected. It is the criminals who should be ashamed, not the victims, but unfortunately we have no influence on that.

What are the financial and emotional consequences of social engineering?
The loss depends on the specific case. The emotional damage is greater when the victim has also made an emotional investment, which is usually worst in the case of love scams. There are now self-help groups for victims of love scams, and in very serious cases we recommend psychotherapeutic support.

Scams always involve a loss of money. How drastic this is depends on the amount of the loss in relation to the victim's finances as a whole.

The amount of loss is therefore always relative.

How can you recognise social engineering and how can you protect yourself from it?
This issue is too complex and variable to be able to give a blanket answer. The saying, "if something seems to be too good to be true, it probably is", can be used as a guideline. But what does this mean for a person who suffers from acute financial difficulties, is completely desperate and therefore jumps at an offer that promises the solution to all their problems? Rational thinking stops precisely at such times. This is why one piece of good advice is: when faced with very welcome and tempting offers – be it financial or romantic – always sleep on it before responding. To prevent this, criminals usually put pressure on people to act quickly. It is also always advisable to get friends and family involved, as they usually have a more neutral perspective on the situation. Googling is often helpful, too, because although scams change quickly, the web also reacts quickly to them and the first people to fall foul frequently post reports on the web. If you are unsure, you can also contact the SCP or the cantonal police.

What final message would you like to give to our readers?
Fraudsters will manipulate and misuse everything on the internet, and I really mean everything. And they do so in such a way that it is impossible for everyone to check for authenticity. With the use of artificial intelligence, this problem will intensify enormously. Therefore, a healthy level of mistrust is generally called for and, in case of doubt, ask specialists and trusted people from the real world.


Last modification 02.10.2023


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/ecsm-2023-start.html