12.10.2023 - The term "hacker" is often used in connection with cyberattacks. It is easy to have the impression that attackers primarily penetrate companies' IT systems through technical vulnerabilities – but this impression is misleading. In many cases, malware enters a company's system through its own employees because they have become victims of social engineering. For this reason, it is important that employees know the attack methods involved in social engineering and how they should behave in the event of an attack. Companies therefore sometimes use professional social engineers to raise employee awareness.
A study published in May 2022 by Lucerne University of Applied Sciences and Arts, Mobiliar and Economiesuisse showed that cyber-risks are often treated as a purely IT problem. However, social engineering methods can also make employees a weak point and thus a security risk. In social engineering, criminals obtain information about the company or organisational structure in advance. This is done using publicly accessible information that can be found on a company's website, for example. Based on the information they obtain, the attackers select a target person and confront them with a tailor-made scenario. The attacks are usually carried out by email (phishing) or telephone (vishing). The victims are made insecure by invoking factors such as urgency, authority, bottlenecks or financial disadvantages unless they act as desired.
However, social engineering does not take place solely online. Often, attackers also gain physical access to a building and restricted areas by following an authorised person and posing as maintenance staff or suppliers, for example. This is also known as tailgating. Most often, a tailgating attack involves a random act of kindness, such as holding the door open for a visitor without ID or an unknown person pretending to be an employee, courier or technician.
Companies sometimes hire professional social engineers to raise employees' awareness of social engineering. They act like attackers do, disguising themselves as caretakers or suppliers, for example, and gain access to the building. To provide an insight into the exciting work of a professional engineer, the NCSC is organising a brown bag lunch with Ivano Somaini on 19 October.
Interested parties can register here:
The presentations are held in German.
Tips
- Do not trust every caller or email.
- Do not allow yourself to be intimidated or put under pressure.
- Never disclose passwords or PINs on the phone or via email.
- Do not disclose business information to strangers.
- End implausible calls immediately and delete emails with obscure content straight away.
- Approach unknown persons on your premises.
Further information:
Last modification 12.10.2023