
E3 | Social Engineering

This module will cover social engineering and phishing. You will learn how to recognize and react to phishing attempts and other online scams.

  • Good virus protection and regular updates help fight malware, but hackers don’t just rely on software vulnerabilities. They also use simple psychological tricks referred to as social engineering.

    Social engineering is an umbrella term for many types of fraud and deception:

    • the man on the phone who pretends to be a bank employee and asks for your account details
    • an email that supposedly comes from a colleague asking for quick help in editing the attached Word document
    • a message from the head of another department in the office requesting an urgent bank transfer

    Social engineering online usually takes the form of phishing. Here you can find out what phishing is and how to protect yourself from it.

  • In front of a figure is a fishing rod with a fish at the end of the fishing line.

    Phishing is a modern term combining the words “password” and “fishing.” Phishing attempts usually aim to obtain sensitive information such as login data for websites, credit card numbers, or access codes for online banking.

    Most phishing attempts come in the form of email, sometimes disguised as legitimate messages from trustworthy sites. However, you may also encounter phishing attempts by websites, through video calls (“vishing”), or through SMS messages (“smishing”). A new scam features SMS messages with supposed links to track a package. Many users are not yet as careful with dubious SMS messages as they are with suspicious emails, which is why this scam has a high success rate.

  • Phishing emails often appear legitimate at first glance, using logos of banks or large companies such as Amazon or eBay in the messages. Phishing scams are particularly conniving because they are often presented as services to fight online fraud. They warn you that your data has been compromised, or one of your online accounts has been hacked, then prompt you to re-enter your credentials or click on a link they supply in their email.

    The following points can help you recognize phishing emails:

    To enhance readability, emails often only display a sender’s name without showing their entire email address. To find the sender’s email address, click on the icon next to their name, which might be an arrow symbol or a button labeled “Details.” By clicking here it is often possible to see if the sender’s email address really matches who they claim to be.

     

    Other questions you can ask yourself to recognize phishing:

    • Did you get an unsolicited, overly tempting offer that seems too good to be true? Well, it probably is.
    • Is the email from a payment service provider or a company you don’t have an account with?
    • Does the email refer to an order, an open invoice, or a contractual matter that you have no knowledge of?
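
The sender check described above (comparing the displayed name with the actual address) can also be automated. The following is an added example, not part of the original module; the brand-to-domain list and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr
import re

# Assumed allowlist: brand keyword -> domains that brand legitimately sends from.
KNOWN_SENDERS = {
    "amazon": {"amazon.com", "amazon.de"},
    "ebay": {"ebay.com", "ebay.de"},
}

# Matches an email address written inside the display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from_header(from_header, known=KNOWN_SENDERS):
    """Return a list of warnings for one From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable sender address"]
    warnings = []
    domain = addr.rsplit("@", 1)[1].lower()
    # 1. Display name claims a brand, but the address is on another domain.
    for brand, allowed in known.items():
        if brand in name.lower() and not domain_matches(domain, allowed):
            warnings.append(f"name mentions '{brand}' but address is at {domain}")
    # 2. Display name shows an email address that differs from the real one.
    for shown in ADDR_IN_NAME.findall(name):
        if shown.lower() != addr.lower():
            warnings.append(f"name shows {shown} but real address is {addr}")
    return warnings


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    'Amazon Customer Service <service@amazon.com>',
    'Amazon Security <alert@amazon.com.account-check.example>',
    '"support@ebay.com" <billing@mail-ebay.example>',
    'Jane Doe <jane.doe@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from_header(header) or "no mismatch found")
```

A clean result only means the name and address are consistent with each other; it does not prove the message is genuine.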
  • Phishing is part of everyday digital life, and the fact that scammers have somehow obtained your email address and are now trying to scam you is above all annoying. Here is the best way to deal with phishing emails:

    Many phishing attempts don’t even get through to you. Most email providers have a filter that blocks suspicious emails or automatically moves them to a spam folder. Open your email account and take a look at your “Spam” or “Junk” folder. It is likely full of dubious phishing attempts. No further action is required other than emptying the folder.

    If a phishing email makes it through your spam filter into your inbox and you can immediately tell from the subject line that something is off, simply delete it.

    In some rare cases, even opening a phishing email can pose a slight risk. If you’re unsure about an email, simply delete it without opening it. The majority of phishing attempts occur in the text or attachments of an email (i.e. as soon as images are downloaded or links or attachments are clicked). So take your time and look carefully for signs of deception once you have opened the email. If the email still seems suspicious, delete it immediately.

    Are you still not sure? You can try searching the web for the supposed sender or the exact subject of the mail. Has one of your accounts allegedly been hacked, or were you asked to confirm your login details? Then type the provider’s web address by hand into your browser’s address bar and log in manually instead of clicking on the link provided in the email. If you’re still unsure, and it appears the email might actually come from a provider that you use, call their customer support desk to confirm this.

    Have you received an email from an acquaintance that somehow sounds strange? Short sentences (“Do you remember this photo?”), strange wording, or unexpected messages with links or attachments are always warning signs. When in doubt, simply call the person directly and ask if they really sent you an email. This is also helpful because it may tip the person off that their account has been hacked or compromised in the first place.

  • Did you accidentally click on a link in a phishing email? Don’t worry, these things can happen. Here’s what you can do to be on the safe side:

    1. Inform others
      Be open about being a phishing victim and try to warn others. The faster and more proactively you react, the better.
    2. Change your password
      If you’ve revealed your online account login information, change it immediately and create a new password for the account.
    3. Inform the provider
      Contact the relevant provider and let them know that your login data has been stolen. If necessary, your user account will be blocked, which is especially important when money is involved (such as online banking, payment services, or credit card accounts).
    4. File a complaint
      To be on the safe side, think about getting the police involved if the scammers try to steal your identity and shop online with your account details.