Nikolaos Kolaitis *

21st century, the century of information. In today’s society, information plays a supreme role in human life and more specifically in business. Information is now being exchanged at a very fast pace and, owing to the means through which it is now available, vast amounts of information are exchanged.

What does the term “information” mean? It is worth noting that the conceptual approach of the term indicates the multiplicity of the semantic spectrum of “information”, thus revealing the various characteristics of what constitutes information. Two definitions are:

1. A) 1) Anything of interest to someone and that one would like to know; in particular anything unusual, uncommon or expected is said to someone.

2) Any information transmitted from a source (via information, etc.) to a receiver.

3) The content transmitted through various media (GEORGE D. BABINIOTIS, Dictionary of the Modern Greek Language: With Comments on the Correct Use of Words, Athens: Lexicology Center, 1998).

1. B) Any element of knowledge or judgment that is transmitted with the help of speech, sound or image, as well as through all the symbols understandable to people, in order to inform them about an event or topic (EMM. KRIARAS, New Greek Dictionary of Modern Primary Language, Written and Spoken, Athens: Ekdotiki Athinon, 1995).

Also read: Quantum computing and cryptography | The key to achieving resilience, technological sovereignty and leadership

As a concept information has always been used, nevertheless the amount of information produced is a concept that has varied over the years; a variation in terms of the ‘position’ and the ‘role’ of information within the framework of all our social activities to such an extent as to live ‘the Information Age’ today. The evolution of society in relation to the evolution of technology and science, and vice versa, have led to the rapid production and use of information.

The Information Age essentially involves the social and economic development that comes from the processing, acquisition, storage and transfer of information so as to create knowledge that meets needs at all levels. Levels ranging from economy to national security.

Bacon stated that “knowledge is power” in Information Societies. Information is power, while the acquisition of power through information can be achieved through legal as well as illegal means. So securing “valuable information” against interception is as important as ‘physically’ securing and preventing a bank from being stolen. What if personal data, business data or national security data are stolen?

This article deals with the crime of Social Engineering. According to Interpol, Social Engineering is considered to be a fraud crime.

Also read: Europol | The DarkMarket, the world’s largest illegal dark internet market, has been taken down

“Loose lips sink ships“. The phrase comes from the American posters of World War II whose purpose was to inform the civilians and especially the soldiers to avoid reporting any information about the routes of the ships, as it could be intercepted by the enemy and its secret agents. Apart from the literal protection of ships, this had to do with the general effort of the State to promote the awareness that in no case should any information that could jeopardize military missions, strategies and especially national security be disclosed.

“The stronger the security chain links, the more easily can people weaken under certain conditions”.

The most effective interpretation is given by one of the most famous hackers and social engineers – and after his release – ethical hacker and security consultant, Kevin Mitnick, who states that Social Engineering is the science by which a person can skillfully manipulate and deceive in order to gain a more “intimate relationship” with another person – who works for an organization or otherwise – in order to provide information that he/she covets. As will be demonstrated below, Social Engineering uses multiple tools and techniques. Nevertheless, Psychological Manipulation is one of the most important.

Social Engineering and Psychological Manipulation techniques probably date back to the time when speech was initially used as a means of communication. Such policies of social engineering and manipulation, for example, were strongly presented in authoritarian regimes in the 1920s and in the transition from Tsarism to a New Soviet Union when the Soviet government launched a campaign to radically change the behavior and ideals of Soviet citizens in order to replace the outdated social contexts of the Russian Empire with a new Soviet culture and the formation of the new Soviet.

Also read: Cyberattack on CNA | What the Digital Security Authority says

There are two (2) basic types of Social Engineering: Mass Fraud aimed at large groups of people and Targeted Fraud against individuals and businesses.

The main goal of the perpetrator is to have access to information in order to gain access to various systems or more general yet important information with which they will possibly commit business espionage, espionage, account theft, identity theft, confidential documents theft, sabotage, blackmail through stolen information or ransom through stolen information. The list is long. The method mostly follows four (4) basic steps: information gathering, relationship development between attacker and victim, victim exploitation and finally plan – “attack” implementation.

In his book “The Art of War“, Sun Tzu states that “all war is based on deception”. Social engineering is based on basic principles that govern human behavior and often define the latter so as to manipulate such principles accordingly.

The principle of Reciprocity has to do with the individual feeling obligated to help fellow people.

The principle of Power has to do with the individual and their tendency to respond to other persons who hold or invoke, in this case, positions of ‘prestige’.

The principle of Social Proof has to do with the individual and their tendency to perceive other people with common interests as role models.

The principle of Value and the tendency of the individual to evaluate some rare things as of greater value in contrast to more ‘common’ ones.

The principle of Consistency and Commitment and the tendency of the individual to try to maintain the image and the data for himself.

A common variable of attacks is that the victim is mostly in a “comfort zone”, in a familiar environment, whether this is their home, office, phone or computer.

A common social engineering technique is that of “Pretexting“. In this technique, ‘prestige’ and ‘power’ are used as a lever to exert pressure on the victim, pretending to be a superior at work, the police, a bank, public services and more. More specifically, a virtual scenario is often used over the phone for the “perpetrator” to obtain various information. So, taking advantage of ‘basic’ information such as one’s father’s name or their place of birth, using pretexting they end up extracting more important information such as bank account information. This technique is often used to target bodies through their members in lower positions. The three (3) components commonly used so that this technique is effective are the right tone, right gender and preparation (knowledge of any ‘additional’ information).

Also read: Digital Security Authority | Participation in international network for the protection of the Cypriot cyberspace

“Phishing” is another common and topical technique in which the “attack”-contact is the email or even the text message on the phone. One example might be the social engineer presenting himself through a legitimate company which the victim works with. Usually, there is an emergency in terms of some details missing or details that have expired and need to be re-registered. So the victim is referred to a virtual link which has been created by the “phisher” so as to look like a legitimate site (logos, communication methods, headquarters addresses, etc.).

Another technique for obtaining ‘additional’ information is that of ‘Dumpster Diving’ or ‘Trashing’. Any kind of information that seems useless to us is very likely to be discarded. These documents often have to do with clientele, accounting issues and more generally the “who”, “what” and “where” of a business, a household or a public service.

The truth is found in the statistics of the first half of 2019: there have been data breaches in 4.1 billion files (RiskBased), 71% of breaches were based on financial motives and 25% based on espionage (Verizon), 52% of violations involved piracy, 28% involved malware and 32-33% involved phishing or social engineering, respectively (Verizon). Another statistic comes from the founder of the antivirus company McAfee who stressed that Social Engineering became the main tool for 75% of hackers, with this percentage reaching 90% for the most famous and successful ones.

As in all Security matters, prevention is the Supreme Defence. The main prevention methods have to do with three (3) main pillars: the training and information of the staff, the research on the company’s penetration testing, internal drills and mainly the creation of policies and procedures for security and information management.

Jaron Lanier – who is considered the founder of the virtual reality sector – typically stated that “it is impossible to work in information technology without also engaging in social engineering.”

Social Engineering targets information, regardless of its form. It is a crucial fact for the information society and a matter of supreme security for all bodies, services and organizations.

* BA, MA, DipSec, CCO

Also read:  

** The opinions and/or comments expressed in an article are those of the author’s and/or visitor’s/user’s and may not constitute an opinion and /or position and/or be endorsed as such by the company and/or the website administrators. For more info please refer to the terms of use of the website.