1.2
History and importance of cybersecurity
Interesting
Social engineering is not a new concept – it existed long before the emergence of computer systems. Manipulation, fraud and deception of people are as old as humanity itself. In the context of modern cybersecurity, however, social engineering techniques came into significant use, especially with the advent of the Internet and the mass use of information and communication technologies.
Key milestones:
  • 1970s and 1980s – the beginnings of “phone phreaking”
    One of the first known cases of social engineering was the circumvention of telephone systems using special sound frequencies. “Phone phreaks” such as John Draper (“Captain Crunch”) used technical knowledge and manipulation of operators to obtain free calls.
  • 1990s – Kevin Mitnick and the era of social manipulation
    Kevin Mitnick, one of the most famous hackers, used social engineering techniques to obtain access data and confidential information. He was known for being able to get company employees to unknowingly provide him with important data, often based on just a phone conversation.
  • 2000–2010 – the rise of phishing and malware
    With the massive rise of the Internet and email communication, phishing campaigns began to flourish, often targeting banking or login details. Attackers have used and continue to use forged emails that mimic communications from trusted institutions.
  • 2010–2020 – sophisticated targeted attacks and spear phishing
    Modern social engineering includes advanced techniques such as spear phishing, vishing, and attacks on organizations – BEC (Business E-mail Compromise).
  • 2020 – present – AI (Artificial Intelligence) and deepfake social engineering
    Deepfake-type forgeries, combined with artificial intelligence capabilities, can convincingly imitate the voice or face of a known person. Attacks are therefore much more targeted, well-thought-out and dangerous than in the past; they even allow manipulative communication to be automated.
Definition
Social engineering represents one of the most serious threats in cybersecurity.
Note
Its effectiveness lies in the fact that it primarily exploits human error (the most common cause of security incidents is the human factor, not a technical vulnerability), bypasses technical measures (even a technically well-secured system is vulnerable if it has a careless user), is flexible and adaptive (the attacker can adapt the strategy to a specific organization, victim or situation) and, last but not least, undermines trust (successful attacks disrupt relationships within the organization and users’ trust in the systems).
Interesting
According to reports such as the Verizon DBIR (Data Breach Investigations Report) or those published by ENISA (European Network and Information Security Agency), more than 90 % of successful cyber-attacks begin with social engineering. Phishing and BEC attacks are among the most common forms of attack on companies and institutions. In addition, the growing use of artificial intelligence and deepfake technologies significantly increases the threat level.
Disadvantage
What are the consequences of ignoring the above-mentioned threats? Primarily, there may be loss or leakage of sensitive data, financial losses or reputational damage. Furthermore, there may be disruption to the organization’s operations and loss of customer trust. Last but not least, there may also be legal and regulatory sanctions in the event of a data leak, e.g. in connection with GDPR (General Data Protection Regulation).
Summary
Social engineering is currently a phenomenon that is constantly adapting and developing, hand in hand with the development of technology. Its importance in the field of cybersecurity is constantly growing, which is why it is crucial not only to deploy appropriate technical measures, but above all to educate users and improve their security literacy.