
Cyber threats: what role does the human factor play?

June 5, 2024

The rise of cyber attacks on businesses is one of the greatest challenges of our time. These attacks are increasingly insidious and are often difficult to detect at first glance. Victims of hacking face ransom demands and the loss of highly sensitive data. In the worst-case scenario, the very existence of the company is at risk.

In this threatening cyber landscape, the human factor is critical, as most cyber attacks exploit human weaknesses. Whether an attack is successful or not often depends on a company’s people. We therefore want to take a closer look at the following in this article:

Recent statistics from the European Union Agency for Cybersecurity covering July 2021 to July 2022 illustrate the extent of the threat: with more than 10 terabytes of data stolen per month, ransomware Trojans are one of the biggest cyber threats in the EU, and phishing is currently considered the most common initial access vector for such attacks. Denial of Service (DoS) attacks are also among the most serious threats.

[Figure: Damage per year]

These figures underscore the urgency for companies to strengthen their cyber defenses. According to a study commissioned by the German digital industry association Bitkom, data theft, espionage and sabotage will cost the German economy €206 billion in 2023. This will be the third year in a row that the damage has exceeded the 200 billion euro mark (2022: 203 billion euros, 2021: 223 billion euros).

Definitions of various cyber attacks

Social engineering and human vulnerability

Cyber security isn’t just about computer systems and networks. The users of these technologies are at least as important. Social engineering allows perpetrators to target the human factor as the perceived weakest link in the security chain. According to the European Union Agency for Cybersecurity, a whopping 82% of all data breaches in 2022 succeeded due to social engineering.

When advanced software, firewalls, and virus scanners fail, cyber criminals try alternative methods to get users to install malware or reveal sensitive information such as passwords.

Similar to doorstep scams, cyber criminals rely on pretending to have a personal relationship with the victim or luring them in with the promise of a prize. There are many variations of this approach, known as phishing. In some cases, indirect contact is even made through friends of the actual victim. Social engineering cleverly exploits human traits such as helpfulness, trust, fear, or a sense of authority to manipulate people.

Cyber criminals use social engineering to trick victims into revealing confidential information, bypassing security, transferring money, or installing malware on personal devices or computers on the corporate network.

Social engineering is nothing new and has been the basis of scams since time immemorial. But in the age of digital communication, criminals have new, highly effective ways to reach millions of potential victims.

[Figure: Percentage of social engineering cases]

Recognizing phishing emails 

Probably the best known form of social engineering is phishing. Cleverly crafted emails often look deceptively real and are designed to trick people into clicking on a link in the email. On the fake website that opens, the user enters credentials that are intercepted by the attackers.

In addition to the mass sending of phishing emails, a more precise variant of this method, known as spear phishing, is increasingly effective. Here, emails are specifically tailored to small groups or individuals after prior research, which significantly increases the "hit rate".

Another sophisticated variant is CEO fraud, in which criminals attempt to manipulate decision-makers or employees in companies who are authorized to make payments. They pretend to be acting on behalf of the company's top management and attempt to initiate what they claim to be urgent transfers of large sums of money.

Recognizing phishing emails requires vigilance. Employee awareness training is essential to stay ahead of the ever-evolving scams and ensure data security.

There are clues that characterize fraudulent emails. These are almost identical in the personal and business environments. There are also special steps you can take to increase home office security.


1. Grammar and spelling errors

Emails with incorrect language are the easiest to spot. Often they weren’t written in the target language at all but were run through an automatic translation service, and the result of a machine translation frequently sounds strange or is simply wrong. Other signs of such emails are punctuation errors or missing umlauts. But beware: with the increasing use of artificial intelligence and ever-improving machine translation, such errors will occur only very rarely, if at all, in the future.

2. Emails in foreign languages

Emails in foreign languages are also suspicious. German banks or organizations, for example, usually communicate in German. If you get an email supposedly from your bank in a different language, it's likely a scam.

3. Lack of a personal salutation

Legitimate senders, such as your bank or online payment services, will always address you by name in emails and will never use generic salutations such as "Dear customer" or "Dear user". But be careful: phishers often have access to your name and use it to address you personally.

4. Supposedly urgent action

If you receive an email asking you to act quickly or within a short period of time, you should also be suspicious - especially if the request is accompanied by a threat, such as an announcement that your credit card or online access will be blocked.


5. Request to enter data

You may be asked to enter personal information such as PIN, TAN, or password. Financial institutions never request personal information by phone or e-mail. This is one of the most important security rules.

6. Request to open files

An increasing number of phishing emails ask you to open a file that is either attached to the email or available for download via a link. If you receive an unexpected email, don't download or open such a file. They usually hide a malicious program, such as a virus or Trojan horse. Always be suspicious of emails that contain a file attachment.

7. Asking you to click on links or fill out forms

Only in exceptional cases do banks and other service providers send you emails with links that you are asked to click. They may email you to notify you of new terms and conditions, but never to ask you to log in to your account. It's better to visit the website yourself by typing the address directly into your browser's address bar.

8. Emails from unknown senders

Do you receive emails from a bank that doesn't normally send you emails or may not know your email address? Or are you being contacted by other service providers, online stores, or companies with whom you have no existing relationship? In these cases, you should delete those emails - but only if the scam is clear. However, if you've already clicked on a link or opened an attachment that may have infected you with a Trojan, you shouldn't delete the email as it is important evidence.


9. Verifying the trustworthiness of the sender

Some phishing emails are very well crafted. The sender's email address looks trustworthy, the link in the body looks trustworthy, and the language is correct. However, don't automatically assume that the email is authentic. Sender information and links in emails are easy to forge, and domain names can be spoofed with look-alike characters, for example a Cyrillic letter used in place of the Latin letter it resembles. Careful checking is essential.

Tip for internal company email: if you use Microsoft Teams, use the "sender check" via the Teams presence status shown for the sender. If the status is missing from a supposedly internal email, you can assume the email is not genuine. But even if the email does show this information, it isn't necessarily 100% safe. To be sure, double-check with the sender via Teams chat rather than by replying to the email.


10. Link verification

Special attention is required if the destination of a link in the email doesn't match the displayed text. To see the link destination, hover the mouse pointer over the link without clicking; the actual destination is then shown in a tooltip or in the status bar at the bottom of the window.

Identifying the destination domain is crucial. To do this, analyze the components of the host name, i.e. everything between the scheme (https://) and the first slash that follows it. What comes immediately before and after the last period is particularly relevant: the domain name and the top-level domain.

If the link can be uniquely associated with the organization from which the email originated, the link is likely to be legitimate.
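The hover check and the domain analysis above, together with the look-alike character warning from step 9, can be reproduced as a small script. The following is an added example and not code from the original article; the sample links are constructed for illustration (the host names in them are placeholders, not real phishing addresses). It applies the article's own rule of "domain name plus top-level domain" after the last period, flags non-ASCII or punycode host names, raw IP addresses and plain http:// targets, and compares the domain shown in the link text with the domain the link really points to.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: (text shown to the reader, real href target).
# Placeholder hosts only; none of these are real phishing URLs.
SAMPLE_LINKS = [
    ("https://www.example-bank.com/login", "https://www.example-bank.com/login"),
    ("https://www.example-bank.com/login", "https://example-bank.com.login-verify.example/portal"),
    ("https://www.example-bank.com", "https://www.ex\u0430mple-bank.com/"),  # Cyrillic 'а' in "example"
    ("Click here", "http://198.51.100.7/update.exe"),
]


def host_of(url: str) -> str:
    """Host part of a URL: everything between '://' and the first slash,
    lower-cased and stripped of port and credentials."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """The article's rule: what sits before and after the last period, i.e.
    'example-bank.com'. IP literals are returned unchanged.
    Caveat (added here): multi-level suffixes such as 'co.uk' need the
    Public Suffix List; this simple rule would return 'co.uk' for them."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_chars(host: str) -> list:
    """Describe non-ASCII characters in the host (possible homoglyphs such as
    Cyrillic 'а' for Latin 'a') and report punycode ('xn--') labels, which are
    how such hosts appear once encoded."""
    found = [f"{c!r} ({unicodedata.name(c, 'UNKNOWN')})" for c in host if ord(c) > 127]
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode label (xn--)")
    return found


def check_link(display_text: str, href: str) -> dict:
    """Compare what the reader sees with where the link goes and collect the
    findings the phishing checklist asks about."""
    target_host = host_of(href)
    target_dom = registrable_domain(target_host)
    problems = []

    # Displayed text that itself looks like a URL or domain must agree with
    # the real target domain (hypothetical heuristic: contains a dot, no spaces).
    shown = display_text.strip()
    if "." in shown and " " not in shown:
        shown_dom = registrable_domain(host_of(shown))
        if shown_dom != target_dom:
            problems.append(f"shown domain {shown_dom!r} != target domain {target_dom!r}")

    # Look-alike or encoded characters in the host name.
    for desc in lookalike_chars(target_host):
        problems.append(f"suspicious character in host: {desc}")

    # A bare IP address cannot be associated with any organisation.
    try:
        ipaddress.ip_address(target_host)
        problems.append("link target is a raw IP address, not an organisation's domain")
    except ValueError:
        pass

    # Plain http:// for a link that asks for action or a download.
    if urlsplit(href).scheme == "http":
        problems.append("unencrypted http:// link")

    return {
        "target_host": target_host,
        "target_domain": target_dom,
        "problems": problems,
        "verdict": "suspicious" if problems else "no findings",
    }


if __name__ == "__main__":
    for shown, href in SAMPLE_LINKS:
        result = check_link(shown, href)
        print(f"{shown!r} -> {href!r}: {result['verdict']}")
        for p in result["problems"]:
            print("   -", p)
```

The script is a triage aid, not a verdict: a link with no findings still has to be matched against the organisation the email claims to come from, which is the owner check described in the next section.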

Determining the domain owner

If the link domain doesn’t clearly match the originating domain, tools such as who.is can be used to determine the true owner of the domain. Unfortunately, this isn’t possible for all top-level domains. For example, .eu domains can only be queried through their central registry. However, who.is usually provides information on where else the owner can be queried.

If the owner and the originating domain match, it's safe to open the link. If they don't, proceed with caution. When in doubt, contact the sender by phone, consult your company's internal contact person, or follow ISO guidelines.

External link check

If you’re still unsure after all the previous checks, perform an external malware and reputation check using a tool such as the VirusTotal URL checker. It's important to submit the full URL and not just the domain. However, such tools should be used with caution, because the URL itself may contain confidential information that you would then be passing to a third party.

As a general rule, no technical protection measure is 100% secure.

The human security factor

The effectiveness of IT security is only as good as the people who operate the systems. Therefore, people should not be viewed as a potential security vulnerability, but as a shield against cyber attacks. More and more companies realize that IT security cannot be achieved through technical measures alone. Training personnel also plays an important role in protecting against cyber attacks. People aren't just part of the problem, they're also part of the solution. IT security affects every employee and every department in the organization.

Rapid detection of cyber attacks or social engineering attempts can prevent significant economic and intangible damage. Promoting appropriate awareness of the problem and security issues, as well as regular training, are therefore crucial preventive measures to strengthen the "human security factor".

Do you have any further questions or comments? Write to us - we look forward to hearing from you!
