
Social engineering

The image shows a mouse pointer clicking on a cat video. The text reads: Paws off from unknown links!
Image: Staff Unit Information Security

What is social engineering?

Social engineering is not a new master's degree at a technical college, but another method attackers use to get you to do things you would not otherwise do. As with phishing, the attackers are usually after your credit card or account data, your passwords, or other sensitive information such as unpublished research results.

The attacks are particularly perfidious because they exploit human weaknesses and mistakes rather than technical ones: our willingness to help, our trust, and our respect for authority.

In social engineering, the target is not your computer or smartphone, but you. An attacker typically researches you first, using your social media profiles and every other available source to gather as much information about you as possible. You then receive a personalized e-mail with an authentic-looking request: for example, a supposed acquaintance asks you for the latest results of an ongoing experiment, allegedly for an important study. Behind it are the attackers.

Social engineering uses a variety of channels: telephone, e-mail, text message, or direct message in an app. The attackers cast a wide net. Many of us know the example of a caller claiming to be IT support who urgently needs to fix a problem on your PC. All you have to do is install remote-access software and hand over a password.

Another example is a technician who just wants to check the heating and suggests that you go out for a cup of coffee in the meantime. It is particularly convenient for them if you leave your computer unlocked so they can access your data.

A concrete example of social engineering at Philipps University

In the past, social engineering attacks at Philipps University have often come by e-mail. Here is a fictional example, based on real cases, of such a scam e-mail:

The image shows an example of a scam email. In this case, an institute management asks the addressees for an urgent favor.
Text of a scam mail

We have marked in red where you can tell that something is wrong with the e-mail. If you look closely at the sender's address, you will notice that the e-mail does not come from Philipps University. This is often the case with fraudulent e-mails and is reason enough to be cautious. How to determine the actual sender of an e-mail is explained on the page about phishing.

In the cases we have observed at Philipps University, someone posing as the head of an organizational unit asks employees to contact them urgently; again, everything supposedly has to happen very quickly. Once you reply to the e-mail, you are asked, for example, to buy voucher codes, to transfer money to an account that the scammers helpfully provide, or to hand over sensitive data such as account details or passwords.

How to protect yourself:

When it comes to protecting yourself from social engineering, it is primarily up to you, because you are the target of the attack.

  • Stay calm and don't react hastily, even if you think you have to act quickly. Take the time to think.
  • E-mail is an asynchronous communication medium. If someone genuinely needed something from you urgently, they would probably phone. If you are skeptical, call your supervisor and ask whether they actually wrote the e-mail. Don't be pressured: anyone who needs money, documents or information in a hurry can also spare the few minutes it takes to return a call.
  • Make work-related phone calls in appropriate places, not on the bus, on the train or at the supermarket checkout.
  • Be sparing with professional information on social networks.
  • If you receive e-mails with file attachments you weren't expecting, ask the person you received the e-mail from personally or call them before opening the attachments.
  • Do not leave unknown people unattended in your office.
  • Lock your computer (Windows key + L) whenever you step away from it, even for a short trip to the toilet.
  • Attackers usually spoof the sender address, so look closely at where the e-mail really comes from.
  • No reputable support service will ever ask you for your password.
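The two pieces of advice above that concern the sender address (the scam e-mail "does not originate from Philipps University", and "look closely at where the e-mail really comes from") can be turned into a mechanical first check. The following Python script is an added example written for this page, not a tool of Philipps University; it assumes that uni-marburg.de is the organization's only legitimate mail domain and parses three constructed messages modelled on the pattern described here (an "urgent favour" from supposed management). It flags a From address outside that domain, a Reply-To that redirects answers to a different domain, and a display name that itself looks like an internal address while the real address is external.

```python
"""Heuristic sender checks for suspicious e-mails.

Added example for this page, not the university's own tooling.
Assumption: uni-marburg.de is the only legitimate internal domain.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"uni-marburg.de"}  # assumption: the organization's domain

# Constructed sample 1: the "urgent favour" scam pattern described above.
# External mailbox, and a Reply-To that sends answers somewhere else again.
SAMPLE_SCAM = b"""\
From: "Institute Management" <institute.management@webmail-example.invalid>
Reply-To: urgent.request@reply-example.invalid
To: staff@uni-marburg.de
Subject: Urgent favour
Content-Type: text/plain; charset=utf-8

Are you in the office? I need you to take care of something for me quickly.
"""

# Constructed sample 2: the display name is made to look like an internal
# address, but the real address sits in the angle brackets.
SAMPLE_LOOKALIKE = b"""\
From: "management@uni-marburg.de" <contact@mail-example.invalid>
To: staff@uni-marburg.de
Subject: Quick question

Do you have a minute?
"""

# Constructed sample 3: a message that should produce no warning.
SAMPLE_LEGIT = b"""\
From: "Institute Management" <management@uni-marburg.de>
To: staff@uni-marburg.de
Subject: Meeting next week

Please see the attached agenda.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; '' if there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_internal(domain: str) -> bool:
    """True for an internal domain or one of its sub-domains."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def check_sender(raw: bytes) -> list:
    """Return human-readable warnings about the sender headers.

    An empty list means nothing was flagged, which is not proof that the
    message is genuine: these are crude checks for crude spoofing only.
    """
    msg = email.message_from_bytes(raw)
    warnings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_addr:
        warnings.append("no parsable From address")
    elif not is_internal(from_domain):
        warnings.append(f"From address is external: {from_addr}")

    # A display name that contains an address is a classic trick: mail
    # clients often show only the name, hiding the real address.
    if "@" in from_name and domain_of(from_name) != from_domain:
        warnings.append(
            f"display name looks like a different address: {from_name!r} "
            f"but mail comes from {from_addr}"
        )

    # Replies going to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(
            f"Reply-To ({reply_addr}) differs from From domain ({from_domain})"
        )
    return warnings


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("legit", SAMPLE_LEGIT)):
        print(label, "->", check_sender(sample) or ["no warnings"])
```

Note the caveat in the docstring: a clean result from these checks does not mean the message is genuine. A compromised internal account passes every one of them, which is exactly why the advice above to pick up the phone and ask still applies.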

If it has already happened...

In stressful situations, or faced with a well-crafted phishing e-mail, any of us can be caught in the attacker's net. What matters then is reacting correctly and quickly to limit the damage. Therefore:

Immediately change the password of the affected account! Then:

Keep calm & report an IT emergency.
Please contact your IT administration and/or:

IT emergency phone number: 06421 28-28281
E-mail: it-sicherheit@uni-marburg.de