Social Engineering - Die Psychologie des Angriffs

Social engineering is the most dangerous attack technique in practice—because it bypasses the most difficult part of an attack: technical security. People are more vulnerable than firewalls.

Psychological Attack Principles

6 Cialdini principles as weapons:

1. Authority

"I'm the CEO, I need this NOW"
IT support impersonation: "Microsoft Security Team"
Government agency impersonation: "Tax office, urgent tax audit"
Protection: Always verify identity (call back using a known number!)

2. Urgency / Time Pressure

"The account will be blocked in 2 hours!"
"Transfer the funds NOW—the boss is in a meeting"
Goal: To disable critical thinking
Protection: Pause + Follow standard procedures

3. Scarcity

"Only you can still solve this problem"
"The offer expires in 10 minutes"
Emotional: Fear of missing out (FOMO)

4. Reciprocity

"I helped you, now I need your access code"
Returning a favor is human nature—and it’s exploited!

"Everyone else in your department has already agreed"
"Your colleague Max has already given me the login credentials"
Validation by others = psychological safety anchor

6. Sympathy / Liking

Attacker builds trust beforehand (LinkedIn Research)
Shared hobbies, same school, mutual colleagues
The more likable = the less critical

PHISHING (Email)

Mass phishing: widely distributed, generic bait
Spear phishing: targeted, personalized (more dangerous!)
Whaling: CEO/CFO as the target (higher permissions!)

Recognition criteria:

Sender domain: support@m1crosoft.com (no "o," but a "1")
Hover link: shows a different URL than the displayed text
Time pressure: "Act now!", "Account locked"
Attachment: .exe, .js, .iso, encrypted ZIPs

VISHING (Voice/Phone)

IT support scam: "I'm from Microsoft, your PC is infected"
CEO fraud: Impersonation of the CEO via phone call
Deepfake vishing (2024): AI-generated voice of the CEO - Example: $243,000 transferred after AI call (Hong Kong 2024)
Call center fraud: Bank call, "Security Department"

SMISHING (SMS)

DHL/Amazon package delivery: "Please pay customs fees"
Bank SMS: "Your card has been blocked" + fake link
OTP hijacking: "Please confirm the code we sent you"

PRETEXTING

Creating a fabricated identity/story
Example: Attacker poses as an IT auditor
- Schedules an appointment via email (fake domain)
- Shows up at the office: "I need to check your workstation"
- Downloads tool (keylogger) onto PC → gains full access
Slow build-up: Weeks or months before the attack

BAITING

USB drive in the company parking lot: "GEHAELTER_2026.xlsx"
60% of people plug in found USB drives (IBM study)
Bait: free software, cracked games (full of malware)
Countermeasure: Disable USB ports (GPO/BIOS)

TAILGATING / PIGGYBACKING

Unauthorized access by following someone in
Classic scenario: Hands full with a coffee cup → someone holds the door
Protection: Mantraporting, security gates, awareness

Business Email Compromise (BEC) / CEO Fraud

Most dangerous social engineering attack.

CEO Fraud Process

Preparation (weeks):

OSINT: LinkedIn → CEO name, travel plans (conferences!)
Domain registration: c-eo@deutschebank-noreply.de (similar)
Target: Identify CFO or accounting department

Attack: 4. Email from "CEO": "I’m at a conference, won’t be available" 5. "We have an urgent acquisition—transfer 250,000 EUR" 6. "Don’t talk to anyone else – NDA! Discretion is essential" 7. "Accountant confirmed: Account: DE89370400440532013000 – now!"

Escalation if questioned:

"Don’t you believe me? Then I’m disappointed in you"
Combination of authority and guilt induction

Global losses:

FBI IC3 2024: $2.9 billion in losses due to BEC
DACH region: Known cases ranging from €10,000 to €10 million

Protection:

Dual-control principle for amounts over €5,000 (policy!)
Phone confirmation to a KNOWN number
Do not call back numbers from the email!
Transaction limit for initial transfers to new accounts
DMARC/DKIM/SPF: Prevent spoofing of your own domain

What AWARE7 checks during SE tests:

Phishing Simulation (Email)

Industry-specific lures (tax refund, HR, IT support)
Measure click-through rate (Target: < 5%)
Credential harvesting test (Target: 0 credentials entered!)
Reporting rate (Target: > 60% of emails reported)

Vishing Test (Phone)

Call posing as "IT Support": Please provide username + password
Call posing as "Service Provider": "I need the Wi-Fi password"
Measurement: Who discloses information?

Physical Penetration Test (On-Site)

Tailgating test: Does the tester enter the office?
USB drop: Do employees insert found USB drives?
Dumpster diving: Internal information in the trash?
"Forgotten" laptop in the lobby: Is it turned in?

OSINT Assessment

What information about the company is publicly available?
LinkedIn: Employees, department structure, tools (tech stack)
XING: German companies are often very transparent
Job postings: reveal technologies in use
Shodan/Censys: Exposed systems = talking points for SE

Procedural Controls (More Important Than Training!)

Dual-control principle: all payments over X EUR
Call-back policy: always verify identity (check own phone book entry!)
Escalation path: "I’m unsure" → who to ask?
Need-to-know: sensitive info only to authorized personnel
USB policy: private devices prohibited (enforce technically)
Clean Desk Policy: no passwords on Post-its

Security Awareness Training

Not a one-time event, but ongoing (annual = too infrequent)
Gamification: phishing simulation with immediate feedback
Positive reinforcement: reward reports (never punish!)
Real-world examples: showcase industry-relevant incidents

Technical Controls

DMARC/DKIM/SPF to prevent spoofing of your own domain
Email banner for external emails: [EXTERNAL] in subject line
MFA: even if credentials are compromised → no access
Anti-phishing solutions: URL rewriting, sandboxing

Reporting culture

"Blame-free reporting": no one is shamed
Simple reporting process: 1 click in Outlook (Phish Alert button)
Confirmation email: "Thank you for your report—we are investigating"
Metrics: Reporting rate is the most important KPI (higher = better)