IT security at the University of Bern

Social engineering: How cybercriminals trick us

Emails that threaten to delete our data, text messages announcing that we've won a big prize, or Facebook friends who might be the love of our lives – unexpected online encounters are seldom what they seem. Find out more about internet scams, how cybercriminals ensnare their victims, and what you can do to protect yourself.

What is social engineering?

Social engineering is a technique used to scam people. Criminals use psychological tricks to mislead us: to convince us to divulge confidential information, to get us to send them money, or to gain access to the IT networks of the companies we work for. The method of attack is always aimed at exploiting certain patterns of behavior. In this context, you could replace "social engineering" with "influencing people's behavior" or "social manipulation."


How does it work?

In certain situations, we react without questioning our own responses. Especially when these situations involve powerful emotions such as stress, fear, or love: "My account is going to be deleted in five minutes?!" "This IT expert needs my password?!" "The love of my life, whom I met online, needs money so she can take care of a sick child?!" When criminals can successfully disguise themselves as other people or as companies, they can put us in situations where we are vulnerable or feel obligated to do something that will harm us.

How to spot a social engineering scenario

Criminals use psychological tricks to manipulate us. To this end, they always play on our emotions in a way that puts pressure on us and inhibits our ability to think critically. Always be skeptical when you receive any emails or phone calls with the following key characteristics:

  • Threats: If you don't do X, Y will happen!
  • Urgency: You need to act now!
  • Exclusivity: This offer is just for you!
  • Requests: I need help!

Common scenarios

Everyone is looking for a great deal or the chance to get an exclusive discount. Criminals take advantage of this fact by running fake webshops with tempting offers.

"Get a new iPhone for an incredible 50% off! Today only and exclusively for you!"

Name-brand sneakers for just CHF 20? A designer bag for 40% off? Sounds amazing! These deals are usually only available for one day or even just for an hour. In this way, criminals try to create stressful situations so that we will jump on this one-of-a-kind offer.

We click and enter our credit card information to make a payment. Unfortunately, that bargain will never arrive.

When the people we love are in need, we're happy to help them unquestioningly. Criminals take advantage of this willingness to help. Disguised as a soldier or a doctor deployed abroad, they win our hearts and earn our trust by writing us loving online messages over a long period.

Finally, it's time to meet offline. But before that happens, the love of your life tells you that their niece needs an operation that will be very, very expensive.

"I think about you all the time, and I can't wait to finally meet you. Unfortunately, I need to wait until my niece has her operation. It's major surgery, and it's very, very expensive..."

The victim is in love and wants to help, so they're more than willing to offer financial support to this person's family.

Criminals threaten us with negative consequences if we do not act immediately and without hesitation.

Your manager is on vacation. At the end of the workday, you receive an email telling you to pay the attached invoice immediately (!). If you don't, the company will lose a client.

"I cannot be reached by phone at the moment, but it's extremely important that you make the payment this evening before you leave the office! Otherwise, you will lose this client! Please keep this matter confidential!"

Your manager would do it themselves, but they aren't in the office at the moment and were unable to reach anyone else this late in the evening.

But: The client's email and the account information are fake.

At first, every victim is suspicious or unsure if they should trust

Criminals use the following techniques to eliminate any doubts:

  • They claim to be a trustworthy person such as a woman, a senior citizen, a police officer, or a boss or manager.
  • They involve family members, acquaintances, or respected persons in the scam to confirm the situation/the urgency.
  • They send fake copies of IDs or passports or falsified documents such as delivery slips, tickets, or contracts.
  • They assure you that the money you transfer will go to a "secure account".
  • They involve fictitious businesses like delivery services with real websites.

What should I do? – Breathe. Reality check. Verify.

Breathe: Whenever you receive an urgent request, take a deep breath before you react. Think for a minute before you click any links or transfer any money. Then do a reality check.

Reality check: If something seems too good to be true, then it probably is – especially on the internet. Ask yourself whether the request or offer that you've received via email or by phone is realistic. Did I buy a lottery ticket? Would a designer ever sell their bags for such a low price?

Verify: If you're still not sure after the reality check, then verify the situation. Is it a suspicious message from your bank? Then call your bank. Is it a message from your boss? Then talk to them. Or perhaps you received an invoice or a contract from a company you are familiar with? Then contact that company.

Has it already happened? Don't panic.

Did you transfer money?

  • Talk to your bank.
  • Stop all communications with the cybercriminal.
  • File a complaint with the police.

Did you give them your password?

  • Change your passwords.
  • Run your antivirus software.
  • Talk to your IT department.

Real-life cases

The Swiss company Emile Egger fell victim to a "CEO fraud" scam, and the IT network of the car importer AMAG was hacked using a malicious email attachment. In both cases, the damages were in the millions.

A woman from Zurich was scammed out of CHF 180'000 by the person she thought was the love of her life. She was the victim of a "romance scam."

In July 2020, 130 international celebrities' Twitter profiles were hacked. Twitter called it a coordinated social engineering attack that was targeted at employees with access to internal systems and tools.