Are computer or telephone passwords really secret?

Cybercriminals disguise themselves as company bosses

Ever bolder: Cybercriminals disguise themselves as company bosses

The head of accounting at a Büdingen company stopped a transfer of more than 300,000 euros at the last minute. He had become suspicious shortly before, because his boss, the alleged sender of the email with the transfer order to a law firm in Luxembourg, was actually on vacation. And the email address had a typo. This example of attempted fraud against business people via the Internet was made public by the police in Friedberg. According to experts, the scam is on the rise. The spokesman for the State Criminal Police Office (LKA), Christoph Schulte, warns: "That can drive a company into ruin."

In so-called social engineering, criminals use personal information from the Internet primarily to get money, but also to find out business secrets. However, nobody knows exactly how many cases there are in Hesse each year.

Companies fear reputational damage

"Such an email in itself is not a criminal offense," explains the spokeswoman for the Friedberg police, Sylvia Frech. As long as things went well, as in the Büdingen case, many companies did not even turn to the police. But according to the LKA, many of the companies that did suffer losses did not file a complaint either, out of shame or because they feared damage to their reputation.

Just as unclear as the extent is the amount of damage, says Schulte. Often the damage cannot be quantified at first because it is about business secrets or business processes.

"Social engineering" also includes criminals who try to obtain passwords or internal company data over the phone. Sometimes, according to experts, the aim is also to find out the preferences of the person called. This is followed by e-mails disguised as information that are riddled with malware.

The President of the Federal Office for the Protection of the Constitution, Hans-Georg Maaßen, recently cited another example. Attackers were able to hack into a company because they had manipulated the online menu of an Italian restaurant that the company's boss likes to visit. When he then also used his private computer for business purposes, it was too late.

Healthy distrust

An employee of a Friedberg company was immediately skeptical when he received an email from his superior about an allegedly very secret dossier on the takeover of a foreign company. There was talk of a nondisclosure agreement; the employee was highly praised and asked to communicate on the subject only via email, including with his boss. Since the sender's name in the unusual email also contained transposed letters, the employee immediately turned to the company management and the police.

Where did the perpetrators get their information from? "Company appearances on the Internet mostly provide comprehensive information about the hierarchy in the company," warns the police. Mostly, the emails go to employees who are authorized to transfer money. "Any e-mail address can then be faked using anonymization services, which, in the flood of e-mails many company employees receive, can quickly be taken for a real message from the boss."

Fraud hardly recognizable

The fraud is often difficult to recognize: a spelling error or a wrong signature does not always help. "The fraudsters' game with confidentiality also makes it difficult for employees to communicate with their colleagues, as they do not want to fall out of favor with the supposed boss."

How susceptible social networks are to "social engineering" was shown years ago by the fictional character Robin Sage, says Schulte. The supposedly attractive woman was present on Internet communication channels such as Facebook, Twitter and LinkedIn for two months in 2009/2010. The result: "300 contacts, some of them high-ranking, from the military and business".

"More and more people can be reached on more and more channels on the Internet," says Schulte. Anyone who has 2,000 or 3,000 friends in social networks can easily lose track of individual contacts. The exchange via certain groups in social networks also poses a risk. Criminals could easily gain access and spy on internal matters unnoticed.

Why social engineering works

The LKA names several reasons why social engineering works: taking advantage of friendliness and helpfulness, obedience to authority, lack of awareness of dangers and lack of security standards. And: "The victims feel taken by surprise and do not want to make mistakes in an unfamiliar situation." Many potential victims are also unaware of "how valuable the information in their possession is". There is no such thing as 100 percent security, but the general rule is: "Be careful with e-mails that come in unsolicited!"