Social engineering - cybercrime or not?

[Father]

Social engineering is an insidious and manipulative art that can penetrate the most protected areas of our lives. However, how justified is it to call it a cybercrime? On the one hand, social engineers use psychological techniques and deception to gain access to confidential information and commit criminal acts. On the other hand, they reveal weaknesses in security systems and help improve their protection. Today we will look at aspects of social engineering and find out whether it is villainy or just the art of survival in the digital age.

What is social engineering and how does it work?​

Social engineering is different methods of manipulating people to obtain confidential information or encourage them to perform a targeted action. All methods of social engineering are based on the properties of the human psyche and the use of weaknesses. For example:

• instilling fear that disables critical thinking;
• creating a situation where a decision needs to be made very urgently;
• fear of losing money .

Using such methods to get important information is much easier than trying to find a vulnerability in a service or software.

Attacks using social engineering tools usually consist of two stages. First of all, scammers conduct research on their intended victim in order to collect all the necessary information. At this stage, the attacker tries to gain the victim's trust. After successful attempts to establish "good" relations, the criminal uses various tricks to get confidential information from the victim-passwords, CVC/CVV, access to accounts.

Social engineering is not a crime​

There is an opinion that social engineering cannot be considered a full-fledged type of cybercrime, since it is not related to the use of computer systems or networks to commit crimes. Instead, it focuses on manipulating people to gain access to their confidential information or perform certain actions. Although some forms of social engineering can be used in conjunction with cyber attacks, they are still separate types of criminal activity.

Vladimir Aryshev
STEP LOGIC Integrated Information Security Project Expert

Claiming that social engineering is cybercrime is like saying that a hammer is a murder weapon. Social engineering is often used by attackers at the initial stage of an attack, as one of its components, and in itself is not a crime. The crime will be an illegal action that will be committed through the use of social engineering.

Social engineering can even be beneficial. For example, it promotes the development of technical solutions and innovative approaches for protecting personal information and ensuring network security. It shows possible scenarios of fraud and deception, which helps to increase the level of information literacy of people and strengthen their protection against cyber threats.

Nikolay Senichev
Executive Director of CREDO-S Group of Companies

By themselves, social engineering methods cannot be unambiguously classified as cybercrime. Social engineering is a tool that can be used by both cyber defenders and cybercriminals. In unscrupulous hands, they turn into weapons and harm those against whom they are directed.

A classic example is phone fraud, which is based on the criminal's knowledge of the victim's personal data. In our practice, there were cases when using social engineering methods, attackers were forced to provide a password from the personal account of a mobile operator. Then they set up forwarding to their phone number, and then used it to get access to the banking app's personal account. And then-they issued loans and withdrew funds from the victim's account. Fortunately, the consequences are not always irreversible for the victims. In some cases, with the help of cybersecurity experts, they manage to defend their interests in court.

The study of social engineering and related attacks helps to change existing laws and regulations in the field of cybersecurity in order to better regulate the field of information security and punish cyber fraud. This approach helps ensure greater security on the Internet.

Kai Mikhailov
Head of Information Security at iTPROTECT

The use of social engineering techniques is more akin to fraud than cybercrime. However, they are often used in conjunction with tools, such as installing malware or luring out access data. The latter is just a cybercrime, but it can be committed without social engineering methods. For example, a company's website may contain files that can't be found through search, but they are accessible via direct links, without the need for any authentication. The average user may not know this, but a specialist with proper skill will have access to this information. This is akin to an outsider entering a house with the front door open. Just because it's open doesn't give you the right to enter. The same principle applies to information security.

In addition, for a crime to become a crime, it must be identified, identified,and punished. This is not always possible with social engineering methods. Therefore, information security specialists often consider social engineering not a cybercrime, but a tool that attackers can use for illegal purposes.

Why social engineering can be considered a cybercrime​

Social engineering can be considered one of the most dangerous types of cybercrime, despite the fact that it is not always defined as such. Unlike other forms of cybercrime, where the focus is on various hacking techniques and threats to information security, social engineering involves the use of psychology and manipulation to obtain sensitive information or access sensitive data.

Dmitry Ovchinnikov
Chief Specialist of the Integrated Information Security Systems Department of Gazinformservis

According to the Criminal Code of the Russian Federation, the use of social engineering methods to obtain illegitimate access to information is considered the same cybercrime as the use of technical means. From the point of view of the law, there is no difference in how exactly the attackers stole or obtained unauthorized access to the data. At the same time, many people simply forget that the whole art of hacking began with the methods of applying social engineering. And only with the development of operating systems, programming languages and increasing availability of personal computers and the Internet, hackers have firmly entered the use of software and technical elements for hacking.

In the digital age, when most of our personal, professional and financial data is stored and transmitted through computer systems, social engineering has become a very common and relevant type of cybercrime. In 2022, the number of crimes committed using social engineering methods in Russia increased by 40%.

Dmitry Pudov
CEO of NGR Softlab

Another argument in favor of the fact that this type of fraud is still a cybercrime can be called the international practice of insurance companies. If earlier the insurer could refuse coverage in case of losses due to an attack using social engineering, now crime policies increasingly include compensation points for such damage by default.

The practice of Russian courts, when phone fraudsters receive real sentences under criminal articles, also demonstrates that the use of social engineering methods is a criminal act. If such methods were used for malicious actions in the digital space, then they can safely be called cybercrime.

One of the most common tactics used by social engineers is phishing. This method consists of sending false emails or creating fake websites that look like official or trusted sources. In such cases, the victim, thinking that he is communicating with a reliable source, provides his usernames, passwords or financial data, which can later be used by attackers for their own selfish purposes.

Ivan the King
Developer of the Anwork business communicator

Social engineering tools are used everywhere not only by businesses to solve work tasks, but also by ordinary users in everyday matters: calling colleagues, relatives, acquaintances, making wholesale purchases and everyday purchases, sending data of various directions, etc. However, the use of social engineering methods used by malefactors to manipulate people in order to obtain confidential information, access bank cards and accounts, and blackmail is certainly a violation of the legislation of the Russian Federation and other countries. Phishing, fraud, fake calls to deceive people or introduce malicious software into their devices to collect and steal information are carried out through social engineering technologies.

Social engineering is also widely used in the field of hacking computer systems. Attackers can fake incoming information to gain access to secure systems or secret data. They use various deception techniques, such as sending fake emails posing as important members of the organization to persuade employees to provide them with information or install malware on their computers. For example, recently there was a story when a medical official received a letter from the supposedly Deputy Minister of Health. And then the false minister called herself and, according to tradition, tricked the official into transferring 2.3 million rubles to fraudsters. But it was the letter, designed according to all the rules of official document management, with seals and signatures, that played the main role here.

Thus, social engineering is a form of cybercrime because it poses a security threat. It requires perfect skills and an understanding of psychology to successfully manipulate people and get the desired information.

Dmitry Pudov
CEO of NGR Softlab

Information security experts often refer to social engineering as a manipulative attack using non-technical methods. In other words, the attacker manipulates the victim with the ultimate goal of circumventing the security settings or protocols of the organization's business processes and then performing malicious actions. In addition, some types of fraud, such as phishing and especially targeted phishing, already involve the use of social engineering.

Another argument in favor of the fact that this type of fraud is still a cybercrime can be called the international practice of insurance companies. If earlier the insurer could refuse coverage in case of losses due to an attack using social engineering, now crime policies increasingly include compensation points for such damage by default.

The practice of Russian courts, when phone fraudsters receive real sentences under criminal articles, also demonstrates that the use of social engineering methods is a criminal act. If such methods were used for malicious actions in the digital space, then they can safely be called cybercrime.

Therefore, although social engineering may not involve direct attacks on the system or the use of technical resources, it is still a form of cybercrime that requires punishment and more effective protection measures.

Summing up​

Social engineering can be treated differently, considered or not considered a cybercrime, but the main thing remains one - the use of psychological mechanisms by attackers to achieve their own goals and objectives. This is illegal manipulation, and it doesn't matter whether it results in money being transferred to a fraudster's card, company security data being transferred, or personal photos being leaked to the network. And it is necessary to fight social engineering not only at the legislative level, but also personally — through increasing the level of digital hygiene and awareness.