“Honey, I’m at the notary and my debit card is not working, can you transfer money?” Always be careful when you get this message. It might not be your partner, but a cybercriminal. For example, dozens of people recently lost millions of euros through phishing fraud at the online bank Bunq. In what ways can you become a victim of social engineering? And how can you resist it? In this column, we put these – and other – questions to expert Patrick Jordens. He is the director of Trusted Third Party (TT3P): a Dutch company specializing in cybersecurity. TT3P helps companies better protect themselves against, among other things, hackers taking company systems hostage or unlawfully obtaining data.
Patrick Jordens
Patrick Jordens (b. 1969) is an entrepreneur with a heart for digital security. He is the director of Trusted Third Party and founder of DMCC Group, which helps organizations comply with all external laws and regulations, and internal policies in the field of privacy and consumer law. He is also a guest lecturer in marketing, data privacy, and ethics at the Hogeschool van Rotterdam.
What exactly does social engineering entail?
“Social engineering is all about manipulating individuals to achieve something. A cybercriminal tries to gain their victim’s trust and convince them to disclose confidential information. They often pretend to be someone else. Consider, for example, a chat conversation on Linkedin, or an email from a ‘colleague.'”
What role does AI play in this?
“With the advent of ChatGPT, as well as with AI voice generators, it is becoming increasingly easy for criminals to impersonate someone else. A 15-year-old boy can use ChatGPT to compose a credible e-mail more easily than ever. And the same goes for criminals from Russia or China. By the way, ChatGPT won’t just write a phishing email for you. But if you say you’re a cybersecurity trainer who wants to discuss a phishing email, you’ll still get it done. The technology to mimic voices with AI is also well-advanced. You can get a call from your ‘mother’ asking for money and then it just seems real.”
So phishing emails are a form of social engineering?
“They are related concepts. Social engineering is used in phishing emails. Criminals send mass emails out the door and cause you to stress, for example, by saying your computer security is out of date, only to have you click on a link. The vast majority of cyber attacks start with phishing. These kinds of emails are getting better and better, by the way. Sometimes I have to look three times myself before I know if I’m dealing with phishing.
As soon as someone clicks on a wrong link in the mail, the hacker gains access. He often does not make himself known immediately and first quietly starts looking around in the system of an individual or company. Then again, plenty of social engineering takes place. He seeks contact with employees trying to find out which colleagues are in contact with each other, and whether he can, for example, send an e-mail in the name of the director to the finance department. If you’re unlucky, the criminal carries out a ransom attack. Then your whole system is down.”
Some statistics
The number of phishing attempts on companies has increased tenfold in just one year, according to research by KPN. Where previously 4% of Dutch companies were victims of phishing, it is now 24%. Almost half of the business owners admit they are not well prepared for cyber-attacks and phishing.
Do you have any tips so people can better resist social engineering?
“Above all, it is very important to be thoughtful and not just transfer money or exchange data. Regarding phishing emails, there are a number of things to watch out for. For example, always look carefully at the sender’s e-mail address. Maybe there is a “typo” in the name. Sometimes there are other details that give it away. If cybercriminals were to write an email on my behalf, they would look on my LinkedIn for the job title listed: ‘founder.’ Then you get an email with “Yours sincerely, Patrick Jordens, founder of TT3P,” even though that job title is unusual for email correspondence.
I can’t stress it enough: companies need to invest in cyber security. Not only by securing their systems but also through staff training. That way, employees learn what phishing emails look like and what new techniques are on the market.”