. 2020 Sep 25;3(1):11–21. doi: 10.1016/j.bsheal.2020.09.007

Table 2.

Social engineering hacks.

Social engineering in the cyber-domain | Social engineering targeting the bioscience fields
Pretexts are some of the quickest ways of getting past a company's switchboard and winning its people's trust.
• E.g., via a fake email from a purported colleague who offers ‘help’ with resetting your password, or the security department of your bank alerting you about suspicious activities in your account.
• Pretexting is the basis of social security attacks - in this context “the intentional manipulation of people into performing certain actions and divulging confidential information” [72].
On the pretext of helping to safeguard cyberbiosecurity challenges, attackers could
• Offer a solution to the new cyberbio challenges - which are mainly un-assessed and for which no adequate official solutions exist.
• Masquerade it as an official-looking tool, written in a language that is comprehensible to those interested in applying it.
• Secretly introduce harmful computer code that could enable theft of sensitive information or access to critical CPS based infrastructure components.
Many devastating IT hacks are based on mere deception [62], e.g.
• Fake websites and phishing scams are trying to lure their victims into buying high-demand products such as masks, hand sanitizers or vitamins.
• They may be riddled behind the scenes with malware, (computer) viruses, and ransomware.
The entire life-science field is particularly vulnerable to such psychological hacks promoting fake products:
• There is a great demand for products and services such as research and bioinformatics tools or various model systems.
• Phishing scams may appear to come from official organizations such as the CDC (Centers for Disease Control) or the WHO (World Health Organization); fake websites may masquerade as authentic R&D data providers including preprint servers; newly developed websites registered with catch-phrases such as ‘corona’ may be legitimate sources of information.
• All these may have been maliciously designed to carry out spam campaigns, phishing, or to spread harmful software.
Fake internal contacts (mostly by email):
• Fake HR or IT contacts are often used to steal usernames and passwords.
• The impersonation of HR or IT departments often allows attackers to gain access to sensitive data and information.
If attackers can impersonate HR or IT departments, this could allow them to
• Steal secret R&D data and information.
• Enter the target system to upload malicious cyber programs that could be used to sabotage the physical processes underlying biotechnological systems (Section 2).
• Use stolen credentials to impersonate another user in that network to enable the corruption of environmentally or health-related processes, sensors, or data.
Cyberattacks are not always 100% committed online. Social engineering schemes can allow attackers to hack into large businesses or organizations (exemplified here via the July 2020 Twitter attack [72]).
• The hacker was able to take control of a cell phone number by convincing a carrier to assign a number to a new phone.
• The attacker hacked into Twitter accounts of famous people and organizations. For some of the hacked accounts, the attacker could initiate a password reset, log in to the account, and send Tweets [72].
• The attacker was able to view personal information including email addresses and phone numbers, which are displayed to some users of Twitter's internal support tools [72].
Businesses and CPS networks throughout the bioscience fields are susceptible to analogous attacks via fake phone or email contacts, e.g.
• Attackers could mislead certain employees and exploit human vulnerabilities to hack into the accounts of some employees.
• By using the credentials of only a few hacked employees, attackers may be able to access the internal computer system.
• This knowledge may enable them to target additional employees with access to system management tools.
• These credentials can give them access to internal network tools and enable them to sabotage cyber-based controls of CPS (Fig. 3, Fig. 4).