Social engineering, or the art of deception, is a far cry from the general concept we have of the word "engineering." Engineering? Aren't they the people who design and build things like bridges, airplanes, or buildings?
The truth is that the term has its origin in the social sciences, where it refers to the efforts of agents of change, such as the media, governments or private groups, whose sole purpose is to influence or shape behaviour through manipulation in order to achieve an objective. In many cases that objective is good, as with awareness campaigns; in many others the purposes are less honest.
Therefore, we can see political parties, marketing and advertising experts or media outlets using social engineering in our daily lives.
What is the use of social engineering in cybersecurity?
Cybercriminals use this technique to trick their victims in order to steal personal data or any other kind of personal information (such as credit card numbers). They take advantage of people's cognitive biases to achieve their goal, which in cybersecurity is to obtain confidential data. A cognitive bias is a distortion in how we interpret the information that reaches us, and it affects the way we process ideas, form opinions and make decisions.
In the following infographic, created by TitleMax and translated by psychologist Cecilia Cores, we can see fifty cognitive biases to take into account to be the best version of yourself. At the same time, these same biases are used by cybercriminals to try to deceive you and fulfill their purpose.
Examples of social engineering in cybersecurity
Psychological manipulation techniques are the means used to carry out an attack on the victim, whether through phone calls, instant messaging, social networks, email, etc. There are many and varied techniques, and as technology advances, cybercriminals refine them in such a way that the victim often does not realize they are being manipulated. In this way attackers can steal our identity and act in our name, but that is not all. Below we present some of the most common social engineering attacks.
1. Spam attack
Spam in our email is the oldest social engineering technique. Every day, when we open our email client, instead of receiving the email we were expecting we see a huge number of unwanted messages, which at first are merely annoying and at best make us waste time deleting them. But the truth is that the vast majority of these emails are intended to get us to perform an action: click on a link, download an attachment, etc., and in this way deliver malware to our device.
2. Phishing Attack
This is the simplest form of cyberattack, but also the most dangerous and effective. It imitates or impersonates the identity of a person or organization, making it easier to get us to click on a link, among other things. There are several types of these attacks, and they can reach us via email, by phone (vishing), or via SMS text message (smishing). We must distinguish here between phishing and spear phishing: the former is not personalized (the criminals attack a large number of people at random), while the latter is a smaller attack targeted individually (at a person, a small group of people, or a specific company).
3. Pretexting Attack
This type of attack is possibly the most difficult to detect, as attackers pretend to be someone else, both on the Internet and social networks, and outside of them. Cybercriminals spy on and investigate the victim in order to create a story or pretext that is credible enough to fool them.
4. Quid pro quo attacks
Quid pro quo means "something for something." In the cybersecurity field, this is another type of social engineering attack: attackers offer something (for example, discounts or gifts) to victims in exchange for certain information or sensitive data. It can be a discount, a gift, or some other consideration. In addition, they often set a time limit for this "exchange," which creates a sense of urgency in the victim, who then makes wrong decisions and gives in to what the attacker asks for in order to obtain the reward immediately.
Example case:
Juan is a manager at a company that has very strict IT security policies to prevent attacks by cybercriminals. As an important person within the organization, he is very aware of cyberattacks and his level of protection is high, so he is a difficult target to reach if we go after him directly.
In this case, all of Juan's friends, family and coworkers are monitored, both online and offline, to identify who is who. Once these tasks have been completed, the cybercriminal will begin his strategy to reach Juan and deceive him.
Thanks to the data obtained in this phase of investigation, we have obtained some email addresses, personal telephone numbers and physical addresses.
We studied all these people, and after gathering a lot of data we know that Juan has a weakness for comic book characters, a fact that very few people know and that we obtained thanks to social engineering. At this point, with this information, our success rate is high.
One day, Juan receives a supposed email message from “Comikx Figures”, a company that sells figures of comic book characters.
What Juan doesn't know is that someone is impersonating this company and their intentions are not good at all. After a few days and having trusted these emails, Juan receives an offer that he can't pass up: the Darkseid #1 figure from 1970, an essential fetish for this type of collector.
Having gained his trust, Juan clicks on the link in the body of the email. From that moment on, he is in the hands of the cybercriminal. Whatever happens next is no longer in Juan's hands and could be catastrophic for the company he works for and even for his personal life. You can imagine the consequences.
How do we prevent social engineering attacks?
You may be surprised, but the best way to avoid attacks of this type is to use common sense.
In a world as fast-paced as today's, it is easy to open an email in a hurry. So, in addition to configuring our email client well to block as much spam as we can, we should spend a few seconds before opening any email to make sure it comes from a reliable source. Yes, to protect ourselves, it is best to be distrustful.
Another measure we can adopt, regardless of the operating system we use, is an antivirus, which will help us identify malicious software, among other things.
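As an added example that is not part of the original article, the following Python script shows the kind of "is this really from a reliable source?" check a mail filter can automate: it parses a message and flags the signs seen in the Juan story (lookalike sender domain, mismatched Reply-To, failed SPF/DKIM/DMARC results, urgency in the subject). The sample message and the partner domain list are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the original article): a lookalike-domain
# sender impersonating the fictional "Comikx Figures" shop from the Juan example.
SAMPLE_EMAIL = b"""From: Comikx Figures <offers@comikx-figures.example>
Reply-To: collector-deals@mail-relay.example
To: juan@company.example
Subject: Limited offer: Darkseid #1 figure, 24 hours only!
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=comikx-figures.example; dkim=none; dmarc=fail
Content-Type: text/plain

Claim your figure now: http://comikx-figures.example/claim
"""

# Assumed allow-list: domains the company genuinely does business with.
KNOWN_SENDER_DOMAINS = {"comikx.example"}

def domain_of(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])

    if from_domain and from_domain not in KNOWN_SENDER_DOMAINS:
        warnings.append(f"sender domain {from_domain} is not a known partner domain")
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Lookalike check: a known brand name embedded in an unknown domain.
    for known in KNOWN_SENDER_DOMAINS:
        brand = known.split(".")[0]
        if brand in from_domain and from_domain != known:
            warnings.append(f"{from_domain} looks like the known domain {known}")
    # Authentication-Results is added by the receiving mail server, not the sender.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=none" in auth:
            warnings.append(f"{mech} check did not pass")
    # Urgency language is the quid pro quo "time limit" trick from the article.
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in ("only", "now", "urgent", "limited", "expires")):
        warnings.append("subject uses urgency language")
    return warnings
```

Any non-empty result is a reason to pause before clicking, but the allow-list and keyword list are deliberately simple and should be tuned to your own environment.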
Raising awareness through training people inside and outside the workplace is one of the best ways to mitigate social engineering attacks. We recommend our Cybersecurity course where you can put into practice all the concepts we have talked about in this article.