The risk of Social Engineering
When we talk about cybercrime, most users picture complex malicious code tailored to attack a particular organization. In reality, cybercrime does not always operate this way, mainly because attacks of that kind require a high investment of time and resources.
Most cyberattacks aim to reach the largest number of victims with the least possible investment. To achieve this, one of the techniques preferred by cybercriminals is social engineering.
We are currently witnessing an alarming increase in the sophistication of attacks, particularly supported by the digital exposure of people on personal or professional social networks.
Definition of Social Engineering
Within the context of cybersecurity, the National Institute of Cybersecurity defines social engineering as “psychological manipulation techniques with the aim of getting users to reveal confidential information or carry out any type of action that may benefit the cybercriminal”.
Another possible definition of social engineering could be people hacking.
Among the avenues that attackers use on a regular basis we find phishing (impersonation by email), vishing (impersonation by phone call) and smishing (fraud via SMS), among others.
Today, some companies are stepping up their efforts to raise awareness of phishing attacks. However, many people are still victims of this type of fraud, so it is worth asking what the cause is. There is no doubt that attacks are becoming increasingly sophisticated in terms of content, format, wording, etc., but this is not the only reason.
One of the keys lies in the messages and feelings to which they appeal, since they try to lower the receiver’s guard to prevent their legitimacy from being questioned.
As each person is susceptible to different stimuli or messages, it is essential to know what type of attack they are most vulnerable to and train and educate users based on this information.
Attackers exploit people’s “vulnerabilities”. These vulnerabilities are related to how each of us is (what motivates us) and to our state of alertness (how much we trust our own judgement) at the time of the attack.
How to protect against social engineering?
To protect against this type of attack, it is necessary to know and understand these vulnerabilities and the attackers’ modus operandi, as is traditionally done in the management of technological vulnerabilities (server hardening).
Social engineering attacks use different kinds of messages to reach us. Three common types are based on:
Messages that urge the receiver to respond quickly so that their accounts are not cancelled.
Messages that offer money or another type of benefit in return for taking a certain action.
Messages that promise something novel or attractive so that the victim acts as the attackers want.
Each of these messages triggers a series of mechanisms that take place inside the person who receives them.
In the first place, they generate certain expectations about what will happen if the receiver acts (or does not act) according to the request made. Faced with this consequence, different emotions are activated depending on whether it is positive or negative (anxiety or impatience, for example).
Finally, the behavioral factor comes into play. This is the most interesting stage for attackers, because it is the one through which they achieve their objective. They will succeed if the previous emotion is strong enough to cloud the victim’s judgement so that they never stop to consider that they may be facing a deception attempt. The victim will then act to avoid the negative consequence or to obtain the promised benefit.