The constant evolution of technology also means that cybercriminals have to look for new techniques to get what they want. One of the most effective methods is social engineering.
What is Social Engineering?
Social engineering is a method used by cybercriminals to psychologically manipulate users and obtain confidential information or unauthorized access. They manage to persuade and manipulate people through impersonation or other techniques that we will see below, such as phishing, vishing and smishing.
How does social engineering work?
Social engineering attacks are characterized by direct communication between the attacker and the victim. The attacker works to build trust and persuade the target, and to do so exploits cognitive biases: the predictable shortcuts our brains take, which can be turned against us to deceive us.
Common social engineering techniques:
Appeal to emotions: The cybercriminal puts the victim in a heightened emotional state to push them into rash decisions. They play on emotions such as fear, curiosity, guilt, sadness, etc.
Appeal to urgency: Setting a deadline makes the victim feel they must do what is asked right away, which leaves no room for reflection, so they act without thinking.
Appeal to trust: This is essential to social engineering attacks. The attacker has to gain the victim's trust, and to do so they usually research the victim beforehand so that the details they have gathered can later be used to appear credible.
An example of this method is the phone scam in which the caller impersonates your phone company and recites your own data back to you (ID number, address, full name, even your card number) to "confirm" that it is really you.
Types of attacks based on social engineering:
Phishing: The most common attack, and the one we are all familiar with. It involves deceiving the victim by pretending to be a trusted source. Most phishing arrives as e-mail posing as a trusted entity, for example impersonating your bank or the Treasury, in order to steal information and money.
If you want to learn more about how to detect phishing, you can take this test where practical cases and tips to avoid falling into the trap are presented.
Spear Phishing: A type of phishing that targets specific groups within organizations. The victims are usually people with senior responsibilities in a company, since they are more likely to have access to important assets.
Vishing: A type of phishing carried out by phone call instead of e-mail. These attacks are booming: the cybercriminal impersonates your phone company, for example, spoofing the caller ID so that it looks as genuine as possible, and gains the victim's trust little by little until the victim hands over the information the attacker wants.
Smishing: Also very common, it arrives as an SMS impersonating a legitimate source, such as the post office, a bank, a public institution, etc. These messages usually include a link where the victim is asked to enter important personal data, which the cybercriminal then uses for their own benefit.
Honey Trap: A scam that uses seduction as the means of deceiving the victim. It is common on dating applications: the cybercriminal picks a victim, studies them in order to manipulate them, and builds a relationship with them in order to obtain the information they want or even large sums of money.
Baiting: This technique aims to infect you with malware. The scammer offers the victim something irresistible to get them to bite. The most common form is physical, via a hardware device such as a USB stick left in plain sight, waiting for the victim's curiosity to get the better of them so that they pick it up and plug it in voluntarily. It can also take the form of an e-mail attachment promising a free offer, or of fraudulent freeware.
Quid Pro Quo: The cybercriminal offers the victim a benefit in exchange for information. It relies on the principle of reciprocity: the victim feels indebted and obliged to give something in return. The offer is usually merchandising, discounts or services.
Among others.
How to avoid phishing and other social engineering attacks?
- Be wary. Yes, we know it is not pleasant to be alert and suspicious all the time, but nowadays these attacks are among the most exploited by cybercriminals, so we must take precautions.
- Strengthen your email spam settings. You can apply a stricter configuration so that the mail client filters out malicious messages. You can also create custom filters and add your most frequent contacts to favorites so that you can tell when someone is impersonating them.
- Verify the source and the links. If you receive a suspicious e-mail, pay attention to the sender's e-mail address: is it an official address? Does it contain any spelling mistakes? Does the link really take you to the site it claims to? Is that site really the official website?
- Strengthen the antivirus protection of your devices.
- If you are offered something too good to be true, be wary. Cybercriminals often offer irresistible deals to lure people into the trap. Check first that what you are being offered is genuine.
- Learn about the different types of attacks so that you understand how they work and can detect them more easily.
- Avoid sharing personal data on the Internet. Cybercriminals can use it to gain your trust by pretending to be legitimate.
- Check whether your data has been exposed through breaches of online accounts. You can check it on this website.
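The checks in the list above (who the sender really is, whether a link goes where it claims to, whether the message leans on urgency) can be automated against a raw e-mail. The following script is an added example written for this article, not code from the original post or from any product; it parses a constructed sample message, compares the sender's address domain and every link target against a set of domains the reader trusts (the `TRUSTED_DOMAINS` set and the `examplebank.com` / `examplebank-secure.net` names are assumptions chosen for the demonstration), and reports the mismatches a careful reader would spot by hand.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail). The display name claims to be a
# bank, but the address domain and the link target do not match the text shown.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.net>
To: customer@example.org
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Confirm now:</p>
<a href="http://login.examplebank-secure.net/verify">https://www.examplebank.com/login</a>
</body></html>
"""

# Assumed: the domains the reader actually does business with.
TRUSTED_DOMAINS = {"examplebank.com"}
# Words that signal the "appeal to urgency" described in the article.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels heuristic; a production tool would use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url_or_text):
    """Registrable domain of a URL, or of bare text that looks like a hostname."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    return registrable_domain(parsed.hostname) if parsed.hostname else None


def phishing_indicators(raw_email):
    """Return human-readable warnings for an RFC 822 message given as a string."""
    msg = message_from_string(raw_email)
    warnings = []

    # 1. Sender: is the address domain one we trust, and does the display name
    #    borrow a trusted brand while the address points elsewhere?
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.split("@")[-1]) if "@" in address else None
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sender_domain!r} is not a trusted domain")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower().replace(" ", "") and sender_domain != trusted:
            warnings.append(f"display name mentions {brand!r} but address is {address!r}")

    # 2. Urgency pressure in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        warnings.append(f"subject uses urgency language: {hits}")

    # 3. Links: does the visible text name one domain while the href goes to another?
    body = msg.get_payload(decode=True)
    body = body.decode(msg.get_content_charset() or "utf-8", errors="replace") if body else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = domain_of(href)
        looks_like_host = re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower())
        text_domain = domain_of(text) if looks_like_host else None
        if text_domain and href_domain and text_domain != href_domain:
            warnings.append(f"link text shows {text_domain!r} but points to {href_domain!r}")
        if href_domain and href_domain not in TRUSTED_DOMAINS:
            warnings.append(f"link target {href_domain!r} is not a trusted domain")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the constructed sample, the script reports five findings: an untrusted sender domain, a display name that borrows the bank's name, urgency wording in the subject, a link whose visible text and real target disagree, and an untrusted link target. A legitimate message from a trusted domain with matching link text produces no warnings. The domain heuristic is deliberately simple; for real mail, use the Public Suffix List and look at the message's authentication results (SPF, DKIM, DMARC) rather than the `From` header alone, since the display name and address are attacker-controlled.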
In short, knowing these types of attacks is crucial to staying safe on the Internet; sooner or later, anyone can end up being a victim.
If you want to learn more about cybersecurity, follow us on LinkedIn, where we publish posts that will help you improve your IT security.