When we hear the term “cybersecurity”, the first thing that usually comes to mind is the security of devices and networks: antivirus, firewalls, data encryption…
The human factor is often forgotten or, at best, relegated to the background. However, studies indicate that more than 90% of security incidents involve the human factor in one way or another.
Although organizations are increasingly aware of this, the truth is that current efforts are not enough, as we witness new security incidents every day. The vast majority are due to errors by employees who have no malicious intent, with deception through social engineering playing a particularly important role.
Social engineering: a little-known concept
Although the concept has only become widespread relatively recently, its high frequency and impact should put it on our radar. Social engineering is nothing more than an attempt to manipulate people into acting in a certain way: clicking on a link, downloading a file, providing their credentials, making transfers… anything, as long as the attacker can profit from it.
Although phishing is the best-known case, we should not overlook others such as vishing or smishing, or even those that require face-to-face interaction with the victim.
In addition, it is important that we bear in mind that we can all become victims of an attack of these characteristics, whether in our personal lives or at work (and yes, this also includes those who do not work with sensitive information).
Anyone can receive an e-mail with an attachment intended to hijack files on the corporate network, a call asking for the person in charge of another department, or come across an infected USB drive.
Some notable cases
The attack that Mapfre suffered in the summer of 2020 is a clear example of how the security of an entire organization can be compromised with just one e-mail. According to the most probable hypothesis, the incident began with a phishing campaign. One of the employees fell victim to the scam, instantly compromising her credentials and allowing the attackers to gain access to systems and continue with their plan. In the end, it was the execution of ransomware that made the company aware of the incident, a file that was deployed after several failed attempts to extract information by other methods.
Zendal was also not safe from cybercriminals the year the pandemic began. Through various e-mails in which both the financial manager's superior and the auditors the company was supposedly working with were impersonated, the attackers obtained an exorbitant sum of money, in what is commonly known as CEO fraud. Because of this, the employee did not suspect the various transfers he was being ordered to make until he noticed the company's lack of liquidity. By then, however, 9 million euros had already been swindled.
The State Public Employment Service of Spain is another institution that has recently been hit by cyberattacks. In March 2021, the Ryuk ransomware spread across the organization's workers' devices, blocking much of the service and encrypting information. Although the details of what led to the success of this attack are unknown, several malicious files seem to have appeared in various folders on the shared drive. Whether they got there by the direct hand of the cybercriminal or because an employee clicked where they shouldn't have, the truth is that the program would not have wreaked havoc if no one had executed it from within as a result of negligence.
Another case detected a few months ago is the mailing of infected USB drives to US companies. The devices are supposedly a gift from Amazon or the US Department of Health and Human Services, but nothing could be further from the truth: in fact, they are sent by cybercriminals who seek to infect computers with ransomware as soon as the devices are plugged in.
And, fresh from the oven, we find an attempt to impersonate WeTransfer, the well-known file-sharing website. The criminals send e-mails containing what is supposedly a court summons from a law firm for having infringed a trademark registration. By inducing fear in the victim, they get them to download the supposed summons through a fraudulent page that, although it resembles WeTransfer, is actually designed to steal their access credentials.
It is also important to keep in mind that these types of attacks are not only carried out in the organizational sphere. The Microsoft scam is one example. It is an attack delivered through a phone call (vishing) in which criminals pose as employees of that company. Under the pretext of helping us solve a problem on our computer, they ask us to download a remote-control application so that they can manage it directly. However, the moment we allow their access, we are compromising the security of all the information stored on our device. This includes the accounts we are logged into and any other documents we may have.
How do we address this?
Just as we install technological barriers on our devices and networks in order to reduce these threats, people must also build barriers and become human firewalls.
This requires comprehensive awareness. It is not enough to know how to manage our passwords properly or how to keep our workplace in order. We also need to know the different attack vectors we may encounter and how to detect them. As mentioned before, phishing is probably the most frequent, but awareness should not stop at this type of scam, as has been seen in the case of baiting in the United States or vishing in the case of the alleged call from Microsoft.
Just as machines have their vulnerabilities, so do humans. This does not go unnoticed by cybercriminals, who seek to exploit them to maximize the success of their attacks. Knowing what these vulnerabilities are, and which ones predominate in each of us in particular, will help us stay alert and detect deception attempts that could have serious consequences.