The risk of Social Engineering
When we talk about cybercrime, most users picture complex malicious code tailored to attack a particular organization. In reality, cybercrime doesn’t usually operate this way, mainly because such targeted attacks require a high investment in time and resources.
Most cyberattacks focus on targeting the largest number of victims with the least investment possible. To achieve this, one of the techniques preferred by cybercriminals is social engineering.
We are currently witnessing an alarming increase in the sophistication of attacks, particularly supported by the digital exposure of people on personal or professional social networks.
Definition of Social Engineering
Within the context of cybersecurity, the National Institute of Cybersecurity defines social engineering as “psychological manipulation techniques with the aim of getting users to reveal confidential information or carry out any type of action that may benefit the cybercriminal”.
Another possible definition of social engineering could be “people hacking”.
The problem
This type of attack has a great impact, since employees are the ones who have access to internal information. Social engineering attacks therefore not only lead to the direct losses associated with the attack itself, but in many cases also to serious reputational damage and loss of intellectual property.
For this reason, the effort to raise awareness of phishing attacks is increasing today. However, many people continue to be victims of this type of fraud. In the 2020 Ponemon Institute report, 69% of the companies surveyed in the United States claimed to have suffered at least one spear phishing attack in the previous year, as did 58% of the EMEA participants.
Given the frequency and impact of these types of incidents, one wonders what the cause is. There is no doubt that attacks are becoming more and more sophisticated in terms of formatting, writing, etc., but this is not the only reason. One of the keys lies in the messages and feelings to which they appeal, since they try to lower the receiver’s guard to prevent them from questioning the legitimacy of the message received.
To do this, cybercriminals have a powerful arsenal of social engineering techniques aimed at exploiting people’s vulnerabilities. These vulnerabilities are related to our personality, our motivations and our state of alertness (how relaxed we are) at the time of the attack.
Current technological solutions, focused on protecting computer systems, can do little to mitigate these types of risks.
Among the techniques that attackers use on a regular basis, we find phishing (via email), vishing (via phone call) or smishing (via SMS), among others.
Attackers exploit people’s “vulnerabilities”.
How to protect ourselves from social engineering?
To protect against this type of attack, it is necessary to know and understand these vulnerabilities and the attackers’ modus operandi, as is traditionally done in the management of technological vulnerabilities (server hardening).
Attackers use different kinds of messages to carry out a social engineering attack, for example:
Based on fear
These seek to threaten the victim, for example with the cancellation of a service if the steps specified in the email are not carried out.
Based on authority
The aim is to get the victim to act as requested by appealing to a sense of duty, as occurs with CEO fraud.
Based on curiosity
These try to arouse the victim’s interest through eye-catching titles and messages.
Each of these messages triggers a series of mechanisms that take place inside the person who receives them. In the first place, they generate certain expectations about what will happen if the potential victim acts (or not) according to what is requested. In this way, different emotions are activated depending on whether the expected consequence is positive or negative (anxiety or impatience, for example).
All this leads to a series of behaviors. The determining factor in whether the victim acts in accordance with the attacker’s objective is whether the emotion triggered is strong enough to cloud their judgement, so that they never stop to consider that they may be facing a deception attempt.