Think wrong and be right.
In the field of cybersecurity, one of the most widely used phrases, especially when the aim is to raise awareness about cybercrime, is the following: “In security, the user is always the weakest link.” This is borne out by how successful social engineering attacks, which take advantage of our weaknesses, turn out to be. Why break down the armored door when you can trick someone into handing you the key? In this article we look at the ways attackers exploit this great vulnerability: the human being.
What is social engineering?
A large number of attacks fall within the category of social engineering, but what do we mean when we talk about it? Social engineering is the set of practices that, through the manipulation of users, allow a specific objective to be met. Usually the attacker intends to trick the user for one of the following purposes:
• Obtain confidential information.
• Commit fraud.
• Obtain illegitimate access to the victim’s device.
Social engineering attacks are very present in our day-to-day lives because they are easy to carry out, there is a high probability that someone falls into the trap, and the potential reward is large.
Although the term social engineering only came into use in the 1980s, scams and deceptions have occurred throughout history, always based on the following principles:
• People want to help.
• People do not like to say no.
• We trust those who speak to us in a friendly manner.
Traditional scams such as “the stamp” (la estampita), which passed off newspaper clippings as legitimate, or the “tocomocho,” which deceived the victim into buying supposedly winning lottery tickets that were actually counterfeit, are some examples.
With the appearance of new technologies, deception also evolved, as in the case of the “Nigerian scam.” In this type of scam, a user received an email, usually in the name of a millionaire, a distant relative or a wealthy Nigerian prince, in which a large inheritance was offered. To access it, the victim first had to pay a small amount in taxes or fees. Once the amount was paid, the scammer disappeared with the money.
However, today much more sophisticated techniques are used to make people fall into the trap. Here are the most interesting ones.
Phishing
Known to everyone, phishing is undoubtedly the most popular form of cybercrime. In this attack, the scammer pretends to be a trustworthy company or person who, through an “official” communication (usually an email), asks the user for specific personal information. Normally these emails contain a fraudulent link that leads to a copy of the organization’s website. Once the victim enters their data in the form, the attack has paid off. Gone is the Nigerian prince nobody had heard of, whose very strangeness made you suspicious: phishing attacks now imitate the emails and websites of trusted entities very accurately.
Malicious USB drives
Imagine that you find a USB drive on the street. These small devices have become a tool that everyone uses every day, so picking one up off the ground can look like a small saving. However, a new type of social engineering attack is becoming popular, in which the scammer leaves several memory sticks in a visible area in the hope that potential victims will plug them into their personal devices. Once connected, these drives attack the user’s computer, either by running malware or by stealing the passwords stored on it.
Malicious QR codes
Similar to email phishing, the attacker tries to trick users into scanning a QR code with their mobile phones. An example would be an advertising poster that imitates a company (logo, corporate colors, etc.) and invites employees to enter a prize draw for a trip by scanning a QR code. Once the victim accesses the malicious link, they find a fraudulent form, or a message asking them to download a mobile application to take part in the raffle, among other variants. In any case, all the data the user enters ends up in the hands of the attackers.
Fraudulent charging points
Our smartphone has become an extension of our body, so our biggest fear is running out of battery in the middle of the day. Luckily, charging points are starting to appear in various public places (metro stations, buses, restaurants) where we can plug in our device and escape the dreaded red battery indicator. However, an attacker may have hidden a device in the charging point that exchanges data with our phone and steals the data we have stored on it.
Fraudulent or vishing calls
This is one of the simplest fraud mechanisms. The attacker calls the victim posing as someone from the technical service of their company or bank, and tells them that there has been a serious error in the system and that their credentials are needed to fix it. This method is surprisingly effective, especially considering its simplicity: as we mentioned before, people are always willing to help in difficult situations.
How do I protect myself?
Even though we are the weakest link, we are not helpless. The best weapon against fraud is skepticism. Whenever something seems suspicious, it is better to be suspicious, whether it is an unexpected email requesting personal data, a web page with a different address than usual, and so on. It is important to pay attention to any signal that sets off our alarm and to avoid handing over our personal data. Above all, distrust that distant relative who writes an email offering a large sum of money in exchange for paying the fees. I’m sure they don’t exist.
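A check in the spirit of the advice above (a web page with a different address than usual) and of the phishing section earlier, as an added Python example that is not part of the original article: it lists every link in an HTML email whose real destination is not the domain the message claims to come from. The domain mybank.com and the email body are constructed for illustration, and the two-label domain rule is a deliberate simplification that ignores public suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "mybank.com"  # hypothetical domain the message claims to come from

# Constructed sample of an HTML email body: one genuine link and two fraudulent ones.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="https://www.mybank.com/help">Help centre</a>
<a href="https://mybank.com.account-verify.net/login">Log in to mybank.com</a>
<a href="http://198.51.100.7/secure">https://www.mybank.com/secure</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude last-two-labels rule (no public-suffix list): 'www.mybank.com' -> 'mybank.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_links(html_body, trusted=TRUSTED):
    """Return (href, reason) for each link that does not really lead to the trusted domain."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) == trusted:
            continue  # genuinely on the trusted domain; any subdomain is fine
        if trusted in host:  # e.g. mybank.com.account-verify.net
            findings.append((href, "trusted name embedded in a different domain"))
        elif trusted in text.lower():  # text shows the bank, href goes elsewhere
            findings.append((href, "visible text shows the trusted domain but the link goes elsewhere"))
        else:
            findings.append((href, "link leaves the trusted domain"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the second and third links and leaves the genuine help-centre link alone.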