Cybersecurity & IT Solutions | ESED

What is social engineering and how to protect yourself: Complete Guide

Written by Eduard Bardají | Nov 9, 2023 11:27:20 AM

What is a cybercriminal's main objective when attacking a company or an individual? Usually to obtain confidential information, data whose disclosure would damage the organization's or the person's reputation, and then demand payment in exchange for not publishing it.

That is not the only consequence of such attacks. For a company, a cyberattack means not only financial loss but also damage to its brand image and reputation, and with it the loss of its users' trust.

To carry out these attacks, cybercriminals rely on techniques such as social engineering.

What is social engineering?

Social engineering is a manipulation technique used by cybercriminals to deceive people into taking actions that expose their data (banking details, confidential documents or reports, passwords and so on) so that the attacker can steal it.

What are the objectives of social engineering?

Social engineering is used to manipulate, influence or blackmail users into performing specific actions or revealing confidential information. Rather than exploiting a technical vulnerability or a flaw in a computer system, it exploits the person operating it: the attacker talks their way in, and any credential theft or malware that follows rides on that initial deception.

This practice is carried out to achieve various objectives:

  • Obtaining confidential information: the main goal of social engineering is to acquire passwords, credit card numbers and other valuable data. The usual technique is impersonation: posing as a bank, a supplier or a colleague the victim already trusts.

  • Unauthorized access to third-party systems or networks: the aim is to persuade users to disclose their credentials so that the attacker can log in as if they were an authorized user, which makes the intrusion much harder to detect than a technical break-in.

  • Propagation of malware: as mentioned, social engineering seeks to influence or manipulate users, so cybercriminals may use it to persuade a user to download a file or click a link that delivers malware, which then executes inside the IT infrastructure.

  • Economic objectives: cybercriminals can employ social engineering for scams or financial fraud, for example by convincing an employee to make a transfer to an account the attacker controls.

  • Damage a corporation's reputation: Social engineering can also be used between companies in the same sector to harm the reputation of one of them.

However, social engineering is not only used for malicious purposes by cybercriminals; it can also be an ally for cybersecurity.

Social engineering as a cybersecurity method

In the field of cybersecurity, specialists use social engineering to assess an organization's susceptibility to attack, targeting both the human side (employees) and the technical side (IT infrastructure).

Some uses of social engineering in cybersecurity:

  • To prevent and raise awareness: employee training is the key to not falling into the traps set by cybercriminals using social engineering. Companies and their staff must know the threats they are exposed to so that they can recognize and avoid them in time.

  • For the creation of security policies and procedures: companies should establish robust policies and procedures that include measures such as two-factor authentication, periodic review of access permissions, and monitoring of suspicious activity.

  • For penetration testing and risk assessment: companies can conduct penetration tests and risk assessments to identify weaknesses in their systems and procedures, including how vulnerable they are to a social engineering attack.

  • To enhance system security: analyzing weaknesses through social engineering gives a different perspective on corporate security. We often concentrate on the technical vulnerabilities of a system and overlook the mistakes employees can make, which are a gateway for malware into a company. Testing from this angle shows which of the applications and programs users rely on for their daily work the deception passes through, and therefore where new security measures are needed.

Like any other technique, as you can see, social engineering can be used for both illicit and legitimate purposes.

Devices or means through which social engineering can be carried out

Social engineering is used to violate people's privacy in personal, governmental and corporate settings. Various channels can be used to persuade or manipulate a user:

  • Email

  • Phone

  • SMS

  • Social media

  • Removable media, such as a planted USB drive (see "Malicious devices" below)

Types of social engineering and examples

Phishing

Phishing is one of the types of social engineering most used by cybercriminals because it is cheap to run at scale and highly effective.

These attacks are usually sent by email. The attacker impersonates an organization, brand or individual to persuade the recipient to download a file or click a specific link. The link typically leads to a fake login page that captures the credentials the victim types in, or the attachment executes malware on the victim's computer, giving the attacker a foothold in the system.

Spear Phishing

Spear phishing, instead of the mass, indiscriminate sending of generic phishing, targets specific individuals, companies or organizations to obtain specific information, usually financial, military or intellectual-property data. The message is tailored with details about the target gathered beforehand, which makes it far more convincing than a generic lure.

These attacks are also carried out through email.

Vishing

Vishing is not very different from phishing; the only thing that changes is the channel through which it is delivered.

Vishing refers to fraud carried out over phone calls with the aim of obtaining personal data, especially banking details. The caller typically pretends to be the victim's bank, a government agency or technical support, and may spoof the caller ID to match.

Social engineering through social media

This involves creating a fake profile on social media. The profile typically impersonates a well-known brand or company and messages users to obtain their data, for example under the pretext that they have won a giveaway. Another method is creating fake personal profiles to gain users' trust over time.

Pretexting

This involves creating a false scenario in which the victim feels compelled to cooperate. For example, a scammer may pose as a police officer or as an auditor from an organization to intimidate someone into sharing confidential information.

Baiting

Attackers using this technique offer the victim something desirable, such as a gift, a prize or a free download, in exchange for confidential information or for opening a file that carries the payload.

We asked ChatGPT to draft a sample email with a persuasive message.

Watering hole attacks

This type of attack occurs when a cybercriminal compromises a website that the intended targets visit regularly, so that the legitimate site itself delivers the exploit or a fake login prompt. The goal is to steal login credentials or to gain a foothold on the users' network without sending the victims anything directly.

For example:

  • In December 2012, attackers carried out a watering hole attack by planting an exploit for a zero-day vulnerability in Microsoft's Internet Explorer 8 on a legitimate website their targets visited.

  • In 2015, the French television network TV5Monde fell victim to a watering hole attack. Attackers exploited a vulnerability in a third-party web application to gain access to the network's systems. Once inside, they deleted data, hijacked accounts, and disrupted TV5Monde's programming for over 17 hours.

Malicious devices

Cybercriminals prepare a device, such as a USB drive, so that when it is plugged into a target computer it runs a payload or collects data. This form of social engineering is less common today than email-based attacks, since file sharing has largely moved to the cloud, but a dropped drive still delivers its payload the moment a curious employee plugs it in, so restricting or blocking removable media remains a worthwhile control.

How to prevent social engineering attacks

Some recommendations to protect yourself from this type of threat:

  • Is someone asking for personal or confidential information by email or social media? Be cautious: legitimate organizations do not ask for credit card numbers, passwords or other confidential data through those channels, and sharing them is the quickest way to lose control of your accounts.

  • Verify the identity of whoever is contacting you: do not share personal information without first confirming who is asking, using a channel you already trust (the number on the back of your card, the company's published website) rather than the contact details given in the message itself. It could be a case of impersonation.

  • Be careful about what you share on social media: social media has become a showcase of who a person is, what they do, who they are with, what they like. Cybercriminals gather this information to approach you in a way that seems legitimate and raises no suspicion.

  • Be alert to emails: tempting subjects, an unknown sender, a request for information that is normally handled by someone else, spelling mistakes, letters replaced by look-alike characters or digits (a 1 in place of an l in the sender's domain, for example)... any of these can be a sign of phishing. Before downloading a document or clicking a link, hover over the link to see where it really goes and make sure the message comes from a source you trust.

  • Use two-factor authentication (2FA): 2FA adds an extra layer of protection, an additional step that confirms it is really you accessing the account and not an unauthorized third party. Note that a one-time code typed into a phishing page can be relayed to the real site within the same time window, so where possible prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which only work on the genuine domain.

  • Conduct security awareness tests: run simulated social engineering attacks in your organization to assess how prepared employees are and to target their training.

  • Have a strong cybersecurity strategy and policies: cybersecurity policies are the set of best practices a company follows, outlining the plans, procedures and processes that determine how the organization protects its information. Their main goal is to preserve the confidentiality, integrity and availability of information so that business activity can continue.
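The indicators in the "Be alert to emails" recommendation (a look-alike sender domain, pressure language in the subject, a link whose visible text does not match its real destination) can be checked mechanically before a message reaches a user. The following Python script is an added example written for this article, not ESED's code or part of any product; it assumes a short list of trusted domains, a small table of confusable characters and a single-part HTML message, and both sample messages are constructed for the demonstration.

```python
"""Heuristic triage of a raw email for common phishing indicators (added example)."""
import email
import ipaddress
import re
import unicodedata
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"bank-example.com", "example.org"}

URGENCY = re.compile(r"\b(urgent|immediately|suspended|act now|verify)\b", re.I)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Characters commonly substituted for Latin letters in look-alike domains.
# Assumption: a real filter would use the full Unicode confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "1": "l", "0": "o"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_domain(domain):
    """Lower-case a domain and map confusable characters to the letters they imitate."""
    domain = unicodedata.normalize("NFKC", domain.lower().rstrip("."))
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def registrable(host):
    """Last two labels of a host; assumption: production code consults the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    folded = fold_domain(domain)
    closest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(folded, t))
    return closest if edit_distance(folded, closest) <= 2 else None


def host_of(url):
    """Host name of a URL, tolerating a missing scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").rstrip(".")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return (indicator, detail) pairs found in the message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike-sender", f"{sender_domain} imitates {imitated}"))
    if URGENCY.search(msg.get("Subject", "")):
        findings.append(("urgent-subject", msg["Subject"]))
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumption: single-part HTML body, no transfer encoding
    for href, text in collector.links:
        href_host = host_of(href)
        try:
            ipaddress.ip_address(href_host)
            findings.append(("ip-link", href))  # a bare IP instead of a brand's domain
        except ValueError:
            pass
        if URL_LIKE.fullmatch(text):  # visible text looks like a URL: does it match the real one?
            text_host = host_of(text)
            if registrable(text_host) != registrable(href_host):
                findings.append(("link-mismatch", f"shows {text_host}, goes to {href_host}"))
        imitated = lookalike_of(registrable(href_host))
        if imitated:
            findings.append(("lookalike-link", f"{href_host} imitates {imitated}"))
    return findings


# Constructed sample: a bank impersonation with a digit-for-letter sender domain,
# a link to a bare IP behind brand-looking text, and a Cyrillic-a look-alike domain.
PHISHING_EML = """\
From: "Bank Support" <security@bank-examp1e.com>
To: victim@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, verify your account immediately.</p>
<p><a href="http://203.0.113.10/login">https://www.bank-example.com/login</a></p>
<p>Or use the secure portal: <a href="https://www.bank-ex\u0430mple.com/">bank-example.com</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal message that should produce no findings.
CLEAN_EML = """\
From: "IT Helpdesk" <helpdesk@example.org>
To: staff@example.org
Subject: Canteen menu for Friday
Content-Type: text/html; charset="utf-8"

<html><body><p>This week's menu: <a href="https://www.example.org/menu">example.org/menu</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EML), ("clean", CLEAN_EML)):
        print(name, analyse(raw))
```

The link-mismatch check is the mechanical form of "hover over the link"; the confusable folding catches the digit and Cyrillic substitutions that a human eye misses. In a real mail gateway these heuristics would sit alongside SPF/DKIM/DMARC results rather than replace them.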

By taking these measures and precautions, we minimize the risk of falling victim to social engineering attacks. Education and awareness, together with other cybersecurity solutions such as those offered by ESED, remain crucial for effective prevention.

If you have any questions or need more information about our solutions, feel free to contact us without any obligation.
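To make the "additional step" in the two-factor authentication recommendation concrete, here is the arithmetic behind the six-digit codes an authenticator app shows (RFC 6238 TOTP, built on RFC 4226 HOTP) together with the checks a server must perform when it receives one. This is an added example for this article, not ESED's code; the seed used in the stand-alone run is the test seed published in RFC 6238, chosen so the output can be compared against the standard's own vectors, and the 30-second step, six digits and one-step skew window are the usual defaults.

```python
"""RFC 6238 TOTP: generating and verifying the one-time code a second factor relies on (added example)."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per code
DIGITS = 6
WINDOW = 1     # accept one time step of clock skew either way


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, digits=DIGITS, step=STEP):
    """RFC 6238: HOTP with the counter derived from Unix time, so client and server agree without contact."""
    return hotp(secret, now // step, digits)


def verify(secret, submitted, now, used, window=WINDOW):
    """Server-side check: constant-time compare within +/- window steps, and reject replay of a used counter.

    `used` is the set of counters already accepted for this user (assumption: persisted per user in practice).
    """
    base = now // STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode()):
            if counter in used:          # same code presented twice: replay
                return False
            used.add(counter)
            return True
    return False


if __name__ == "__main__":
    import time
    seed = b"12345678901234567890"       # RFC 6238 test seed; real seeds are random and per user
    print("current code:", totp(seed, int(time.time())))
```

The check proves only that whoever typed the code held the seed during that 30-second window. A phishing page that asks for the code and forwards it to the real site in real time passes this verification, which is why phishing-resistant factors (FIDO2 security keys, passkeys) bind the login to the genuine origin instead of to a number the user can be talked into revealing.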