* By Antônio Silva
Social engineering is a non-technical strategy used by cyber attackers that relies heavily on human interaction. It's often about tricking people into breaking security best practices.
The success of social engineering techniques depends on attackers' ability to manipulate victims into taking certain actions or providing sensitive information. Today, social engineering is recognized as one of the biggest security threats facing organizations.
social engineering differs from hacking traditional in the sense that attacks are typically non-technical and do not necessarily involve the compromise or exploitation of software or systems. When successful, many social engineering attacks allow attackers to gain authorized and legitimate access to sensitive information.
The most used forms of attack are:
- Phishing – It can take several forms and is aimed at obtaining information or private information. It seeks to trick the user into entering personal information on a legitimate-looking website, which forwards the information to the attacker. Typically, the victim receives an email that appears to be from a real company, such as a bank or well-known store, asking users to register or access their existing registration. When this happens, your login details are stolen.
- Spear Phishing – It is a highly targeted type of attack from phishing, which focuses on a specific individual or organization. the attacks of spear phishing use recipient-specific personal information, such as their name or title, to gain trust and appear more legitimate. This information is often taken from victims' social media accounts or other online activities. By customizing your tactics phishing, you spears phishers have higher success rates for tricking victims into granting access or disclosing sensitive information, such as financial data or trade secrets.
- vishing – It is the term used to describe a type of phishing, which combines emails or text messages (SMS) and VoIP. It works similarly to phishing. Its purpose is to persuade the victim to provide credit card numbers or other information that could be used for identity theft. Typically, a customer receives an email or SMS, apparently sent by their credit card company, with a notice of account suspension or deactivation. The victim is then asked to authorize the activation of the card by calling a toll-free number. The number directs the call to an automated answering system that very convincingly asks for credit card details to be confirmed. To avoid falling into vishing scams, users should take some precautions, such as contacting only the phone number provided on the back of the card or on the institution's website.
- Baiting – in English means “bait”. Here, an attacker wants to lure his victim into executing an executable code, usually piquing their curiosity or convincing them to trigger hardware or software with malware, for example, seemingly innocent USB sticks distributed in an event booth may contain malware.
- pretexting – via phone or email are very similar and occur when an attacker fabricates false circumstances to force the victim to provide access to sensitive data or protected systems. An example of a pretexting attack might be a fraudster who pretends to need financial data to confirm the recipient's identity or pretends to be a member of a trusted entity, such as the company's IT department, to trick the victim into providing login data or grant access to a computer. Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on creating a false sense of trust with the victim. This requires the attacker to create a credible story that leaves little room for doubt on the part of the target.
- Tailgaiting – It is a physical social engineering technique, which occurs when unauthorized people follow authorized individuals into a safe place. The purpose of unauthorized use is to obtain valuable property or confidential information. Unauthorized use can occur when someone notices you entering a password, asks you to leave an application open because you forgot your access card, or borrows your phone or laptop to complete a simple task, and instead installs malware or steals your data.
The human being is the weakest link in the chain of safety. A company may have the best technology to offset the risk of a malicious attack, but any organization that doesn't train its staff or follow best practices is at even greater risk.
Basically, we are all possible targets for fraud and we must be prepared to know what is to come.
- Antônio Silva is GRC and Information Security Consultant at Safeway
SAFEWAY is an Information Security company, recognized by its customers for offering high added value solutions, through Information Security projects that fully meet the needs of the business. In these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence in our clients, who constitute, in large part, the 100 largest companies in Brazil. Today through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology, processes and people solutions.