Social engineering: what is it and how to avoid these attacks?

Although the Nigerian prince is already known to everyone, there are many other social engineering attacks...

Communication Team

Telefónica


What is social engineering?

Social engineering refers to the set of techniques that cybercriminals use to try to manipulate or trick users into sending them confidential data, providing them with private passwords, infecting their computers with malware, opening links to infected sites, buying from fraudulent websites or even sending money.

The most common communication channels for this type of cyber attack, often defined as the art of hacking human psychology to obtain unauthorized data, are text messages, e-mail, chat rooms or social networks.

Cybercriminals typically appeal to cognitive biases, emotions or misdirection to get the information.

Generally speaking, social engineering is based on different tactics: impersonation, authority to convince, intimidation to threaten victims, flattery to gain trust, or creating a perception of scarcity to create a sense of urgency.

Types of social engineering

The different types of social engineering have certain features in common: a deception to gain access to systems or information in an attempt to commit fraud or intrude into a network.

Let’s take a look at the most important characteristics of some types of social engineering:

  • Phishing. Fraudsters use a spoofed or real-looking e-mail address to request personal information, such as bank details or passwords. A subcategory called spear-phishing differs from generic phishing in that the message the potential victim receives is personalized.
  • Smishing. The term is a fusion of SMS and phishing; here cybercriminals use text messages to try to get victims to share confidential information or download malicious programs.
  • Vishing. It shares its objective with the two previous types, but differs in form: the approach is made by telephone call or voice message.
  • Baiting. Fraudsters tempt victims with something of apparent value in an attempt to obtain confidential information or get them to download malicious code. The famous Nigerian prince scam falls into this category.
  • Quid pro quo. Similar to baiting, except that what is promised is a service rather than goods. Based on manipulation and abuse of trust, a common form is someone posing as technical support staff who requests data to fix an alleged computer problem.
  • Pretexting. After creating a false threat situation, the cybercriminal presents themselves to the victim as the person who can resolve it. Unlike quid pro quo, it is not an exchange-based scam, and it usually involves some urgency that pushes the victim to act without thinking.
  • Bait. Here the lure is a physical device (such as a USB drive) left in a public place; it contains malware that infects the systems of victims who plug it in.
  • Shoulder surfing. The name itself gives an idea of the type of attack: someone looks over the victim’s shoulder as they enter their password or PIN into a device or even an ATM.
  • Watering hole. In this type of attack, the cybercriminal compromises a website frequented by the victims and uses it to infect their devices with malware or steal sensitive information.

How to avoid social engineering

Attacks that exploit human psychology rather than technology are difficult to prevent. However, there are some recommendations that can help to avoid them:

  • Skepticism. Treating everything we receive with caution is a first barrier against social engineering attacks. It is also important not to be carried away by curiosity, no matter how tempting the message may seem.
  • Checking the source. If you do not recognise the source, you can search the Internet for the calling number. If instead of a call you have received an e-mail with a link, you can (without clicking on it, just hovering the cursor over it) see whether it actually leads to a suspicious site. Spelling mistakes in the message are another reason for caution.
  • Training. Education and training about possible attacks is also a preventive measure that helps mitigate risk.
  • Cybersecurity updates. Keeping devices up to date with the latest security patches reduces the chance that an incoming attack succeeds.
