Back
Logo  
march 2022
 

Social Engineering: Techniques and Prevention

Social engineering is a cyberattack technique that consists of exploiting people's natural tendency to trust, as well as with credibility and lack of awareness. The goal is usually to obtain sensitive data from companies or individuals.

Companies can invest in many different tools to protect themselves against cybercrime, but the weakest point of an IT security system is usually the human being. Social engineering experts are excellent psychologists, able to manipulate the victim and use intelligent arguments and formulations. Therefore, it is essential to be aware of the threats, importance and value of data.
Intro2
 
 

There are many techniques in social engineering. We highlight some of them here:
 
 

1. Phishing
Image17

The goal is to make the recipient of the email believe it's something they need or are waiting for. The email may include dangerous links or attachments containing antivirus software. Phishing types also include: spear phishing and whaling. Think before you click!
 
 

2. Pretext
Image18

This technique uses a pretext - a false justification for a specific action - to gain confidence and deceive the victim. For example, the attacker claims to work on IT support and requests the target's password to perform maintenance.
Proper processes, policies, and identification and authentication training must be in place to avoid these attacks.
 
 

3. Bait
Image19

The bait aims to attract the victim to perform a specific task, providing easy access to something that the victim may feel tempted to access. For example, a USB drive infected with a keylogger and identified as "Private Photos" left on the victim's desk.
Security policies, such as blocking unauthorized software and hardware, will prevent most attempts, and you may want to remind teams never to rely on unknown sources.
 
 

4. Quid pro Quo
Image20

"Something for something" in Latin, involves a request for information in exchange for compensation. This is the case of an attacker calling random phone numbers claiming to be from technical support. Occasionally, he finds a victim he happened to need. They offer "help", gaining access to the computer and being able to install malicious software.
 
 

5. Shoulder Surfing
Image21

This method involves stealing data (passwords or codes) by looking "over the shoulder" when the victim is using the laptop or other device (a smartphone or even an ATM). Awareness of the threat is particularly important for companies with employees in remote work, where they can use their work devices in public places.
 
 

6. Tailgating
Image22

This method involves physical entry into protected areas, such as the headquarters of a company. The attacker, can impersonate a collaborator and convince the victim, who is an employee authorized to enter at the same time, to open the datacenter door using the victim's RFID pass.
Access to non-public areas should be controlled by access policies and/or use of access control technologies, the more sensitive the area, the stricter the combination.
 
 

To prevent such attacks, there are several important aspects to consider:
 
 

Training employees in social engineering
Image23

One of the most important aspects of social engineering prevention is risk awareness. Therefore, it is essential to organise cybersecurity workshops for employees and pass on the importance of data.
 
 

Testing employee awareness
Image24

Occasionally, it's a good idea to put employees in a real attack simulation situation. Do they lock computers when they come out? Are there any important documents on your desks? Credentials written in post-its? What will they do if an unknown number calls and impersonates someone offering services the company is looking for? Answering these questions will help ensure that everyone on the team is aware of what they can and should not do. Do exercises with the management team and key employees on a regular day. Test controls and reverse engineer potential areas of vulnerability.
 
 

Enhance multi-factor authentication
Image25

Even a strong password isn't always enough. It is best not to rely on single-factor authentication for important data. In addition to passwords, multi-factor verification can include fingerprint scanning, authentication tokens, or SMS codes.
 
 
Currently, the best defence against social engineering attacks is the education of employees complemented with technological solutions to better detect and respond to attacks. By being fully aware of it, and taking basic precautions, you will be much less likely to become a victim of social engineering.
 

Archive

2024

 What is Keylogging?

 October, the Cybersecurity Month

 Can deepfakes influence election results?

 Real-life Case: Ministry of Education recovers 2.5 million euros paid out in computer fraud

 Zero Trust Model

 Real-life Case: Fraud in company due to remote hiring

 The future of passwords

 Generative Artificial Intelligence: Managing Security Risks

 Real-life Case: The City Council of Seville in Spain has suspended all telematic services due to a ransomware attack

 What is Spoofing?

 Authentication in Cyberattack Prevention

2023

 Cybersecurity trends for 2024

 10 Steps for Safe Online Shopping

 October, the Cybersecurity Month

 How to Protect the Privacy of Your Mobile Phone and Tablet

 Social Media, a risk to cybersecurity

 8 tips to protect your information in the Cloud

 10 tips for cybersecurity that parents should know to protect children from online risks

 Prevention starts with creating a password

 Cybersecurity and ChatGPT

 Backups | The Guardian of Data Loss

 Dangers and challenges of AI in cibersecurity. Are you prepared?

 Phishing, Smishing and Vishing | Best Practices

2022

 Online fraud attempts to be on the alert in 2023

 Online shopping security | What we recommend

 Cybersecurity Awareness | 8 habits to have at Home and at Work

 Cybersecurity & Cookies

 Cybersecurity on Holiday and Travel

 Cloud Security

 Ransomware Awareness

 Mobile Security

 Physical Security

 Social Engineering

 PII or Personally Identifiable Information

 Cybersecurity trends for 2022

2021

 Avoid IoT Disasters

 Cybersegurity Quiz

 SOUP-D Tips to protect yourself from cyberattacks

 Multi-Factor Authentication

 Deepfake

 Zero Trust

 Ransomware

 Dangers when using a VPN

 Identity Theft in the Cloud

 Mobile Malware

 Creating Passwords

 Internet of Things

2020

 Identity Theft and Internet Fraud Scams

 Secure Online Shopping

 Think before you click quiz

 Proper use of the Internet

 Spear Phishing

 Security of PC's and other devices

 Vishing

 Backups

 Communication/Video tools

 Cybersecurity when working remotely

 Formjacking

 Ransomware

 Phishing

2019

 Online Shopping

 Passwords

Subscribe our newsletter.


Cookie Consent X

Devoteam Cyber Trust S.A. uses cookies for analytical and more personalized information presentation purposes, based on your browsing habits and profile. For more detailed information, see our Cookie Policy.