Por: Mirna Zárate.
Social engineering is a technique used by cybercriminals designed to attract unattended users, to steal their confidential data, infect their computers with malware or lead them to open infected sites.
Furthermore, hackers might try to take advantage of the lack of knowledge from a user, thanks to high technology speed, many consumers don’t realize the value of personal data and aren’t sure of how to protect their information.
Attacks of social engineering might imply a certain amount of psychological manipulation, tricking users or employees to deliver confidential data.
Commonly, it happens through email or other ways of communication that causes urgency, fear or similar emotions on the victim, what leads to quickly revealing of confidential information, clicking on a malicious link or opening a file. Since social engineering requires a human element, prevention of these attacks might be difficult for enterprises.
In certain cases, a social engineer doesn’t have to gain their customer’s trust in order to manipulate them, though he might obtain certain data by the information that is easily accessed to. It might be in a post-it in the desk, notes, cellphone messages or downloaded files or trash files.
In other words, a social engineer can obtain data without the need of making any kind of pressure in people. In those cases, we're not talking about a type of fraud, but taking advantage of other’s negligence.
Types of social engineering attacks:
Based on the person: Needs the interaction with another person to be able to collect the information needed. Some techniques are: a. Identity theft: This type of attack, the hacker pretends to be an employee or valid user in the system. it can have physical access pretending to be an employee, concierge or contractor. b. Being an outsider: In this attack, the hacker pretends to have authorized access from another person to use the system. It works when the authorized person isn't available for a long period of time. c. Searching in the trash: It means to look for all written or printed information in the trash. The hacker often finds passwords, name of files or other confidential information.
Social engineering in the computer: it uses certain software to try to recover information. a. Phishing: designing fake emails, chats or web sites pretending to be the real systems with the objective of having confidential data. For example, a message from the bank or other institution asking you to verify you access information in a "genuine" front page with the correct logos. b. On-line frauds: Emails are sent by the scammers with fake files that include a malicious code inside a file. These might include key recorders to capture passwords, viruses, trojans or worms. Sometimes, pop ups announce special offers that might tempt some users to download the malicious software unawaredly.
Building a human firewall
Having the threat of social engineering everywhere nowadays, it is extremely important that banks have systems and politics that help detect and prevent this type of fraud.
Since the human element is the weakest link in the security chain, all the enteprise’s education is vital to build a hardy defense.
It’s not enough for a work forcé to have policy directives, but rather needs education on how to recognize this type of fraud. “THey ought to become human firewalls”. And as any other TI firewall, this one must often be tested and updated with current information as new tendencies appear.
In Collaboration with, Sabrina Guerrero.
References
Kaspersky. (2018). Social Engineering - Definition. Junio 04,2019, de Kaspersky Sitio web: https://usa.kaspersky.com/resource-center/definitions/social-engineering
Lord,N. (Mayo 15,2019). Social Engineering Attacks: Common Techniques & How to Prevent an Attack. Junio 04,2019, de Digital Guardian Sitio web: https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Meinert,M. (Abril 29, 2016). Social Engineering: The Art of Human Hacking. Junio 04, 2019, de ABA BANKING JOURNAL Sitio web: https://bankingjournal.aba.com/2016/04/social-engineering-the-art-of-human-hacking/
Cyber security advice. (Marzo 28,2017). The Most Famous Cases of Social Engineering. Junio 04, 2019, de Open Data Security Sitio web: https://opendatasecurity.io/the-most-famous-cases-of-social-engineering/
Infosec. (Septiembre 23,2013). Social Engineering: A Hacking Story. Junio 04,2019, de INFOSEC Sitio web: https://resources.infosecinstitute.com/social-engineering-a-hacking-story/#gref
