Marketing Intelliway

How Does Social Engineering Work in the Context of Cybersecurity?

Updated: Apr 14, 2023

If you have a cell phone in your hands, profiles on social networks, or use emails for work and personal life, someone has probably tried to scam you using social engineering.


After all, this type of crime was the most common in 2022 according to a report by LookingGlass Cyber and ISACA (Information Systems Audit and Control Association).

In order to make the concept of social engineering clearer, we can think of an example. Imagine that you are looking for an item to buy on the internet. Most of the options you find cost R$ 100.00. However, there is an incredible 50% off sale opportunity.


At the same time, you open a website that requests some personal information such as your full name, social security number, and cell phone number for registration.


So, you fill it out, and soon after you are directed to a purchase page with the promised discount. You are in doubt about the purchase, and decide to open a chat with the customer service to ask some questions.


Soon after, an attendant answers you and clarifies all the points. Finally, you can pay through PIX to guarantee the discount and now just wait for your purchase to arrive at your home.


Congratulations, you've just suffered a social engineering scam!


Of course, not all purchases you make on the internet will be scams like this one. But this type of attack by cybercriminals is becoming more and more common and therefore it is necessary to pay attention to some points.


Continue reading this article to better understand social engineering and its connection to cybersecurity.


What is Social Engineering?


Social engineering refers to schemes for manipulating people: cybercriminals use these techniques to manipulate people into sharing their sensitive information and even sending them money.


In this way, those who fall for the scams usually end up losing their security. In fact, Verizon's DBIR 2022 report found that 82% of data breaches involved a human element.


This happens because cybercriminals are skilled, as they understand human nature. It is very common, for example, for people to transfer money to third parties with the promise of earning money without any effort.



Social engineering also exploits people's fear. In a widely practiced type of scam, cybercriminals send messages and emails, and even call the victims. They impersonate authorities such as the Police, as well as other government bodies such as Serasa in Brazil.


In fact, people are afraid of ending up in prison or having bad credit. Therefore, they end up falling for scams and sharing their personal information.

These social engineering scams happen in different ways and have technical names, which are described below.


8 types of methods used by cybercriminals


Phishing

A phishing attack is extremely common, and consists of manipulating people into sending their confidential information to cybercriminals.


In fact, according to an IBM report released in 2021 (Cost of Data Breach 2021), you can see that phishing is the most common method of data breach attacks.


In addition to sharing information, scams also involve downloading software that invades victims' devices.


In addition to these, another form of phishing that happens constantly is the manipulation of people to transfer money to scammers.


Mass-market emails

In this type of scam, cybercriminals send mass messages impersonating large organizations or companies. They are usually companies known by the vast majority of the population or banks.


In this fake email, there is a request to update your credit card details, for example. When people send this data, scammers save the numbers to make purchases.


Spear phishing

In this case, phishing is individual and cybercriminals do real research on the victim. This investigation is done through social networks most of the time, which is a source of a lot of personal information about people.


With this more specific knowledge of the victim's routine and day-to-day life, scammers are able to create messages that are familiar to the person under attack.


Search engine phishing

It's possible that you know someone who transferred money to another person to confirm payment, and never received the product.


This is search engine phishing, where cybercriminals create fake websites that are extremely similar to the store's original website. Sometimes, if you pay attention to the URL in the address bar, you will notice some changes, such as a period, or another detail. It is only in this way, observing details, that people manage to escape this type of attack.
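The URL check described above can be automated. The following is an added example, not part of the original article: it compares a link's hostname against a hypothetical allowlist of stores (`KNOWN_STORES`, with constructed domain names) and flags hosts that differ only by a period, a hyphen, or a character or two.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the real domains of stores you actually use.
KNOWN_STORES = {"examplestore.com.br", "shop.example"}


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def squeeze(host):
    """Drop periods and hyphens so 'example.store' equals 'examplestore'."""
    return host.replace(".", "").replace("-", "")


def classify(url):
    """Return 'known', 'lookalike' or 'unknown' for the URL's hostname."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in KNOWN_STORES:
        return "known"
    for store in KNOWN_STORES:
        # An extra or missing period/hyphen, or a one- or two-character swap.
        if squeeze(host) == squeeze(store) or edit_distance(host, store) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://www.examplestore.com.br/sale",
                "https://example.store.com.br/sale",
                "https://examp1estore.com.br/pix",
                "https://another-site.example/"):
        print(classify(url), url)
```

A "lookalike" result means the address is close to, but not the same as, a store you trust; "unknown" only means the host is not on the list.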


Baiting

"Baiting" is a technique used by cybercriminals to steal personal and financial information. To attract victims, they create a fictitious and tempting scenario, usually with some reward. What makes the technique effective is the victim's greed or need, which makes them vulnerable to falling for the scam.


A common example is the sending of fake emails that pretend to be legitimate messages from trusted companies, such as banks or online stores. By clicking on a link or downloading an attachment, the victim may install malware on their computer or be redirected to a fake page that requests confidential information.


Quid pro Quo

In addition to the scams mentioned above, there are also cases where cybercriminals offer prizes or rewards to victims. To receive these gifts, the victim needs to share confidential information.


Scareware

Likewise, we have scareware, which is a type of social engineering scam that uses fear as the basis for attacks. Messages accusing the victim of some crime or cell phone problems, for example, are extremely common.


In order to avoid negative consequences, you always need to ask yourself if you should click on a link that was sent via SMS, WhatsApp, email, or other social networks.


When in doubt, contacting the official bodies that are supposedly talking to you helps to avoid this type of attack.


How to identify a social engineering attack


Lastly, it is important to understand how to identify and especially prevent attacks based on social engineering.


In general, some signs should be observed, such as the language of the message you receive. Fake emails and messages, for example, tend to be quite generic, with greetings such as “dear customer”, or “dear recipient”.


Likewise, it is important to pay attention to who the sender of a given message is. If the sender's address is made up of many numbers and letters, send the message straight to the spam folder.


Finally, another characteristic point of scams via message is the urgency that is placed on the request. Through this artifice, cybercriminals scare their victims and manipulate them to act in a certain way.
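The three signs above (generic greeting, a sender made of many numbers and letters, and urgency) can be checked mechanically as a first-pass filter. This is an added example, not part of the original article; the urgency word list, the thresholds and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

GENERIC_GREETINGS = ("dear customer", "dear recipient")   # quoted in the article
URGENCY_TERMS = ("urgent", "immediately", "final notice",
                 "will be suspended", "within 24 hours")  # assumed word list

# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: Bank Support <x7k29qz4831ab@mail.example>\n"
    "Subject: Urgent: verify your card\n"
    "\n"
    "Dear customer,\n"
    "Your account will be suspended unless you update your credit card "
    "details immediately.\n"
)
BENIGN = (
    "From: Ana Souza <ana.souza@example.com>\n"
    "Subject: Lunch on Friday\n"
    "\n"
    "Hi Pedro,\nAre we still on for lunch on Friday?\n"
)


def sender_looks_random(address):
    """True when the local part mixes many digits and letters."""
    local = address.split("@", 1)[0]
    digits = sum(c.isdigit() for c in local)
    letters = sum(c.isalpha() for c in local)
    return digits >= 4 and letters >= 4   # thresholds are an assumption


def red_flags(raw_message):
    """Return which of the three warning signs appear in one message."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""   # plain-text mail only
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    if any(g in body.lower()[:200] for g in GENERIC_GREETINGS):
        flags.append("generic_greeting")
    if sender_looks_random(address):
        flags.append("random_sender")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, red_flags(raw))
```

A message with no flags is not proven safe; the output is a prompt for a closer look, not a verdict.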


3 tricks to prevent cybercriminals


As you have seen throughout this article, cybercriminals use social engineering strategies to manipulate people into performing certain actions.

With that in mind, it is important that you are able to protect yourself through simple but effective actions.


1. Cybersecurity

One of the most important points to prevent attacks is to have a good cybersecurity structure. And in addition to the structure, also have regular employee training from the base to the top of the company's hierarchy. That way everyone knows how to use the systems if necessary.



2. Safer Passwords

If you have the same password (which includes your name letters and your date of birth) for different social networks and websites, a suggestion is to migrate to more complex passwords.


3. Technical solutions for scam detection

Having a clear procedure for what needs to be done to ensure security in a company is necessary.


In this way, by following the steps, employees are more protected in companies, and people, in general, avoid problems in their daily lives.


Are you interested in learning more about cybersecurity and ways to fight social engineering scams? Keep reading our posts and get in touch with your questions.

