Cyber threats are nothing new. It is still important to recognize them and become familiar with them, so that we understand the logic behind each one, can prevent them, and know how to report them and respond to them.
What is Social Engineering?
Social engineering is the use of non-technological methods to trick selected potential victims, who have been screened beforehand, into sharing sensitive personal information, such as passwords or bank account details, with a hacker almost of their own accord.
What are the types of social engineering threats?
Spear phishing: Personalized emails or phishing messages, often impersonating close contacts, recruiters, etc. Example: a hacker posing as a bank and asking a person for private information to "unlock their account", or posing as a recruiter and requesting identity information to process a fake job offer.
Pretexting: Using a pretext or captivating story, hackers catch a targeted person's attention and lead them to take a specific action, such as donating to a fake campaign or handing over sensitive personal information. Example: emails promising money from a supposed inheritance, which aim to obtain bank account details.
Contact spamming: Mass e-mails sent to the contact list of an account that has been compromised. Because they come from a known mailbox they do not arouse suspicion, but their content consists of shortened links or informal subject lines such as "Check this out". If the recipient clicks, malicious software is installed that continues the spam chain and may have negative consequences for their personal data.
How to recognize social engineering attacks?
Generic and flawed language: If an email comes from a safe and reliable source, its body should follow spelling and grammar rules. Otherwise, it is likely to be an attack. Another linguistic sign of an attack attempt is a generic greeting or generic wording. So, if an e-mail begins with "Dear recipient" or "Dear user", beware.
An unknown sender or a suspicious address: If an email comes from an address made up of random numbers and characters, or from one unknown to the recipient, it should go straight to the spam folder. However, in some cases hackers may also use a legitimate email address, so it is still important to review the other warning signs in this section.
Sense of urgency: The criminals behind social engineering campaigns often try to scare victims into action by using anxiety-provoking phrases such as "send us your details immediately or your package will be discarded" or "if you don't update your profile now, we will close your account". Banks, parcel delivery companies, public institutions, and even internal departments usually communicate in a neutral and objective manner. Therefore, if the message attempts to pressure the recipient to act quickly, it is probably a malicious and potentially dangerous scam.
Request for personal and private information: Institutions and even other departments in your own company will not normally request confidential information by e-mail or telephone, unless the contact was initiated by the employee.
How to prevent these attacks?
Do not disclose personal information or confidential data (credentials, credit card numbers, bank account numbers, etc.) by phone, email, or instant messaging services.
Be careful when sharing information. Avoid exposing yourself on the Internet and social networks by publishing personal information (telephone number, address, habits, etc.). This data makes cybercriminals' work easier.
Check attached files. Do not download them if you do not know what they contain, even if they come from a known contact.
Do not click on links or attachments in e-mail messages. A link can be checked by hovering the pointer over it without clicking: the address of the site it leads to is shown, so you can verify whether it is genuine.
Always install and keep an updated antivirus on all devices.
Common sense and caution are the best allies in the defense against social engineering.
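As an added illustration that is not part of the original article, the following Python script scores a constructed sample e-mail against the warning signs listed above (generic greeting, sender address made of digits, urgency wording, requests for private data) and applies the hover-over check from the prevention list by comparing each link's visible text with its real destination. The phrase lists, the sample message and every domain in it are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists and the SAMPLE message are constructed for this example from the signs described above.
PHRASE_CHECKS = {
    "generic_greeting": ("dear recipient", "dear user", "dear customer"),
    "urgency": ("immediately", "close your account", "will be discarded"),
    "sensitive_request": ("password", "bank account", "credit card", "credentials"),
}
# Simple anchor matcher; enough for the well-formed HTML in the sample, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def link_mismatches(html):
    """Links whose visible text looks like an address but whose real target is elsewhere."""
    bad = []
    for href, shown in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", shown).strip()  # drop tags nested inside the link text
        if DOMAIN_LIKE.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).netloc
            if shown_host.lower() != urlparse(href).netloc.lower():
                bad.append((shown, href))
    return bad


def red_flags(raw_message):
    """Return the names of the warning signs found in a single-part text/html message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = [name for name, phrases in PHRASE_CHECKS.items()
             if any(p in body.lower() for p in phrases)]
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0]
    if re.search(r"\d{4,}", local_part):  # long digit runs in the sender address
        flags.append("suspicious_sender")
    if link_mismatches(body):  # what hovering over the link would reveal
        flags.append("link_mismatch")
    return flags


SAMPLE = """From: Account Services <support88213@mail-verify.example>
Subject: Check this out
Content-Type: text/html

<html><body><p>Dear user,</p><p>Update your profile immediately or we will close your account.
Confirm your password and bank account at
<a href="http://login.verify-now.example/reset">https://www.bank.example/secure</a></p></body></html>"""
```

Running `red_flags(SAMPLE)` reports all five signs; a message that raises none of them returns an empty list.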
NOTE: If you want to learn more about how to recognize digital security issues and threats, we invite you to take the free Digital Security short course:
Background illustration: Photo by Mati Mango from Pexels / Pexels license