What is Social Engineering?
«Social Engineering consists of psychological manipulation techniques that are exercised on the attacked subject so that he or she makes decisions without questioning or thinking» (Ruth Sala, Criminal Lawyer. Computer Crimes).
Once the cyber-criminal has gained the victim's confidence, it is much easier and more effective to obtain access credentials to Information Systems.
The consequences of an attack that uses social engineering techniques against an organization are devastating. For the attacker, it means spending time investigating in greater depth not only the organization or company, but also the employees and collaborators who will be targeted.
With such an investigation, they will be able to discover the weakest link in the company that could give the attacker access to the Information System.
To deal with this type of attack, a series of measures, mechanisms or processes is needed. According to experts in the field, the most important thing in this type of case is continuous training within organizations, which will prove to be an effective tool, a priori, for avoiding or reducing attacks of this nature.
Interestingly, a study was developed with this objective: to determine whether it is possible to fight against these psychological manipulation techniques or whether, on the contrary, personnel should be considered the permanent weak point in the organization.
Carrying out this study meant going deeper into Social Engineering and analyzing it from the legal, psychological, business and cyber security points of view.
It also included a study of statistics on cyber-crime and the methods used in cyber-crime, to obtain a complete picture and, at the same time, to learn how these incidents were dealt with.
Large institutions such as EUROPOL, ENISA, CCN, CERT, INCIBE, the Attorney General’s Office, the Judiciary and the Ministry of the Interior, in their analysis of official statistics, have said that they do not have all the information. They are aware of only part of the computer incidents suffered by organizations, because incidents are not reported to CERTs, their help is not requested, and the incidents are not communicated or shared.
The point of view of organizations on cyber-attacks that use Social Engineering techniques is also important. To this end, two surveys were carried out based on two hypotheses, which would help clarify whether training and education in organizations are viable as a prevention measure.
The first hypothesis is that employees over the age of 45 are more likely to be victims of deception through Social Engineering, because they are less accustomed to using technological means and because the organization in which they work has not trained them in a culture of cyber security.
The second hypothesis is that training in cybersecurity reduces by 50% the attacks caused by Social Engineering techniques.
One of the surveys was addressed to any company that had suffered such attacks, and the other to a controlled group of companies or organizations dedicated to responding to cyber security incidents.
The objective was to find common elements that would help develop programs to prevent crimes committed through Social Engineering.
From this study, it can be concluded that the surveys of the companies dedicated to responding to cyber security incidents are the only reliable ones. The others confirm the dark figure (the unreported number) of Social Engineering victims.
There is always something that can be done; many experts have therefore given their recommendations, proposing different preventive measures. I leave the link on this subject below.
Basically, Social Engineering is a deception technique intended to make the person being attacked hand over personal and confidential information to the attacker. It is based on exploiting users' vulnerabilities and their limited knowledge of the latest technologies, which advance at great speed. Many users do not know the best way to protect their information.
According to Kaspersky, an expert in cyber security, almost all computer attacks involve some type of social engineering.
What most experts agree on is that protection against social engineering begins with education; otherwise, we will always be vulnerable to this type of attack.