
Social Engineering: Tips for prevention

Social engineering is a cyberattack technique that exploits people’s natural tendency to trust, their credulity and their lack of awareness. The goal is usually to obtain sensitive data from companies or individuals.

Companies can invest in many different tools to protect themselves against cybercrime, but the weakest point of an IT security system is usually the human being. Social engineering experts are skilled psychologists, able to manipulate the victim with intelligent arguments and carefully chosen wording. It is therefore essential to be aware of the threats and of the importance and value of data.

There are many prevention tips for social engineering. We highlight some of them here:

1. Phishing

The goal is to make the recipient of the email believe the message is something they need or are expecting. The email may include dangerous links or attachments that install malicious software. Phishing variants also include spear phishing and whaling. Think before you click!
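The “think before you click” advice can be partly automated at the mail gateway. The following is an added example, not code from the original article: it checks a constructed sample message for two common phishing indicators, a link whose visible text names one site while its href points to another, and an attachment with an executable extension. The domain comparison uses the last two labels as an approximation of the registrable domain, which is an assumption good enough for this sample.

```python
"""Flag two phishing indicators in an email: disguised links and executable attachments.
Added example with a constructed sample message; not from the original article."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute when opened; extend from your own mail-gateway policy
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".docm", ".xlsm")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Assumption: the last two labels approximate the registrable domain
    # (fine for example.com; a production filter would use the public suffix list)
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_link_mismatches(html):
    """Return (visible text, href) for links whose text names a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and href_host and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            hits.append((text, href))
    return hits


def find_dangerous_attachments(msg):
    """Return filenames of attachments whose extension is in DANGEROUS_EXT."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and part.get_filename().lower().endswith(DANGEROUS_EXT)
    ]


def analyse(msg):
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "link_mismatches": find_link_mismatches(html),
        "dangerous_attachments": find_dangerous_attachments(msg),
    }


# Constructed sample: a "password expiry" lure with a disguised link and a double-extension attachment
SAMPLE_HTML = """
<p>Your password expires today. Sign in at
<a href="https://login.example-account-verify.net/x">https://accounts.example.com/login</a>
to keep access.</p>
<p>Questions? See <a href="https://www.example.com/help">example.com/help</a>.</p>
"""


def build_sample():
    msg = EmailMessage()
    msg["From"] = "it-support@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Your password expires today. Please sign in.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg


if __name__ == "__main__":
    print(analyse(build_sample()))
```

Only the first link is reported: its text claims accounts.example.com while the href goes to example-account-verify.net. The second link’s text and href both resolve to example.com, so it passes. The attachment is flagged on its real extension, not on the “.pdf” in the middle of the name.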

2. Pretext

This technique uses a pretext – a false justification for a specific action – to gain the victim’s confidence and deceive them. For example, the attacker claims to work in IT support and asks for the target’s password in order to perform maintenance.
Proper processes, policies, and training in identification and authentication must be in place to avoid these attacks.

3. Bait

Baiting tries to lure the victim into performing a specific task by offering easy access to something the victim may be tempted to look at. For example, a USB drive infected with a keylogger, labelled “Private Photos” and left on the victim’s desk.
Security policies, such as blocking unauthorized software and hardware, will prevent most attempts, and it is worth reminding teams never to trust devices from unknown sources.
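“Blocking unauthorized hardware” in practice means a default-deny device policy: a USB device is accepted only when its vendor/product identifiers are in the inventory and it exposes no functions beyond what that inventory entry permits. The following is an added example, not the article’s own code: the device records and allowlist identifiers are constructed, and the udev rule it emits for a blocked device (clearing the device’s `authorized` attribute on add) is one assumed way to express the block on Linux.

```python
"""Default-deny USB device policy against a constructed inventory allowlist.
Added example; device records and IDs are constructed, not from the original article."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# USB interface class codes (USB-IF class code list)
USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives, external disks


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interface_classes: FrozenSet[int]
    label: str = ""  # human-readable name, constructed for the sample


# Constructed allowlist: (idVendor, idProduct) -> interface classes that entry may expose.
# A real deployment takes this from the hardware inventory.
ALLOWLIST: Dict[Tuple[int, int], FrozenSet[int]] = {
    (0x1234, 0x0001): frozenset({USB_CLASS_HID}),           # issued keyboard
    (0x1234, 0x0002): frozenset({USB_CLASS_MASS_STORAGE}),  # encrypted corporate drive
}


def decide(dev: UsbDevice, allowlist=ALLOWLIST) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one device."""
    permitted = allowlist.get((dev.vendor_id, dev.product_id))
    if permitted is None:
        if USB_CLASS_MASS_STORAGE in dev.interface_classes:
            return "block", "unapproved storage device"
        return "block", "device not on allowlist"
    extra = dev.interface_classes - permitted
    if extra:
        # Inventory IDs match but the device offers functions the inventory never listed:
        # treat it as spoofed or tampered rather than trusting the IDs alone
        return "block", f"allowlisted IDs expose unexpected interface classes {sorted(extra)}"
    return "allow", "inventory match"


def udev_block_rule(dev: UsbDevice) -> str:
    """One assumed way to express the block for Linux udev: de-authorize the device when added."""
    return (f'ACTION=="add", SUBSYSTEM=="usb", ATTR{{idVendor}}=="{dev.vendor_id:04x}", '
            f'ATTR{{idProduct}}=="{dev.product_id:04x}", ATTR{{authorized}}="0"')


# Constructed devices: two inventory items, a found drive, and a drive that also presents a keyboard
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, frozenset({USB_CLASS_HID}), "issued keyboard"),
    UsbDevice(0x1234, 0x0002, frozenset({USB_CLASS_MASS_STORAGE}), "corporate drive"),
    UsbDevice(0xABCD, 0x9999, frozenset({USB_CLASS_MASS_STORAGE}), "drive found on desk"),
    UsbDevice(0x1234, 0x0002, frozenset({USB_CLASS_MASS_STORAGE, USB_CLASS_HID}), "drive with keyboard interface"),
]


def evaluate_all(devices=SAMPLE_DEVICES):
    """Return (label, verdict, reason) for every device."""
    return [(d.label, *decide(d)) for d in devices]


if __name__ == "__main__":
    for label, verdict, reason in evaluate_all():
        print(f"{verdict:5} {label}: {reason}")
        if verdict == "block":
            print("   ", udev_block_rule(UsbDevice(0, 0, frozenset()) if False else next(d for d in SAMPLE_DEVICES if d.label == label)))
```

The fourth device shows why the class check matters: its identifiers match the corporate drive, but it also presents a keyboard interface the inventory never recorded, so the policy blocks it instead of trusting the IDs.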

4. Quid pro Quo

“Something for something” in Latin: the attacker requests information in exchange for a favour. A typical case is an attacker calling random phone numbers claiming to be from technical support. Occasionally they reach a victim who actually needs help. They offer that “help”, gain access to the computer, and are then able to install malicious software.

5. Shoulder Surfing

This method involves stealing data (passwords or codes) by looking “over the shoulder” while the victim is using a laptop or other device (a smartphone or even an ATM). Awareness of this threat is particularly important for companies with remote employees, who may use their work devices in public places.

6. Tailgating

This method involves physically entering protected areas, such as a company’s headquarters. The attacker may impersonate a colleague and convince the victim, an employee authorized to enter at the same time, to open the datacenter door with the victim’s RFID pass.
Access to non-public areas should be controlled by access policies and/or access control technologies; the more sensitive the area, the stricter the combination should be.
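Access control technology for a datacenter door produces logs that can be audited for exactly the scenario above. The following is an added example, not code from the original article: it runs two standard access-control checks over a constructed badge and door-sensor log. An anti-passback check flags a badge that “enters” again without a recorded exit (the pass was shared, cloned, or someone followed it in), and a door-held-open check flags an entry where the contact sensor reports the door open for longer than the configured limit after a single badge read. The event format and door name are constructed.

```python
"""Audit a constructed badge/door-sensor log for anti-passback violations and doors held open.
Added example; the log format, door name and badge IDs are constructed, not from the article."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    t: int                   # seconds since start of the log (constructed)
    kind: str                # "badge" (reader read) or "door" (contact sensor)
    door: str
    action: str              # badge: "in" / "out"; door: "open" / "close"
    badge: Optional[str] = None


def audit(events: List[Event], hold_limit_s: int = 15) -> List[str]:
    """Return human-readable findings, in time order."""
    findings = []
    inside = set()       # badges currently inside the protected area
    open_since = {}      # door -> time the contact sensor reported it open
    last_badge = {}      # door -> most recent badge read at that door
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "badge":
            last_badge[e.door] = e.badge
            if e.action == "in":
                if e.badge in inside:
                    findings.append(
                        f"anti-passback: {e.badge} entered via {e.door} at t={e.t} without a recorded exit")
                inside.add(e.badge)
            elif e.action == "out":
                inside.discard(e.badge)
        elif e.kind == "door":
            if e.action == "open":
                open_since[e.door] = e.t
            elif e.action == "close" and e.door in open_since:
                held = e.t - open_since.pop(e.door)
                if held > hold_limit_s:
                    findings.append(
                        f"door held open: {e.door} open {held}s after {last_badge.get(e.door, 'unknown')} "
                        f"at t={e.t - held}")
    return findings


# Constructed log: B100 badges in and the door stays open 24 s; B200 badges in and out normally;
# B100 then badges in again although the system never saw B100 leave.
SAMPLE_EVENTS = [
    Event(0, "badge", "DC-DOOR-1", "in", "B100"),
    Event(1, "door", "DC-DOOR-1", "open"),
    Event(25, "door", "DC-DOOR-1", "close"),
    Event(120, "badge", "DC-DOOR-1", "in", "B200"),
    Event(121, "door", "DC-DOOR-1", "open"),
    Event(124, "door", "DC-DOOR-1", "close"),
    Event(200, "badge", "DC-DOOR-1", "out", "B200"),
    Event(300, "badge", "DC-DOOR-1", "in", "B100"),
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Neither check proves tailgating on its own, but both are cheap to run continuously and each points at a specific badge and time that a security team can follow up with camera footage or a conversation with the badge holder.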