As mentioned above, not all cybercrime relies on malware; it can also occur through social engineering techniques. The term refers to the methods of deception criminals use to get users themselves to hand over their access credentials (username and password) for bank accounts, email, social network profiles and even WhatsApp.
According to the recent IBM report, 29% of cyberattacks in the region in 2021 arose from stolen credentials. This is closely linked to phishing attacks, which, according to the same report, experienced a significant increase in the region.
“It was found that phishing is presented as a stable infection route over time, with an average of around 10,000 daily detections,” stressed Sol Gonzáles, a cybersecurity specialist at Eset, when asked about this issue.
The two main factors that occur in phishing cases:
1. The hooks: trending topics, gifts and investment promises. When orchestrating such a deception, cybercriminals seek to create an attractive hook. They send an email or message, or even make a phone call (a technique known as vishing), to their potential victims, claiming to represent a supposedly recognized entity that is going to offer them a benefit.
They can say, for example, that they are representatives of a government agency contacting the person to give them access to a social benefit, or that they are from a bank and that the person was selected to receive a credit. In these times when there is a lot of talk about NFTs and cryptocurrencies, many scammers use these topics as an excuse to carry out cyber scams, as Eset has warned, or even to run pyramid schemes.
2. Get the user to give up their passwords. Once the cybercriminals have gained the attention and trust of the potential victim, they ask for their access codes. Sometimes they ask for them directly, but in other cases they use somewhat more elaborate tricks. To hijack a WhatsApp account, for example, they can tell the victim that they have been sent a promotional code by SMS and that they have to share it to obtain the supposed benefit. If the victim shares this information, they run the risk of losing access to their profile, since the information requested is the validation code for the account.
In other cases, the user is sent, by email or message, a link to a fake page that pretends to be a genuine site (such as a bank, company, social network, etc.) and is asked to enter their username and password there to update information or finish a supposed process to obtain the promised benefit. That way the criminal gets this data.
Recommendations to protect yourself from cyber attacks:
1. It is important to be informed about how phishing campaigns work to avoid becoming a victim of scams and identity theft.
2. Do not download attachments that arrive by mail or message with supposed benefits. Do not give out confidential data over the phone either.
3. Avoid clicking on links that arrive through different communication services, because they may lead to fake pages that request access credentials, which will later be used to access other user accounts.
4. Have strong passwords and do not use the same ones in all accounts. For this it may be useful to have a password manager.
5. Activate second-factor authentication on all accounts that allow it.
6. Avoid publishing sensitive data on social networks, or photos that help cybercriminals deduce it.
7. Remember that security codes received via SMS or email should never be shared with anyone.
8. Keep the operating system up to date and have a security solution installed.