The ABC of social-engineering: Cyber field makes no exception, as "all warfare is based on deception."

Since the world stayed home, forced by the coronavirus crisis, there has been much more discussion about social engineering in the field of computer use. This article is intended to be a pragmatic view of what a user without technical studies has to know, and how to deal with it. It was not written for IT professionals, who usually recognize the main language of social engineering and basically know how to protect themselves, nor for companies. For them, there are security toolkits, trainings and awareness sessions created by specialists.

The article underlines that the concept of social engineering is much about Persuasion and Trust, as it refers to the psychological manipulation of people to carry out activities that, following the good practice of information security, they should not.

IT IS NOT QUITE A BLAME...

If one tends to feel ignorant, perhaps one should bear in mind that it is believed that Stuxnet was introduced via a USB flash drive. The malicious computer worm reportedly contributed to substantial delays in Iran's nuclear program. How does that feel? Now, let's start chatting about our personal computers.

FIRSTLY: Scientifically speaking, people are not aware of 95% of their feelings. This unconscious intention causes us to position ourselves in inferiority (or shyness) and sometimes to bear the consequences of others' choices. Social-engineering exploits Trust, and that is why an entire discussion can be held. It is a sensitive threshold that must be crossed when you start blaming someone for responding to a person who has impersonated a familiar figure.

SECONDLY: The coronavirus crisis amplifies the natural need to have someone around, especially if you're experiencing the lockdown on your own. More than ever, you can easily become the perfect candidate for cyber attackers, because you are so willing to talk - especially when all your friends, just like you, are facing endless problems in various fields and are not in the mood. Or when you are facing financial difficulties and suddenly you are informed that you are the lucky winner of a prize, just for a little information in return. So far, nothing to blame yourself for, if you remember to PAY ATTENTION to things that are TOO GOOD TO BE TRUE!

THIRDLY: Social-engineering responds to one's needs. It aims to exploit the weakest link in a security structure - people - to gain access to confidential data. Sentiment analysis, which is the strongest tool in social-engineering, is nothing more than an effective kind of listening and another form of attention to one's needs, and it was not invented by today's online marketing industry. Clothes and other niche-approved products have always been widely produced. The title of our article includes a principle from Sun Tzu's ancient military writing, "The Art of War" - since ancient times humans have used manipulation, except they probably hadn't called it so. Funny, isn't it? Known as the "Art of Deception", social engineering uses multiple techniques to "sell" a virtual world to people and launch a real attack on targets. Its main purpose is to establish and maintain contact with individuals - home users or employees - to compromise the security arsenal, causing losses of various kinds. For this reason, social-engineering is a concept strongly studied by the information security industry.

NOR A VIRTUE TO BE A TARGET

A cyber attack using the same social-engineering technique could equally target personal devices, or state infrastructures. Social engineering can use various modes of interaction: physical malicious devices, social media, e-mails, phone calls, and more. Despite the fact that social-engineering is commonly used for negative purposes, we can be trained to see it as a tool for detecting defects. In this way, human errors can be found, and so the appropriate ways to correct them.

IT'S A DUTY TO KNOW THE BASICS

How can I be targeted? In different and creative ways, constantly evolving. Knowing as much as possible about how social-engineering works is a form of prevention. Moreover, if an attack finally occurs, understanding it and the human behind the keyboard is the first step to successfully managing the situation.

Attacks can aim at stealing information, destroying your computer, or modifying its functioning or the information it holds. A few types of attacks:

  • Email / phone call based:
    ◦ #phishing / #vishing - someone announces that you are eligible to receive amounts of money, in return for minor steps forward, such as updating your personal financial file;
    ◦ #spearphishing / #smishing - an automated call or text message informing you of a breach of your bank account, or of a recent purchase in an online store that could have a login;
    ◦ #clonephishing - an almost identical or cloned email, using an attachment or link taken from a legitimate, previously delivered email;
    ◦ #whaling - impersonating important persons (that is why it is also called "the president's attack") and asking for information;
    ◦ #spoofing - someone pretending to be a person or company you know and trust;
    ◦ #bombing - sending massive amounts of messages to your address, for example confirmation emails for newsletters and subscriptions;
    ◦ #spamming - unsolicited messages.
  • Baiting: using a false promise to exploit a victim's greed or curiosity, in order to steal personal information or infect systems with malicious code. Physical media such as USB sticks, CDs and DVDs are widely used to spread malware.
  • Quid pro quo: giving information in return for gifts or favors; Tailgating: gaining access to an electronically restricted area by following an authorized person; Scareware: sending information about false alarms and fictitious threats.

KEEP YOURSELF INFORMED

READ A LITTLE: You don't have to subscribe to all the cyber publications, but make sure you don't miss the news in the spotlight, so stay informed.

DOUBLE CHECK: Do not believe in promises, even if they are apparently validated by trusted people in your inner circle.

DON'T CLICK, DON'T ACCEPT GIFTS: Learn how to recognize the baits, they are full of juicy illusions!

KEEP TRACK OF PERSONAL ACTIVITY: If another person signs into your online accounts, you are likely to get a message about it. Don't ever ignore it, as it can make the difference over whether you become a victim of a cyber criminal.

DON'T BELIEVE IN STRANGERS: Don't share any personal information about yourself with someone met in a chat on social networks. It may not be the person in the picture, even if it seems to be your soulmate, or a professional who understands and advises you.

Remember that beyond the enchanting image of the decorated Christmas tree, the mysterious Santa Claus is usually played by a great actor!
