Social engineering: understand the technique that poses a high risk to digital security

When it comes to cyberattacks, there is a lot of talk about code and algorithms. But one technique has been gaining attention precisely because it requires no programming, only human contact: social engineering.
It is a method of psychological manipulation widely used to make people reveal confidential information, take harmful actions, or grant access to systems.
Criminals have used the technique to carry out scams that bypass even the most advanced security technologies. The threat grows as people expose more personal information online and on social media.
If you'd like to stay informed and gain insight into this and other types of fraud that can occur digitally, sign up for the "In the Crosshairs of Scams" course . Taught by Chief of Police Emmanoel David, it's a Gazeta do Povo initiative.
How do criminals engage in social engineering?
According to police chief Emmanoel David, head of the Curitiba Fraud Division and a specialist in criminal law, criminal procedure and criminology, the success of social engineering scams lies in exploiting predictable human emotions and reactions, since humans are the weakest link in digital security. "Instead of the criminal directly attacking the machine, as in a brute force attack or attempted hacking, they exploit human behavior. It's almost psychological torture, based on a person's trust, fear of certain circumstances, or, in some cases, the exploitation of empathy," he explains.
According to the police chief, digital social engineering is very effective because it is not fictitious: it uses the victim's real data. "It's effective because it exploits human emotions and because criminals have this information at their fingertips."
Criminals, especially scammers who operate in person, are extremely skilled. "They use clickbait, guerrilla marketing techniques, and pay for Google Ads. They capture the victim's attention as if it were an advertising campaign," he said.
"Criminals manipulate using trust, fear, urgency, and empathy. This is the case with the winning ticket scam, for example. Criminals know how to access the person's psyche: they see a supposed advantage, but in reality, they want to help the scammer. Today, more than 90% of online crimes use social engineering. It's much easier to launch a phishing scam and trick the victim into opening the system's backdoor than it is for the criminal to hack into that system alone," he adds.
The police chief is referring to phishing, a type of social engineering attack carried out via email or social media in which offenders attempt to trick individuals into divulging sensitive personal information, such as passwords, credit card numbers or bank details, by posing as a trustworthy entity.
In addition to phishing , Emmanoel cites other social engineering scams, such as:
"When someone calls you pretending to be a bank, that is vishing, a form of voice-based scam. Smishing, on the other hand, is done via text message (SMS). There are also scams carried out in person," he explains.
What are the most common social engineering scams?
The police chief listed some of the main types of social engineering scams in frequent use. Check them out:
Cloned WhatsApp scam
The criminal, posing as an employee of the carrier or of WhatsApp itself, obtains the verification code and accesses the victim's account. From there, they impersonate the victim and begin asking friends and family for money with plausible excuses, such as having exceeded their limit.
Phishing
As mentioned above, this is carried out via email or SMS: the scammer sends fake messages purporting to be from banks, the Federal Revenue Service, the National Institute of Social Security (INSS), or well-known stores, containing links that direct to fake websites. In this case, social engineering appeals to feelings of fear and urgency, with phrases like "Last chance to regularize your CPF" or "Suspicious activity in your account."
Fake call center
The criminal calls the victim posing as a bank employee and claims there have been hacking attempts or strange transactions in the account. From there, they convince the victim to provide passwords, tokens, or even transfer funds to supposedly secure accounts that actually belong to the scammers themselves.
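The phishing indicators described in the list above (a sender that is not who it claims to be, a link to a fake site, pressure phrases such as "Last chance to regularize your CPF") can be checked mechanically before a message reaches a person. The script below is an added example written for this article; it is not code from Gazeta do Povo or from the police. The trusted domain list, the phrase list and the two sample messages are constructed for illustration, and a real deployment would load its own lists from configuration.

```python
"""Heuristic phishing-indicator check for incoming messages.

Added example for this article (not the newspaper's or the police's code).
TRUSTED_DOMAINS, URGENCY_PHRASES and the SAMPLE_* messages are constructed
for illustration only.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation accepts as genuine senders and links.
TRUSTED_DOMAINS = {"bancoexemplo.com.br", "inss.gov.br"}

# Constructed list of pressure phrases of the kind quoted in the article.
URGENCY_PHRASES = (
    "last chance",
    "suspicious activity",
    "regularize your cpf",
    "your account will be blocked",
    "act now",
    "immediately",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> list:
    """Return every http(s) URL in the body, with trailing punctuation removed."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True when host is a trusted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host: str) -> bool:
    """True when host borrows a trusted brand name but is not the trusted domain,
    e.g. 'inss-beneficios.xyz' imitating 'inss.gov.br'."""
    if is_trusted(host):
        return False
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return any(brand in host for brand in brands)


def score_message(sender: str, body: str) -> list:
    """Return the indicators found in one message; an empty list means none."""
    reasons = []
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not is_trusted(sender_host):
        reasons.append(f"sender domain not trusted: {sender_host}")
    lowered = body.lower()
    reasons += [f"urgency phrase: {p}" for p in URGENCY_PHRASES if p in lowered]
    for url in extract_urls(body):
        host = host_of(url)
        if urlparse(url).scheme.lower() != "https":
            reasons.append(f"link without https: {url}")
        if is_lookalike(host):
            reasons.append(f"lookalike domain: {host}")
        elif not is_trusted(host):
            reasons.append(f"link to untrusted domain: {host}")
    return reasons


def classify(sender: str, body: str) -> str:
    """'suspicious' with two or more indicators, 'review' with one, 'clean' with none."""
    n = len(score_message(sender, body))
    return "suspicious" if n >= 2 else ("review" if n == 1 else "clean")


# Constructed sample messages (not real cases): one phishing attempt, one routine notice.
SAMPLE_PHISHING = (
    "alerta@inss-beneficios.xyz",
    "Last chance to regularize your CPF! Suspicious activity in your account. "
    "Confirm your data at http://inss-beneficios.xyz/login today.",
)
SAMPLE_LEGIT = (
    "atendimento@bancoexemplo.com.br",
    "Your monthly statement is available at https://app.bancoexemplo.com.br/statements.",
)

if __name__ == "__main__":
    for sender, body in (SAMPLE_PHISHING, SAMPLE_LEGIT):
        print(classify(sender, body), score_message(sender, body))
```

Run as a script, it prints "suspicious" with six indicators for the constructed phishing message (untrusted sender, three pressure phrases, a plain-http link and a lookalike domain) and "clean" for the routine notice. The allow-list approach matters more than the phrase list: an attacker can drop the urgency wording, but cannot make a lookalike host match the organisation's own domains.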
What does Brazilian law guarantee regarding digital fraud?
David explains that social engineering in information security is considered a crime when used to commit scams.
Depending on how it is practiced, it can be classified under different criminal types provided for in Brazilian legislation, such as fraud , provided for in article 171 of the Penal Code, which is characterized by obtaining an illicit advantage to the detriment of others, through artifice, trickery or any other fraudulent means.
It can also be characterized as invasion of a computer device , provided for in article 154-A of the Penal Code, which deals with the invasion of computers, cell phones and other devices with the aim of obtaining, tampering with or destroying data without the owner's authorization.
It can also be classified as ideological falsehood , when the criminal inserts or alters false information in documents with the intention of harming or obtaining an advantage; or documentary forgery, which concerns the use or production of false documents for illicit purposes.
"In addition to these crimes, sanctions provided for in the Internet Civil Rights Framework, which regulates internet use in Brazil, and the General Data Protection Law (LGPD) may also be applied, especially in cases involving the misuse of victims' personal information," he emphasizes.
How to protect yourself from social engineering attacks?
David states that social engineering is one of the biggest threats to cybersecurity today. "Today, technology is quite advanced; we have firewalls, antivirus software, and robust encryption to protect transactions. For example, a WhatsApp conversation between a mother and son is very secure because of encryption, but the weakest link in this system is the human being." Therefore, it's important to protect yourself!
Thus, he lists a series of measures to avoid scams. "Be wary of situations that require urgency. Don't click on suspicious links and never provide personal information without confirming the other party's identity. Ask yourself: is this really your bank manager? Hang up, breathe, and break the sense of urgency. Call the bank directly or access it through the official channel. Check the URL: does the site have a genuine 'https'?", he recommends.
The expert also emphasizes the need for people to strengthen their digital presence. "Don't overexpose your life online. Use two-factor authentication whenever possible. This helps prevent criminals from gaining access even if they have your password."
However, it's not just the user's job to protect themselves. Organizations need to train their employees to recognize manipulation attempts. "It's essential to implement information security policies and encourage awareness within the company, which should promote periodic awareness and prevention training against social engineering scams. Phishing simulations should also be conducted so employees learn to identify these threats. It's also important to conduct security tests, such as pentests, to assess system vulnerabilities."
Furthermore, companies must create strong identity verification protocols for communications. "People who make external contacts must follow clear rules on how to prove their identity. Access to sensitive data must be limited," he concludes.
gazetadopovo