Las tácticas de ingeniería social que los hackers aún usan hoy

Why social engineering will still dominate in 2025: data, context, and risks for your organization

Attackers prefer to deceive people rather than break into systems. This reality explains why these methods remain so effective.

The average exceeds 800 attempts per year per organization, and 99% of successful cyberattacks include social engineering. He phishing It remains in the lead: more than 300,000 complaints and losses exceeding $3 billion according to the FBI.

The impacts aren't just financial. There are operational disruptions, regulatory penalties, and a loss of trust. Intellectual property theft can erode your competitive advantage and end up in illicit markets.

Understand that these threats exploit mental shortcuts and trust, not technical failures.
Translate data into actions: simulations, continuous monitoring, and out-of-band controls.
Measure risk with simple indicators: click rate, reports, and response time.
Prioritize strong authentication and separation of critical functions.

If you strengthen training, procedures, and technical controls, you will improve your position in cybersecurity and you will reduce the window of opportunity for each attacker.

Social engineering: how it works, why it exploits human psychology, and where it can affect you.

Methods that manipulate trust and emotion allow an attacker to bypass technical controls. The social engineering manipulates the people to reveal credentials, provide information, or perform actions that compromise systems.

The recurring techniques are phishing, pretexting and baiting. These scripts take advantage of psychological principles such as urgency, authority, and reciprocity.

A well-orchestrated attack mixes channels and stages: reconnaissance, creation of the pretext, delivery of the link or file, validation, and monetization.

You'll see why the points of contact can be multiple and simultaneous. through email, SMS, calls and video calls.
Roles such as CFO, help desk and payroll are priority targets due to their access.
The vectors can be internal or from third parties; the risk increases with connected providers and apps.

Document attempts (headers, numbers, screenshots) and adopt a practical mindset: reasonable doubt, independent verification, and minimal data exposure to social engineering attacks.

Warning signs: urgency, emotional manipulation, and false relationships of trust

Detecting signs of human fraud helps you stop many intrusions before they cause harm. Pay attention when a message creates urgency or it appeals to emotions such as fear, guilt, or curiosity.

Common patterns in emails, calls, and text messages

In emailsLook for senders with suspicious domains, formatting errors, and requests for confidential information. Be wary of buttons that push you to... click without showing the full URL.

When making calls, verify your identity, check the return number, and never share codes or passwords. When making text messages, be wary of messages about deliveries, fines, or urgent access.

Recognize the artificial urgency before acting.
Identify emotional appeals designed to get you to reveal information.
An attacker can mimic signatures, domains, and internal phrases to gain trust.
Respond safely: do not reply, do not download, verify through another channel and report.

Remember: clear policies of security help that people Be aware that no one will ask for MFA or passwords via email, SMS, or phone. Pause, validate, and document every suspicious attempt.

Email phishing: the most popular and profitable attack for attackers

A deceptive link in the mailbox can result in data loss and internal access. Phishing combines low friction and high scale: an attacker sends thousands of messages, measures responses, and optimizes campaigns for quick results.

Emails with malicious links and cloned websites: how they trick you into clicking

A well-crafted email uses lookalike domains, real logos, signatures, and a compelling call to action (CTA) that links to a cloned website. Before clicking, inspect the URL and manually type the address into your browser.

Recent cases and practical learning

Real-world example: MGM Resorts suffered a breach after a call to their help desk. Attackers used LinkedIn data to bypass security checks and gain access to internal systems.

Threat	Common vector	Recommended control	Immediate action
Phishing with link	Email with cloned website	Filters, external banners, DMARC	Inspect URL, isolate team
Malicious attachments	ZIP file, Excel file with macros	Quarantine and macro blocking	Do not open, notify the SOC
Telephone engineering	Calls to the help desk	Secondary channel verification	Change credentials, revoke sessions

In 2024 The FBI received over 300,000 phishing complaints and losses exceeding $1 billion. If you have any doubts, forward them to the security team: reporting early stops campaigns in minutes.

Business Email Compromise and CEO Fraud: When an email looks legitimate… but isn't

Emails that appear legitimate are behind multi-million dollar corporate scams. In 2024, the FBI estimated that BEC caused adjusted losses exceeding $4.4 billion.

This type of fraud differs from mass phishing because the message is targeted and adapted to your context. organizationThe objective is usually money, information, or access to critical systems.

Losses and how AI enhances deception

AI improves writing, tone, and timing. attacker It can mimic the written voice of an executive and request transfers or sensitive data.

Example: the Snapchat payroll leak

In 2016, employees handed over payroll information after receiving an email that appeared to be from CEO Evan Spiegel. Personal and financial data was exposed.

Detects minimal changes in addresses and atypical requests.
Control transfers with limits and dual-channel verification.
Segregate approval functions and records access and anomalies.
Scale to legal and banks if you identify exposure of confidential information.

Implement alert rules for payment requests and block suspicious senders. This reduces response time and mitigates damage to intellectual property and other assets.

Pretexting: convincing stories to steal data and access

A convincing and well-executed script can get someone in finance to authorize millions without suspicion.

Pretexting It's about creating a plausible story to request payments, access, or confidential informationThe goal is that people act without verifying.

From CFO to urgent payment: the $2.1 million case

In 2024, a US manufacturer lost $2.1M after receiving calls and emails from people pretending to be executives and legal advisors.

It was a coordinated sequence: calls that reinforced emails with instructions and time pressure.

FBI alerts to the health sector

The FBI reported scams involving people impersonating authorities. Victims received fake summonses and threats of arrest.

The demands requested transfers, cash by mail, or payments in cryptocurrencies.

Verify identity through official channels and demand verifiable documentation.
Strengthen approvals for urgent payments; don't skip steps under pressure.
Use checklists for any order of data or PII.
Train response: pause, validate, scale, and document each attempt.

Example	Vector	Psychological pressure	Recommended control
Fake CFO requests transfer	Calls + email	Urgency and authority	Official phone verification and double approval
Impersonation of medical authority	Email with threats	Fear of legal consequences	Confirmation on the official portal and report to the SOC
Fake legal advisor	Attached documents	Professional trust	Request a real contract and internal legal review

Smishing and vishing: social engineering through SMS and calls

SMS and call attacks take advantage of mobility and haste to convince you in seconds. They work outside of business hours and when you're away from corporate systems, which is why they're effective against people and support.

In July 2020, a vishing attack allowed attackers to obtain Twitter employee credentials and access 130 verified accounts. They posted tweets, raised over 100,000 bitcoin, and the stock fell 71% in premarket trading.

What to do and how to recognize them

Difference between smishing (SMS) and vishing (calls): the former uses links or codes to pressure; the latter uses pretexts to reset access.
Do not share MFA codes over the phone or via SMS; hang up and call the official number.
Configure SIM swap protection, blocklists, and reset logs to audit changes.

Practical policy: Support will never ask for passwords or codes over the phone or via text message. Train your help desk team and conduct controlled tests.

If you want to delve deeper into vishing and smishing tactics, check out this guide on vishing, smishing and phishing to improve your posture cybersecurity.

Clone phishing: when the “follow-up message” is the real attack

When you receive a "fixed" message, it's sometimes the entry point an attacker is looking for. clone phishing It replicates a legitimate email and replaces links or attachments with malicious versions.

The process is simple: they select a real email address, clone the format, change the links, and forward it as if it were an update. Replying confirms your address and provides useful metadata for future campaigns.

Why does it work? Because it leverages the trust already established by the original message. That's why you should verify any follow-up through an alternative channel before opening links or files.

Check for slight variations in URLs and "updated" attachments.
Do not reply from the same thread: contact the person by phone or official portal.
It establishes link rewriting, sandboxing, and banners that warn about external senders.

Risk	Indicator	Control
Credential theft	Lookalike link to a login website	Link inspection and blocking of suspicious domains
Malware installation	Attached is the "corrected" version with macros	Sandboxing and macro blocking
Objective confirmation	Response to the email that validates the address	Policy: Verify via secondary channel and report to the SOC

Adopt a culture of constant verificationBefore opening corrected versions of invoices, contracts, or access agreements, review a checklist and align suppliers to validate domains and delivery methods.

Voice and video deepfakes: the new frontier of real-time impersonation

Synthetic voices and videos are no longer just a theoretical risk. In 2020, a cloned voice allowed the authorization of a transfer of $35M, and in 2024, an energy company sent $25M after a real-time deepfake video call.

These incidents demonstrate how an attacker combines emails, calls, and fake validations to achieve their objectives. You need to understand how deepfakes are created and why they fool even experienced teams.

What you can do now:

It establishes verbal passwords and out-of-band verification for sensitive instructions.
Introduce delays and multiple approvals on high-value transfers.
Run impersonation simulations to prepare finance and leadership.

Risk	Sign	Control	Immediate action
Voice-authorized transfer	Unusual intonation or latency	Verbal password and double approval	Pause the transfer and verify by official phone number
Meeting with a false image	Lip desynchronization or irregular blinking	Detection tools + human verification	Record, isolate, and report to the legal and SOC team
Email confirmations	Messages that reinforce the request across various channels	"No transfer" policy without in-person or legal confirmation	Request a signed document and accounting review

Adopt a verifiable stance of distrustNo matter who appears to be giving the order, always verify through independent channels before transferring money or data.

Quid pro quo and callback phishing: “I’ll help you with support” in exchange for your system

Receiving a voicemail asking you to call back is now a common way to install remote tools. In 2024, callback phishing attacks increased: attackers leave messages impersonating IT and request that you call back to resolve a supposed problem.

The quid pro quo It works by offering help in exchange for access. They ask you to install software remote desktop access or running a file. Then they leverage that access to deploy ransomware either malware that encrypts data and paralyzes systems.

Fake voicemails and support impersonation

An actor impersonated Apple support and managed to steal credentials, answers to security questions, and payment data from celebrities and athletes.

Validate any ticket through the official portal before returning a call.
Do not install tools that are not on the whitelist approved by your team. security.
Use temporary session codes and log each remote attendance.

Vector	Sign	Risk	Control
IT Voicemail	Request a refund and urgency	Remote software installation and ransomware	Portal verification and double confirmation
Counterfeit support (recognized brand)	Request credentials and ask questions	Account theft and data access	Policy: Do not share credentials; file complaints through official channels.
Unauthorized remote connection	Session started without ticket	Lateral movement and exfiltration	Whitelists, logging, and post-session monitoring

Baiting: from "forgotten" USB drives to "free" software or multimedia downloads

A simple USB drive left in a room can be the trap that compromises your network. Baiting offers something attractive —software, gift cards, or downloads— to get you to connect a device or install a file.

Tests by the Department of Homeland Security showed that 60% of people who found USB drives connected them to their computers. If the USB drive had an official logo, that rate rose to 90%.

This explains why Attackers disguise malware as software players, codecs, or cracks. The goal is to execute code and steal system information or credentials.

Psychology: Curiosity and immediate reward often overcome caution.
Technical controls: Block USB ports, removable media policies, and automatic scanning.
Download evaluation: Verify origin, checksum, and digital signature before installing.
Practical answer: quarantine of external devices and endpoint controls that stop malware from entering the system on the first attempt.
Awareness: Internal campaigns and clear rules to avoid falling into one-off offers or quid pro quo.

Type of bait	Risk	Recommended control	Immediate action
USB found	Malware installation	Port blocking and scanning	Quarantine and analyze in a sandbox
"Free" software download	Malicious installer	Signature and checksum verification	Download only from the official provider
Gift card or prize	Phishing for credentials	Policy of not claiming prizes without confirmation	Report and record the attempt

Document and report every attempt to break malicious distribution chains. If in doubt, don't connect or run anything: verify through official channels and protect your systems.

Scareware: Fake malware alerts that install malware

The scareware It uses pop-up windows and alarmist messages to force you to react quickly.

A clear example It was "Antivirus XP," which charged users for a fake product. In 2019, Office Depot and Support.com agreed to pay $1,435 million after complaints about techniques that sold unnecessary services based on a fake "PC Health Check."

You will recognize this guy pop-up attacks that simulate immediate scans and detections through from the browser. Its goal is for you to download an installer or pay for a cleanup.

Close the window without downloading anything and do not call any numbers that appear in the ad.
Trust only legitimate solutions from security with verified licenses.
Implement domain blocklists and harden the browser against automatic downloads.
Use minimal privileges to prevent an installer from compromising the system.

Review endpoint telemetry to identify scareware campaigns and escalate them to IT before paying or installing. Educate the team to be wary of messages promising "magical" fixes or pressuring for immediate payments.

Risk	Sign	Action
Malware installation	Popup with urgent scan	Close, scan with legitimate antivirus
Data loss	Payment/Registration Request	Block domain and report to SOC
System commitment	Automatic patch download	Revoke permissions and restore from backup

Watering hole: compromising the sites that you and your sector visit most

A trustworthy website can become the trap that allows access to yours systems critical. Attackers choose industry-specific portals and inject code that identifies visitors and delivers malicious payloads.

In 2021, a contractor's website in Florida was used to profile visitors and ultimately install remote desktop software at a water treatment plant. The perpetrator attempted to manipulate chemical levels until an operator reversed the change.

You'll see why fingerprinting scripts are key: they gather information about the browser and the device to decide whether to launch a payload. That's why vendor hygiene is essential for your defense.

Isolate the browser and apply untrusted download blocking.
Segment the grid so that a committed team does not affect OT processes.
It requires suppliers to provide up-to-date patches and integrity reports for their sites.
Check telemetry to detect installations of access unauthorized remote access.

Risk	Indicator	Control
Third-site commitment	Traffic to unusual domains	Browser isolation and whitelisting
Remote access installation	RDP/remote connections from external IPs	Telemetry monitoring and port blocking
Data exfiltration	Unusual uploads to external domains	Segmentation, backups, and response plan

Practice cross-functional exercises between OT and IT, establish plans to sever communications, and maintain backups. This reduces the window of opportunity for these incidents. cyber threats and improvements protection of your data.

Tailgating and physical access: when opening a door means opening your network

A simple gesture at the entrance, like holding the door, is enough to expose the grid of your organization.

He tailgating or piggybacking allows an intruder to follow people authorized and obtain access to restricted areas. From busy hands to fake work clothes, the methods are simple and effective.

Understand why physical access remains a vector that circumvents logical controls.
Don't hold doors open out of habit; ask for identification and report it to security.
Implement turnstiles, cards, cameras and mandatory escorted registration.
Secure racks and server rooms with locks and opening sensors.
Check inventory of keys and cards; rotate credentials when staff or suppliers leave.

Sign	Control	Immediate action
Person without credentials in a secure area	Mandatory escort and turnstile	Verify identity and report to the team security
Unverified contractor	Visitor registration and escort	Suspend access until validation
Disturbance in server room	Locks, sensors and cameras	Isolate area and audit access to systems

Conduct tailgating simulations to measure awareness and improve your barriers. Integrate physical security and IT for a coordinated response to these incidents. threats.

Ransomware as a consequence of social engineering: from phishing to extortion

A stolen credential opens doors: the attacker uses legitimate access to move around the grid, deploy ransomware and encrypt critical data. In January 2025, a pharmaceutical distributor halted vaccine shipments after VPN credentials were compromised through phishing.

From stolen credentials to paralyzed operations

The flow is clear: initial phishing, remote access, and lateral movement until compromised. systems operations.

The result could be mass encryption, theft of intellectual property and supply chain disruption.

Layered protection and incident response

Protect with MFA in VPN, network segmentation, and EDR/XDR. Maintain verified backups and continuous patching processes.

Risk	Control	Immediate action
VPN access compromised	MFA + startup monitoring	Revoke sessions and reset credentials
Encrypted by ransomware	Offline backups and segmentation	Containment and restoration from backup
Data exfiltration	Data-at-rest encryption and DLP	Notify legal authorities and law enforcement

Prepare a plan of containment, eradication, and communication. Evaluate the payment decision with legal counsel and authorities. Conduct technical and tabletop simulations to reduce time and measure the effectiveness of your protection and cybersecurity.

Social engineering 2025: practical measures to reduce risk today

Protecting your company requires concrete measures that reduce the window of opportunity for anyone trying to deceive your team.

Authentication, passwords and managers

You will configure MFA in all critical accounts and you will strengthen policies of secure passwords with reliable managers.

It requires unique and complex passwords, locking after failed attempts, and rotation on accounts with access to sensitive data.

VPN, segmentation, and device protection

You will isolate communications with VPN and segmentation of the grid to limit lateral movement.

Keep devices up to date and with software security capable of stopping malware in real time.

Awareness, intelligence, and simulations

You will implement ongoing training with simulations of phishing, vishing and pretexting.

It integrates threat intelligence to update response controls and playbooks.

Advanced detection and response

Evaluates EDR/XDR with automatic response that can help to contain and eradicate incidents at machine speed.

Solutions like SentinelOne Singularity can help with automatic isolation and real-time protection backed by threat intelligence.

Define whitelists and minimum privileges in each system.
Document a response plan with roles and regular exercises.
Prioritize third-party audits and risk management.

Control	Benefit	Immediate action
MFA + managers	Reduces credential theft	Force MFA on critical accounts
VPN + segmentation	It limits lateral movement.	Segment networks and apply ACLs
EDR/XDR	Automatic detection and remediation	Evaluate solutions with insulation

Conclusion

Conclusion

The reality is that most incidents begin with a manipulated human interaction. You've read real-world cases—MGM, Snapchat, Twitter, and deepfakes—that show how a simple action can trigger losses and ransomware attacks.

You gain a clear understanding: these threats permeate processes, data, and information. You also receive practical guidance for identifying attacks and a map of tactics (phishing, BEC, pretexting, vishing, cloning, deepfakes, baiting, and more).

Prioritize controls: MFA, strong passwords and password managers, VPN and segmentation, ongoing training, and EDR/XDR. Translate this guide into a quarterly plan with assigned responsibilities and KPIs.

Cybersecurity starts with daily habits. Schedule simulations and reviews to stay one step ahead of social engineering attacks.