by peter


Social Engineering Explained


Risk Rating: MEDIUM
Likelihood: 2/5
Impact: 3/5


  • Lack of Web Application firewall
  • Lack of monitoring
  • Poor coding

Social Engineering Overview

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

What you need to know about Social Engineering

The security company Norton has done a pretty good job of outlining some red flags that could be a sign of a social engineering attack. These apply across social and technological techniques, and are good to keep in the back of your mind as you try to stay on guard:

  • Someone you know sends an unusual message: Stealing or mimicking someone’s online identity and then mining their social circles is relatively easy for a determined attacker, so if you get a message from a friend, relative, or coworker that seems off, be very sure you’re really talking to them before you act on it. It’s possible that your granddaughter really is on a vacation she didn’t tell you about and needs money, or that your boss really does wants you to wire a six-figure sum to a new supplier in Belarus, but that’s something for you to triple-check before you hit send.
  • A stranger is making an offer that’s too good to be true: Again, we all laugh at the Nigerian prince emails, but many of us still fall for scams that trick us by telling us we’re about to get something we never expected and never asked for. Whether it’s an email telling you won a lottery you didn’t enter or a text from a weird number offering you a free gift card just for paying your phone bill on time, if it feels too good to be true, it probably is.
  • Your emotions are heightened and you have to act now: Social engineering scammers play on strong emotions—fear, greed, empathy—to inculcate a sense of urgency specifically so you don’t stop to think twice about scenarios like the ones we just outlined. A particularly pernicious technique in this realm is a tech support scam, which preys on people who are already nervous about hacks but not very tech savvy: you hear from an aggressive person who claims to be from Google or Microsoft, tells you that your system has been compromised, and demands that you change your passwords right away—tricking you into revealing your credentials to them in the process.

How social engineering attacks happens

The phrase “social engineering” encompasses a wide range of behaviours, and what they all have in common is that they exploit certain universal human qualities: greed, curiosity, politeness, deference to authority, and so on. While some classic examples of social engineering take place in the “real world” such as an attacker bluffing his way into an office building, much of our daily social interaction takes place online. You might not think of phishing, spearphishing or smishing as types of social engineering attacks, but both rely on tricking you—by pretending to be someone you trust or tempting you with something you want—into downloading malware onto your device.

Social engineering can represent a single step in a larger attack chain. A smishing text uses social dynamics to entice you with a free gift card, but once you tap the link and download malicious code, your attackers will be using their technical skills to gain control of your device, gaining your credentials and then exploiting that device.

Here are the 5 most common forms of Social Engineering

  1. Phishingas we noted above, which also includes text-based smishing and voice-based vishing These attacks are often low-effort but widely spread; for instance, a phisher might send out thousands of identical emails, hoping someone will be gullible enough to click on the attachment.
  2. Spear phishing,or whalingis a “high-touch” variation of phishing for high-value targets. Attackers spend time researching their victim, who’s usually a high-status person with a lot of money they can be separated from, in order to craft unique and personalised scam communications.
  3. Baiting is a key part of all forms of phishing and other scams as well—there’s always something to tempt the victim, whether a text with a promise of a free gift card or something much more lucrative or salacious.
  4. Pretexting involves creating a story, or pretext, to convince someone to give up valuable information or access to some system or account. A pretexter might manage to find some of your personally identifying information and use it to trick you—for instance, if they know what bank you use, they might call you up and claim to be a customer service rep who needs to know your account number to help with a late payment.
  5. Business email fraudscombine several of the above techniques. An attacker either gains control of a victim’s email address or manages to send emails that look like they’re from that address, then start sending emails to subordinates at work requesting the transfer of funds to accounts they control.

Attack Sources