Social Engineering
Social engineering exploits human psychology to manipulate people and gain unauthorized access to systems, data or physical locations.
What Is Social Engineering?
The art of manipulating people into revealing confidential information or performing actions that compromise security. It attacks the weakest link: the human.
Psychological Principles
Based on Robert Cialdini's 6 principles of influence:
1. Reciprocity
The tendency to return favors. The attacker offers something in order to ask for something later.
2. Commitment and Consistency
People tend to be consistent with prior commitments.
3. Social Proof
People follow the behavior of others. "Everyone does it".
4. Authority
The tendency to obey figures of authority.
5. Liking
We are more likely to say yes to people we like.
6. Scarcity
Urgency and fear of missing out on an opportunity.
Attack Techniques
Phishing
Fraudulent emails that appear legitimate.
- Spear Phishing: Targeted at specific individuals
- Whaling: Focused on executives (C-level)
- Clone Phishing: A legitimate email copied and modified
- BEC: Business Email Compromise
Vishing (Voice Phishing)
Phone-based attacks.
- Pretending to be from technical support
- Caller ID spoofing
- Urgency and emotional pressure
- Requesting confidential information
Smishing (SMS Phishing)
Phishing via SMS/text messages.
- Malicious links in SMS
- Fake bank notifications
- Fake prizes and offers
Pretexting
Creating an elaborate scenario (pretext) to obtain information.
- Assuming a false identity
- Building trust over time
- Using public information for credibility
Baiting
Offering something desirable in order to infect systems.
- USB drives "lost" in a parking lot
- Free downloads bundled with malware
- Prize offers
Quid Pro Quo
Exchanging a service for information.
- Pretending to be technical support offering help
- Requesting credentials to "fix a problem"
Tailgating/Piggybacking
Following an authorized person to enter a restricted area.
- Pretending to have forgotten a badge
- Carrying boxes so both hands are occupied
- Taking advantage of people's politeness
Phishing Red Flags
- Sender address does not match the organization
- Generic greetings ("Dear customer")
- Grammar and spelling errors
- Sense of urgency ("Immediate action required")
- Suspicious links (hover to see the real URL)
- Unexpected attachments
- Requests for confidential information
- Offers too good to be true
Attack Cycle
- Reconnaissance: Gathering information about the target
- Hook: Establishing initial contact
- Play: Executing the planned scenario
- Exit: Leaving without raising suspicion
OSINT for Social Engineering
Public information sources used by attackers:
- LinkedIn: Organizational structure, connections
- Facebook/Instagram: Personal life, hobbies
- Twitter: Opinions, interests
- Company Website: Structure, technologies used
- Job Postings: Technologies and tools
- Public Records: Addresses, phone numbers
Organizational Defenses
Security Awareness Training
- Regular training (quarterly)
- Phishing simulations
- Gamification for engagement
- Metrics: click rate, report rate
Technical Controls
- Email Security: SPF, DKIM, DMARC
- Anti-phishing: URL rewriting, sandbox
- MFA: Reduces the impact of stolen credentials
- Email banners: Alerts for external emails
Policies and Procedures
- Verification process for sensitive requests
- Clean desk policy
- Mandatory badge visibility
- Tailgating prohibition
- Visitor management procedure
Security Culture
- Encourage reporting of attempts
- Positive reinforcement, not punishment
- Leadership buy-in and example
- Security champions in every department
Phishing Simulations
Platforms
- KnowBe4: Leader in security awareness
- Cofense PhishMe: Realistic simulations
- Proofpoint: Security awareness training
- Gophish: Open-source phishing framework
Best Practices
- Start with easy simulations
- Increase difficulty gradually
- Immediate training for those who click
- Track progress over time
- Vary the types of attacks
Responding to Attempts
What to Do
- Do not click suspicious links or attachments
- Verify the sender through an alternative channel
- Report the email/attempt to the security team
- Do not provide confidential information
- Be wary of artificial urgency
If Compromised
- Notify the security team immediately
- Change passwords
- Monitor accounts for suspicious activity
- Do not hide the incident
Physical Security
Controls
- Badge access with logging
- Staffed reception desk
- Visible visitor badges
- Security cameras
- Man-trap entrances
- Secure document destruction
Famous Case Studies
Kevin Mitnick
A famous hacker who relied mainly on social engineering to gain access.
Target Breach (2013)
Started with spear phishing against an HVAC vendor, resulting in the theft of 40 million cards.
Ubiquiti Networks (2015)
A BEC attack resulted in a loss of $46.7 million through fraudulent wire transfers.
Social engineering remains the most effective attack vector because it exploits human nature. Technology alone cannot prevent these attacks. A combination of awareness training, security culture and technical controls is essential to defend organizations against manipulation. Remember: if it looks suspicious, it probably is.
