Social Engineering

Social engineering exploits human psychology to manipulate people and gain unauthorized access to systems, data or physical locations.

What Is Social Engineering?

The art of manipulating people into revealing confidential information or performing actions that compromise security. It attacks the weakest link: the human.

Psychological Principles

Based on Robert Cialdini's 6 principles of influence:

1. Reciprocity

The tendency to return favors. The attacker offers something in order to ask for something later.

2. Commitment and Consistency

People tend to be consistent with prior commitments.

3. Social Proof

People follow the behavior of others. "Everyone does it".

4. Authority

The tendency to obey figures of authority.

5. Liking

We are more likely to say yes to people we like.

6. Scarcity

Urgency and fear of missing out on an opportunity.

Attack Techniques

Phishing

Fraudulent emails that appear legitimate.

  • Spear Phishing: Targeted at specific individuals
  • Whaling: Focused on executives (C-level)
  • Clone Phishing: A legitimate email copied and modified
  • BEC: Business Email Compromise

Vishing (Voice Phishing)

Phone-based attacks.

  • Pretending to be from technical support
  • Caller ID spoofing
  • Urgency and emotional pressure
  • Requesting confidential information

Smishing (SMS Phishing)

Phishing via SMS/text messages.

  • Malicious links in SMS
  • Fake bank notifications
  • Fake prizes and offers

Pretexting

Creating an elaborate scenario (pretext) to obtain information.

  • Assuming a false identity
  • Building trust over time
  • Using public information for credibility

Baiting

Offering something desirable in order to infect systems.

  • USB drives "lost" in a parking lot
  • Free downloads bundled with malware
  • Prize offers

Quid Pro Quo

Exchanging a service for information.

  • Pretending to be technical support offering help
  • Requesting credentials to "fix a problem"

Tailgating/Piggybacking

Following an authorized person to enter a restricted area.

  • Pretending to have forgotten a badge
  • Carrying boxes so both hands are occupied
  • Taking advantage of people's politeness

Phishing Red Flags

  • Sender address does not match the organization
  • Generic greetings ("Dear customer")
  • Grammar and spelling errors
  • Sense of urgency ("Immediate action required")
  • Suspicious links (hover to see the real URL)
  • Unexpected attachments
  • Requests for confidential information
  • Offers too good to be true

Attack Cycle

  1. Reconnaissance: Gathering information about the target
  2. Hook: Establishing initial contact
  3. Play: Executing the planned scenario
  4. Exit: Leaving without raising suspicion

OSINT for Social Engineering

Public information sources used by attackers:

  • LinkedIn: Organizational structure, connections
  • Facebook/Instagram: Personal life, hobbies
  • Twitter: Opinions, interests
  • Company Website: Structure, technologies used
  • Job Postings: Technologies and tools
  • Public Records: Addresses, phone numbers

Organizational Defenses

Security Awareness Training

  • Regular training (quarterly)
  • Phishing simulations
  • Gamification for engagement
  • Metrics: click rate, report rate

Technical Controls

  • Email Security: SPF, DKIM, DMARC
  • Anti-phishing: URL rewriting, sandbox
  • MFA: Reduces the impact of stolen credentials
  • Email banners: Alerts for external emails

Policies and Procedures

  • Verification process for sensitive requests
  • Clean desk policy
  • Mandatory badge visibility
  • Tailgating prohibition
  • Visitor management procedure

Security Culture

  • Encourage reporting of attempts
  • Positive reinforcement, not punishment
  • Leadership buy-in and example
  • Security champions in every department

Phishing Simulations

Platforms

  • KnowBe4: Leader in security awareness
  • Cofense PhishMe: Realistic simulations
  • Proofpoint: Security awareness training
  • Gophish: Open-source phishing framework

Best Practices

  • Start with easy simulations
  • Increase difficulty gradually
  • Immediate training for those who click
  • Track progress over time
  • Vary the types of attacks

Responding to Attempts

What to Do

  • Do not click suspicious links or attachments
  • Verify the sender through an alternative channel
  • Report the email/attempt to the security team
  • Do not provide confidential information
  • Be wary of artificial urgency

If Compromised

  • Notify the security team immediately
  • Change passwords
  • Monitor accounts for suspicious activity
  • Do not hide the incident

Physical Security

Controls

  • Badge access with logging
  • Staffed reception desk
  • Visible visitor badges
  • Security cameras
  • Man-trap entrances
  • Secure document destruction

Famous Case Studies

Kevin Mitnick

A famous hacker who relied mainly on social engineering to gain access.

Target Breach (2013)

Started with spear phishing against an HVAC vendor, resulting in the theft of 40 million cards.

Ubiquiti Networks (2015)

A BEC attack resulted in a loss of $46.7 million through fraudulent wire transfers.

Social engineering remains the most effective attack vector because it exploits human nature. Technology alone cannot prevent these attacks. A combination of awareness training, security culture and technical controls is essential to defend organizations against manipulation. Remember: if it looks suspicious, it probably is.