Social Engineering


The process by which intruders gain access to facilities, network, systems,
data and even employees by exploiting the generally trusting nature of

The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Reference: Chris Hadnagy, The Art of Human Hacking (Wiley, 2010)

Social Engineering Attack Types

  • Online
    • Phishing; Vishing; Whaling; Spear Phishing
    • Spoofing
  • Offline / Physical
    • Tailgating
    • Impersonation
    • Dumpster diving
    • Shoulder surfing
  • Either

Communications Spoofing / Fraud – Online

Phishing: sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.

Spear Phishing: sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

Whaling: a phishing attack that is specifically aimed at wealthy, powerful, or prominent individuals.

Vishing: making phone calls or leaving voice messages purporting to be from reputable companies.

Pharming: redirecting traffic to a spoofed web site, typically by tampering with DNS resolution or the victim's hosts file, so that even a correctly typed URL lands on the attacker's page.

Variants – SMiShing: phishing carried out over SMS text messages.

Hoax: malicious actors issuing false warnings (for example a fake virus alert) to alarm users into taking a harmful action.

Swatting: making fraudulent emergency calls to the police so that an armed response is sent to the victim's address.

Watering Hole Attack: A security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.
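Most of the online techniques above show up in mail headers and content as a small set of signals: a display name that carries a different address from the real sender, a Return-Path that does not match the From domain, a lookalike of a trusted domain (spoofing / spear phishing), and the pressure language that the "principles" section below describes. The following triage script is an added example, not part of the original post, and makes assumptions of its own: the trusted-domain list, the confusable-character table, the pressure cues and the three sample messages are all constructed for this illustration.

```python
"""Header and content triage for phishing-style mail (added illustration)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this hypothetical organisation treats as its own / trusted senders.
TRUSTED_DOMAINS = {"example.com", "bank.example"}

# Visual substitutions commonly used in lookalike (typosquat) domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}

# Authority / urgency / scarcity wording that social engineers lean on.
PRESSURE_CUES = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "wire transfer", "gift card")

# Constructed sample messages; none of these is real mail.
SAMPLES = {
    "legit": (
        "From: Payroll <payroll@example.com>\n"
        "Return-Path: <payroll@example.com>\n"
        "Subject: March payslip available\n\n"
        "Your payslip is now on the intranet.\n"
    ),
    "spear_phish": (
        'From: "ceo@example.com" <ceo.example.com@mail-examp1e.net>\n'
        "Return-Path: <bounce@mail-examp1e.net>\n"
        "Subject: Urgent: wire transfer before close of business\n\n"
        "I need you to handle a wire transfer immediately. Do not call, I am in a meeting.\n"
    ),
    "esp_newsletter": (
        "From: Example Bank <alerts@bank.example>\n"
        "Return-Path: <bounces@esp-mailer.net>\n"
        "Subject: Your monthly statement is ready\n\n"
        "Log in to view your statement.\n"
    ),
}


def normalise_domain(domain: str) -> str:
    """Undo the usual character swaps so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted/unrelated."""
    if domain in trusted:
        return None
    norm = normalise_domain(domain)
    for t in trusted:
        if norm == t:
            return t
        if t.split(".")[0] in norm:          # trusted name embedded in a foreign domain
            return t
        if SequenceMatcher(None, norm, t).ratio() >= 0.85:  # one or two characters off
            return t
    return None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Score one RFC 822 message; strong signals weigh 2, weak (often legitimate) ones weigh 1."""
    msg = message_from_string(raw_message)
    findings = []  # (weight, description)

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name spoofing: the visible name carries an address that is not the real sender.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append((2, f"display name shows {m.group(0)} but real sender domain is {from_domain}"))

    # 2. Envelope/header mismatch. Weak on its own: bulk mailers and lists do this legitimately.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = _domain(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append((1, f"Return-Path domain {rp_domain} differs from From domain {from_domain}"))

    # 3. Lookalike of a trusted domain.
    target = lookalike_of(from_domain, trusted)
    if target:
        findings.append((2, f"sender domain {from_domain} imitates trusted domain {target}"))

    # 4. Pressure language in subject and body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    cues = [c for c in PRESSURE_CUES if c in text]
    if cues:
        findings.append((1, "pressure cues: " + ", ".join(cues)))

    score = sum(w for w, _ in findings)
    return {"sender": from_addr, "findings": [d for _, d in findings],
            "score": score, "verdict": "review" if score >= 2 else "ok"}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse(raw))
```

The weighting is deliberate: a Return-Path mismatch or an urgent subject line alone is not worth a ticket (the constructed bank newsletter scores 1 and passes), but a display name that claims a different address, or a domain that only looks like a trusted one, is enough by itself. The lookalike check is a heuristic; tune the similarity threshold against your own mail before relying on it.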

Physical Social Engineering Attacks

Tailgating: gaining entry to an electronically locked area by following someone through the door they have just unlocked, without presenting a credential of your own.

Dumpster Diving: The practice of foraging in garbage that has been put out on the street in dumpsters, garbage cans, etc., for discarded items that may still be valuable, useful, or used to commit fraud.

Shoulder Surfing: watching someone “over their shoulder” when they enter sensitive data such as a password or credit card information.

Social Engineering – Principles

Reasons for effectiveness

  • Authority – ‘The CEO asked me to call you’
  • Familiarity / Liking – ‘You like people who like you’
  • Intimidation – ‘Uniformed officer’
  • Trust
  • Consensus / Social Proof – ‘Everyone else in the team has already done it’
  • Urgency – ‘Quick, the train is leaving’
  • Scarcity – ‘Only two tickets available’
  • Reciprocity – ‘If I give you something, you feel you have to give me something back’

Reference: Robert Cialdini, Influence: Science and Practice, 5th ed. (Pearson, 2009)

Social Engineering – Prevention

Continuous Education – Adversaries constantly invent new social engineering methods, so people must be trained regularly, with current examples, to recognise and avoid them.

“Trust, But Verify” – When a request arrives, verify it before acting. It may sound plausible, but always confirm it through a channel you already trust, not one supplied in the message itself.

“If you see something, say something” – When you suspect an email claiming to be from your bank, call the bank on the number printed on your card or statement and confirm it, and report the message so others are warned.
