Social engineering is the art of manipulating people to divulge confidential information or perform actions that compromise security.

What is Social Engineering?

Social engineering exploits human nature and psychological vulnerabilities to gain access to systems, data or sensitive information.

Psychological Principles

Authority

  • Impersonation: Impersonate authority figures
  • Uniforms: Use official clothing or credentials
  • Titles: Use false professional titles

Urgency

  • Limited time: Create sense of urgency
  • Consequences: Threaten with problems
  • Unique opportunity: Make the victim believe it’s the only chance

Reciprocity

  • Favors: Do favors to obtain information
  • Gifts: Offer something in return
  • Help: Pretend to need help

Consistency

  • Commitments: Make victim commit
  • Values: Appeal to personal values
  • Identity: Appeal to the person’s self-image

Social Engineering Techniques

Phishing

Email Phishing

  • Malicious emails: Emails that look legitimate
  • False links: URLs that redirect to malicious sites
  • Attachments: Documents with malware

Spear Phishing

  • Targeted attacks: Focused on specific people
  • Personal information: Use of known data
  • Relevant context: Work-related information

Whaling

  • Executives: Attacks on senior executives
  • Sensitive information: Access to critical data
  • Authority: Use of authority position

Vishing (Voice Phishing)

Phone Calls

  • Impersonation: Impersonate technical support
  • Urgency: Create emergency situations
  • Authority: Simulate being from IT or security

Vishing Techniques

  • Caller ID spoofing: Fake phone number
  • Recordings: Use voice recordings
  • Scripts: Predefined scripts

Baiting

Physical Devices

  • Malicious USB: Pendrives with malware
  • CDs/DVDs: Media with malicious software
  • Lost devices: Leave a device that appears to have been lost

Baiting Techniques

  • Curiosity: Exploit natural curiosity
  • Strategic location: Place in visible locations
  • Legitimate appearance: Make them look official

Quid Pro Quo

Favor Exchange

  • Technical help: Offer help in exchange for information
  • Services: Promise free services
  • Information: Exchange information

Quid Pro Quo Techniques

  • Mutual benefit: Make the victim believe both sides benefit
  • Trust: Build trust relationship
  • Reciprocity: Exploit desire to return favors

Pretexting

False Scenarios

  • Investigations: Simulate official investigations
  • Audits: Pretend to be from audit
  • Technical support: Impersonate support

Pretexting Techniques

  • Prior research: Gather information about victim
  • Consistency: Keep story coherent
  • Credentials: Use false credentials

Attack Vectors

In-Person

  • Tailgating: Follow authorized persons
  • Shoulder surfing: Observe passwords
  • Dumpster diving: Search for information in trash

Digital

  • Social networks: Gather personal information
  • Phishing: Fake emails and sites
  • Malware: Malicious software

Telephone

  • Vishing: Malicious calls
  • SMS phishing (smishing): Text messages
  • WhatsApp: Messages in messaging apps

Protection Against Social Engineering

Awareness

  • Regular training: Continuous personnel education
  • Simulations: Controlled phishing tests
  • Real cases: Share attack examples

Policies and Procedures

  • Verification: Always verify identities
  • Processes: Establish verification processes
  • Escalation: Incident reporting channels

Technical Controls

  • Email filters: Block malicious emails
  • Antivirus: Protection against malware
  • Firewalls: Network traffic control

Attack Detection

Warning Signs

  • Urgent requests: Time pressure
  • Personal information: Questions about personal data
  • Suspicious links: URLs that don’t match
  • Attachments: Unexpected documents
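The warning signs above can be checked mechanically on an incoming message. The following is an added example written for this page, not code from the original: it flags urgency wording, a reply-to domain that differs from the sender’s, link text that names a different host than its href, and risky attachment extensions. The message dict layout, the keyword and extension lists and the sample message are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "final notice", "will be suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)  # link text that names a host

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):  # hostname of a URL, or of a bare domain as written in link text
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()

def phishing_indicators(msg):
    """Return the warning signs found in one message, given as a plain dict (no MIME parsing here)."""
    found = []
    text = (msg["subject"] + " " + msg["body_html"]).lower()
    if any(word in text for word in URGENCY_WORDS):
        found.append("urgent request / time pressure")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if msg.get("reply_to", msg["from"]).rsplit("@", 1)[-1].lower() != sender_domain:
        found.append("reply-to domain differs from sender domain")
    parser = LinkCollector()
    parser.feed(msg["body_html"])
    for href, visible in parser.links:
        # Compare only when the visible text itself looks like a URL or domain.
        if LOOKS_LIKE_URL.fullmatch(visible) and host_of(visible) != host_of(href):
            found.append(f"link shows {host_of(visible)} but goes to {host_of(href)}")
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            found.append(f"unexpected risky attachment {name}")
    return found

# Constructed sample message (not real mail) that shows all four warning signs.
SAMPLE = {"from": "it-helpdesk@example.com", "reply_to": "it-helpdesk@example-support.net",
          "subject": "URGENT: reset your password within 24 hours", "attachments": ["invoice.docm"],
          "body_html": '<p>Sign in at <a href="http://login.example-support.net/r">https://portal.example.com</a></p>'}
```

Calling `phishing_indicators(SAMPLE)` returns four findings; a message with matching domains, neutral wording and a PDF attachment returns an empty list.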

Verification

  • Direct contact: Call the person directly
  • Official channels: Use official communication channels
  • Cross-checking: Confirm with multiple sources

Incident Response

Immediate Steps

  1. Do not provide information: Do not give sensitive data
  2. Document: Record the incident
  3. Report: Notify security team
  4. Change credentials: If any may have been compromised

Investigation

  • Forensic analysis: Investigate the incident
  • Identification: Determine scope
  • Remediation: Implement controls

Testing Tools

Phishing Simulations

  • Gophish: Phishing platform
  • King Phisher: Phishing tool
  • LUCY: Awareness platform

Social Network Analysis

  • Maltego: OSINT tool
  • theHarvester: Information gathering
  • Recon-ng: Reconnaissance framework

Reference Frameworks

NIST SP 800-50

  • Building an Information Technology Security Awareness and Training Program
  • Components: Awareness, training, education
  • Metrics: Effectiveness measurement

ISO 27001

  • A.7.2.2: Information security awareness
  • A.8.2.2: Classified information management
  • A.13.2.1: Information transfer policies
