Social Engineering

What is Social Engineering?

Social engineering is manipulating someone into divulging information or taking an action. Attacks are usually staged to look like normal interactions or situations, taking advantage of a potential victim's natural social tendencies and emotional reactions. They prey on the victim's wish to be nice or helpful. They may also use worry or fear to make victims react without thinking.

  • Baiting: Where a cybercriminal lays out some kind of bait for unsuspecting victims to take.
    • Leaving an infected USB drive labeled Confidential for a curious victim to plug into their computer.
    • A website offering free music or movie downloads that are actually infected with malware. (See also Malware.)
  • Pretexting: A compelling story, ploy, or fabricated scenario used to gain information or provoke action.
    • A text message from a friend needing help. Except you don't know that your friend's phone was stolen 5 minutes earlier.
    • An e-mail from a top level administrator requesting action. But you don't know the e-mail has been spoofed (forged).
  • Quid Pro Quo: Offering something in exchange for something else.
    • An IT tech requesting your password so that services can be provided. Only the "IT tech" is a bad guy impersonating one.
    • Logging into a share to get an important file your co-worker sent you. But your co-worker's account was hacked, and a bad guy is now directing you to a fake share that captures the credentials you just entered.
  • Tailgating or piggybacking: Unauthorized individuals gaining entry on the strength of your credentials (for example, through a door your badge opened).
    • You, being helpful, hold the door open for that nicely dressed young man struggling with all the party-related items in his hands. Trouble is there is no party, and the only thing nice about that young man is his clothes.
    • Reentering the building after a smoke break and letting your fellow smoker reenter with you. Only the fellow smoker is not an employee and should not be reentering the building.
  • Scareware: Using worry or fear to trick the victim into believing something is true so that they will take the action the attacker wants.
    • A pop-up message warns you that a virus has been found on your computer, and you should call the number provided or download protection software from the provided link to fix it. Problem is everything is fake.
    • An e-mail informing you that the sender has compromising information about you or has access to one or more of your accounts, and will make the problem go away if paid. To "prove" it's real, they provide you with some information (such as one of your previous passwords). The bad guys hope your fear and worry will prompt you into action.
  • Watering hole: A fake look-alike website or a real website that has been compromised.
    • You receive a call from a company directing you to a website. The trouble is the caller, company and website are all fake.
    • You receive an e-mail declaring you have won a prize and must claim it on the website. (See also Baiting above.)
  • Honeytraps (romance scams): The bad actors set up fake accounts on social dating websites or apps to target their victims.
    • You find the love of your life, who wants you to show your love by providing gifts, cash or services.
    • The bad actors may pose as active military personnel (or other types) to avoid meeting in person.
  • Impersonation: The bad actor dresses up as a common vendor (e.g. delivery personnel, plumbers, electricians) or even a company employee to reduce suspicion and gain access to physical locations.
    • A person wearing a hard hat and safety vest and carrying a clipboard is not necessarily an authorized vendor.
    • Bad actors know most people never question the identity of others and tend to try to be helpful.
  • Phishing: Basically fake communications, usually appearing to come from trusted companies, friends, or co-workers. What makes these particularly effective is that they often come from real accounts that have been hijacked. (See also Pretexting above.)
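The spoofed administrator e-mail under Pretexting, the look-alike website under Watering hole and the hijacked-account messages under Phishing share some header-level tells that a recipient or a mail gateway can check before anyone acts on the message. The Python script below is an added example, not part of the original page: it parses a constructed sample message, compares the From domain against Return-Path and Reply-To, reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header, and flags domains that merely resemble a trusted one. The TRUSTED_DOMAINS set, the sample headers and the 0.85 similarity threshold are assumptions made for illustration.

```python
"""Header triage for a suspicious e-mail: sender-domain mismatches,
failed SPF/DKIM/DMARC verdicts, and look-alike domains.
Added illustration; the sample message and trusted domains are constructed."""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed sample: the display name claims to be the company director,
# but the envelope sender and Reply-To point at a look-alike domain
# ("exarnple" with r+n standing in for "m").
SAMPLE_EMAIL = """\
Return-Path: <bounce@exarnple-corp.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=exarnple-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
From: "Pat Director" <pat.director@example-corp.com>
Reply-To: pat.director@exarnple-corp.com
To: staff@example-corp.com
Subject: Urgent: wire transfer needed before 5pm

I need this handled quietly today. Reply with the account details.
"""

# Assumption: the organisation's own mail domains.
TRUSTED_DOMAINS = {"example-corp.com"}


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header or ""), flags=re.I)
    return {mech.lower(): verdict for mech, verdict in pairs}


def lookalike_of(domain, trusted):
    """Return the trusted domain this one resembles, or None if it is
    exactly trusted or clearly unrelated."""
    if domain in trusted:
        return None
    for candidate in trusted:
        if SequenceMatcher(None, domain, candidate).ratio() >= 0.85:
            return candidate
    return None


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no
    header-level red flags were found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. The visible From domain should match where bounces and replies go.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. Anything other than a pass from the receiving MTA's checks is a flag.
    for mech, verdict in auth_results(msg["Authentication-Results"]).items():
        if verdict.lower() != "pass":
            findings.append(f"{mech.upper()} result is {verdict!r}")

    # 3. Domains that are close to, but not equal to, a trusted domain.
    seen = {from_dom, domain_of(msg["Return-Path"]), domain_of(msg["Reply-To"])}
    for dom in sorted(seen):
        target = lookalike_of(dom, TRUSTED_DOMAINS)
        if target:
            findings.append(f"domain {dom!r} looks like trusted domain {target!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

A message sent from a genuinely hijacked account passes every one of these checks, which is exactly why the page's Phishing entry calls such messages particularly effective: header checks catch forgery and look-alikes, not a compromised sender, so an unusual request should still be confirmed through a second channel.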