Social Engineering

What is Social Engineering?

Social engineering is manipulating someone into divulging information or taking action. This is usually done by recreating normal interactions or situations and taking advantage of a potential victim's natural/social tendencies and/or emotional reactions. Attackers prey on the victim being nice or wanting to be helpful. They may also use worry or fear to get victims to react without thinking.

Common examples:

  • Baiting: Where a cybercriminal lays out some kind of bait for unsuspecting victims to take.
    • Leaving an infected USB drive labeled "Confidential" for a curious victim to plug into their computer.
    • A website offering free music or movie downloads which are infected with a virus. (See also Malware.)
  • Pretexting: A compelling story, ploy, or fabricated scenario in order to gain information or invoke action.
    • A text message from a friend needing help. Except you didn't know that your friend just had their phone stolen 5 minutes earlier.
    • An e-mail from a top-level administrator requesting action. But you don't know the e-mail has been spoofed (forged).
  • Quid Pro Quo: Offering something in exchange for something else.
    • An IT Tech requesting a password in order for services to be provided. Only the "IT Tech" is a bad guy impersonating one.
    • Logging into a share to gain access to an important file your co-worker sent you. But your co-worker's account was hacked, and a bad guy is now directing you to a fake share that captures the credentials you just entered.
  • Tailgating or piggybacking: Unauthorized individuals gaining access with the aid of your credentials.
    • You, being helpful, hold the door open for that nicely dressed young man struggling with all the party-related items in his hands. Trouble is there is no party, and the only thing nice about that young man is his clothes.
    • Reentering the building after a smoke break and allowing your fellow smoker to reenter with you. Only that smoker is not an employee and was never supposed to be in the building.
  • Scareware: Using worry or fear to trick the victim into believing something is true in order to get them to do something.
    • A pop-up message warns you that a virus has been found on your computer and you should call the number provided or download protection software from the provided link to fix it. Problem is everything is fake.
    • An e-mail informing you that they have compromising information about you or have access to one or more of your accounts and will remedy the situation if paid. Just to prove it's real, they provide you with some information (such as a previous password of yours). The bad guys hope your fear and worry will prompt you into action.
  • Watering hole: A fake look-alike website or a real website that has been compromised.
    • You receive a call from a company directing you to a website. The trouble is the caller, company, and website are all fake.
    • You receive an e-mail declaring you have won a prize and need to claim it on the website. (See also Baiting above.)
  • Phishing: Basically fake communications, usually from seemingly trusted companies, friends, or co-workers. What makes these particularly effective is they often come from real accounts that have been hijacked. (See also Pretexting above.)

Tips to avoid becoming a victim:

  • Get educated
    • SANS Security Awareness
      • ~31 videos (2-6 minutes per module)
      • Self-paced
      • Certificate awarded upon completion
      • CCSF employees can request this course via the Help Desk (helpdesk@ccsf.edu)
  • Slow down and think
  • Be wary
  • Ask questions
  • Follow established rules/protocols/procedures
  • Use Safe Computing Practices