Social Engineering
What Is Social Engineering?
Manipulating people into revealing information or performing actions that compromise security. Exploits human psychology, not technical vulnerabilities.
Core Principles Used
| Principle | How It’s Exploited |
|---|---|
| Authority | Impersonate executives, IT, law enforcement |
| Urgency | "Act now or your account will be closed" |
| Scarcity | "Limited time offer / access" |
| Social proof | "Everyone else has already done this" |
| Liking/Trust | Establish rapport before the ask |
| Reciprocity | Do a favor first, then ask for something |
| Intimidation | Threatening consequences |
Phishing Variants
| Attack | Description |
|---|---|
| Phishing | Mass deceptive emails to harvest credentials or install malware |
| Spear phishing | Targeted phishing using personal/organizational info |
| Whaling | Spear phishing targeting C-suite executives |
| Vishing | Voice phishing via phone call |
| Smishing | SMS-based phishing |
| Pharming | Redirects users from a legitimate site to a fake one (DNS poisoning) |
| Angler phishing | Fake social media customer service accounts |
Business Email Compromise (BEC)
Attacker impersonates a trusted figure (usually an exec) to trick employees into transferring money or sensitive data.
Common BEC scenarios:
- CEO fraud: "Wire $50K to this vendor immediately"
- Invoice fraud: Attacker intercepts/replaces invoice with their account
- Attorney impersonation: "Urgent legal matter — send funds"
- W-2 scam: "Send all employee W-2s for audit"
Enablers:
- Compromised email account (account takeover)
- Spoofed From address (SPF/DKIM not enforced)
- Domain lookalike (paypa1.com vs paypal.com)
Defenses:
- DMARC / DKIM / SPF enforcement
- Out-of-band verification for any wire transfer
- User awareness training
- Email banners for external senders
Pretexting
Creating a fabricated scenario (pretext) to extract information.
Examples:
- IT support calling to "fix your account" (needs password)
- Fake survey asking security questions
- Impersonating a vendor to get access credentials
Watering Hole Attack
Compromising a website frequently visited by the target group, then infecting visitors.
Process:
1. Profile target — what sites do they visit?
2. Compromise that site (inject malicious code)
3. Wait for target to visit → drive-by download
Used by: Nation-states targeting specific industries
Impersonation Techniques
| Technique | Description |
|---|---|
| Tailgating / Piggybacking | Physically following someone through a secured door |
| Identity spoofing | Claiming to be someone else (phone, email, in-person) |
| Dumpster diving | Recovering sensitive info from trash |
| Shoulder surfing | Watching someone enter a PIN or password |
| Eavesdropping | Listening to sensitive conversations |
Typosquatting / URL Manipulation
Techniques:
- Typosquatting: gooogle.com, paypa1.com
- Homograph attack: using Unicode characters that look like ASCII
- Subdomain tricks: paypal.com.attacker.com
- URL shorteners to hide destination
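As an added example (not part of the original notes), a small detector that classifies a hostname against a constructed list of protected brand domains, catching the three lookalike patterns listed above: subdomain tricks, homographs (non-ASCII or punycode labels) and one-character or confusable typosquats. The brand list, the `classify` function and its labels are assumptions for illustration.

```python
# Added example (not from the original notes): classify a hostname against a
# small constructed list of protected brand domains, flagging the lookalike
# patterns listed above (subdomain tricks, homographs, typosquats).

PROTECTED = {"paypal.com", "google.com"}  # constructed sample list

def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'paypal.com.attacker.com' -> 'attacker.com'.
    Simplified: production code should consult the Public Suffix List
    so that 'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one-character typosquats land at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(label: str) -> str:
    """Fold common ASCII confusables so 'paypa1' compares equal to 'paypal'."""
    return label.replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")

def classify(host: str) -> str:
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legitimate"
    # Homograph: non-ASCII characters, or a punycode (xn--) label once IDNA-encoded
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        return "homograph"
    # Subdomain trick: the brand domain is only a prefix of someone else's domain
    for brand in PROTECTED:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return "subdomain-trick"
    # Typosquat: same TLD, second-level label one edit away or confusable-equal
    reg_label, _, reg_tld = reg.partition(".")
    for brand in PROTECTED:
        b_label, _, b_tld = brand.partition(".")
        if reg_tld == b_tld and (edit_distance(reg_label, b_label) <= 1
                                 or skeleton(reg_label) == b_label):
            return "typosquat"
    return "unrelated"
```

Feeding inbound URL hostnames through `classify` and alerting on anything other than `legitimate` or `unrelated` is a cheap first-pass check for the lookalike patterns above; it is not a substitute for email authentication or URL inspection.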
Defenses Against Social Engineering
Technical:
- Email authentication (SPF / DKIM / DMARC)
- Web filtering / URL inspection
- MFA (reduces impact of credential theft)
- Spam / phishing filters
Administrative:
- Security awareness training
- Simulated phishing campaigns
- Clear procedures for fund transfers (require voice confirmation)
- Callback verification procedures
Physical:
- Mantrap / access control vestibules
- Visitor badges and escort policies
- Clean desk policy
- Shredding sensitive documents