Social Engineering Practices
Social Engineering Defined
- Social engineering is the act of persuading victims into disclosing information or granting access to restricted areas by pretending to be someone else.
Examples of Social Engineering
- Posing as an employee from a company's ISP requesting access to the server/network room to replace equipment.
- Posing as a maintenance manager of a building requesting access to the server/network room to fix air conditioning units.
- Calling employees and posing as the helpdesk staff asking for remote access.
- Calling and posing as a bank employee asking for your confidential bank account information.
- Sending phishing emails pretending to be from a trusted source like friends, banks, or email providers.
Social Engineering Techniques
1. In-Person Social Engineering
- Eavesdropping - The social engineer attempts to listen in on a private conversation to gather information. Some social engineers use listening devices when eavesdropping.
- Shoulder Surfing - Shoulder surfing is the act of spying on a user while they input confidential information.
- Dumpster Diving - Dumpster Diving is the act of searching for private documents in an organization or individual’s trash.
- Piggybacking - Piggybacking is a social engineering technique in which the attacker requests a legitimate company employee to allow them to use their credentials to gain access to a restricted area.
- Tailgating - Tailgating is a social engineering technique in which the social engineer follows closely behind a legitimate user in order to enter an area without having the proper credentials themselves. Tailgating differs from piggybacking in that the attacker does not ask for the user's consent when tailgating, as they would with piggybacking.
- Impersonation - Impersonation is the most common form of social engineering. During an impersonation attack, the social engineer pretends to be someone else.
2. Phone/Mobile Social Engineering
- Vishing (Voice Phishing) - The process of scamming users over the phone into disclosing private information.
- Smishing (SMS Phishing) - Smishing is the act of trying to trick users into disclosing private information via text messaging.
3. Computer-based Social Engineering
- Pop-up Error Messages - Pop-up messages on a user's computer are a common technique for persuading users to call the social engineer and disclose personal information.
- Instant Messaging Scams - Some social engineers will attempt to extract information from users using instant messaging programs such as the Facebook messaging app, WhatsApp, Viber, and others.
- Phishing - The act of sending emails that appear to come from a trusted source in order to convince a user to disclose information.
The basic strategy of social engineering is to prey on weaknesses in human nature, such as trust, fear, politeness, and helpfulness. Social engineers have done their research and are experts in manipulation.