Social Engineering

  • Definition:

    • The process by which intruders gain access to facilities, network, systems, data, and even employees by exploiting the generally trusting nature of people.

    • The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Social Engineering Attack Types

  • Online

    • Phishing: Sending emails pretending to be from a reputable company in order to convince individuals to reveal personal information.

    • Vishing: Making phone calls or leaving voice messages purporting to be from reputable companies.

    • Whaling: A phishing attack that is specifically aimed at wealthy, powerful, or prominent individuals.

    • Spear Phishing: Sending emails ostensibly from a known or trusted sender in order to convince targeted individuals to reveal confidential information.

    • Spoofing

    • Pharming: Traffic redirected to a spoofed website.

  • Offline & Physical

    • Tailgating: Gaining entry to an electronically locked area by following someone through the door they just unlocked.

    • Impersonation

    • Dumpster Diving: The practice of foraging in garbage that has been put out on the street in dumpsters, garbage cans, et cetera, for discarded items that may still be valuable, useful, or used to commit fraud.

    • Shoulder Surfing: Watching someone "over their shoulder" when they enter sensitive data such as a password or credit card info.

Communications Spoofing

  • Hoax: Malicious actors issuing false warnings to alarm users.

  • Swatting: Fraudulent calls to the police.

  • Watering Hole Attack: A security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.

Social Engineering Principles

  • Reasons for Effectiveness:

    • Authority

    • Intimidation

    • Consensus / Social Proof

    • Scarcity

    • Familiarity / Liking

    • Trust

    • Urgency

    • Reciprocity

Preventing Social Engineering

  • User education.

  • "Trust, but verify."

  • "If you see something, say something."