Planning and Executing a Social Engineering Attack
What is Social Engineering?
Social engineering is the act of manipulating people so that they surrender confidential information.
The information these attackers seek varies, but when individuals are targeted they usually
try to trick you into giving them your passwords or bank information, or into letting them
access your computer to secretly install malicious software. That software then gives them
your passwords and bank information and also gives them control over your computer.
Social engineering tactics are used because it is usually easier to exploit your natural inclination
to trust than it is to find ways to break into your software. For example, it is much easier to trick
someone into giving you their password than it is to try to crack that password.
Impacts of Social Engineering:
Damage to reputation (company and/or person)
Loss of public trust
Loss of new or existing customers
Loss of company morale
Increased audit costs
Your enemy is a social engineer, an attacker who focuses on attacking people instead of
computers and uses psychological tricks and manipulation to succeed.
Profile of a social engineer
They take advantage of well-known characteristics of human decision-making, for instance:
- Respect for authority (by pretending to be an authority)
- Curiosity (by offering something intriguing)
- A feeling of urgency, often coupled with greed or fear
- Our willingness to help others
Ways to perform a Social Engineering Attack?
There are many ways to perform a social engineering attack. Some of them are described
below:
1. Phishing: Attackers use email, social media, instant messaging and SMS to trick
victims into providing sensitive information or visiting malicious URLs in an attempt to
compromise their systems.
2. Phone: An attacker can manipulate the victim into giving up confidential information,
such as passwords or credit card details, simply by calling him or her.
3. Watering hole: A "watering hole" attack consists of injecting malicious code into the
public web pages of a site that the targets habitually visit. This method of injection is
commonly used by cyber criminals and hackers. The attackers compromise websites
within a specific sector that are usually visited by specific individuals of interest for the
Once a victim visits a page on the compromised website, a backdoor trojan is installed
on his or her computer. The watering hole method is very common in cyber
espionage operations and state-sponsored attacks.
4. Pretexting: This is the practice of presenting oneself as someone else in order to obtain private
information. Usually, attackers create a fake identity and use it to manipulate the
recipient of their requests.
5. Dumpster Diving: Attackers can also search through trash to obtain information.
Protecting yourself against Social Engineering
1. Email:
Check the sender's email address by hovering your cursor over the sender's name
Check any embedded links by hovering your cursor over the link
Do not open suspicious attachments or links, and do not carry out anything the message asks you to do
Do not respond to suspicious emails
If in doubt, report the suspicious email to your Helpdesk
2. Phone:
Be suspicious of unsolicited calls seeking internal corporate or personal information
Do not provide sensitive information over the phone
Verify who is calling: name, organisational unit or name of the external company
Do not completely trust Caller ID, for calls or for text messages
If unsure, ask the caller to send their request by email and offer to call
back. This gives you time to look for the red flags in the email. Look up the
contact information yourself and call the employee or the external company
If in doubt, report it as a security incident to your Helpdesk
3. USB stick:
If you find a USB stick, treat it with the utmost suspicion
Do not connect it to your computer and do not run its contents
Report such a case as a security incident to your local Service Desk
4. Dumpster Diving:
Shred all papers by default when disposing of them; treat anything that does not
need shredding as an explicit exception
Shred CDs, DVDs and plastic cards (e.g., IDs, ATM cards, access cards) before
disposing of them
Securely destroy electronic data on hard drives, memory sticks or USB flash
drives when discarding them
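The email checks in the list above (look at the real sender address, hover over links to see where they really go, be wary of attachments) can be automated for a mailbox or a mail gateway. The following is an added example, not part of this handout: it uses Python's standard email library to parse a message and report the same red flags a reader would look for by hand. The sample message, every address and domain in it, and the list of risky file extensions are constructed for the example.

```python
"""Phishing red-flag checker (added example): automates the manual email checks
from the countermeasure list, namely sender address, embedded links and
attachments. The sample message and every address in it are constructed."""
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that should never arrive unsolicited (assumed list; extend as needed).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm", ".xlsm")
# Link text that itself looks like a URL or domain, e.g. "https://corp.example/reset".
HOST_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL or bare domain ('' if it has none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _domain(addr):
    """Domain part of an email address, lowercase ('' if malformed)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def find_red_flags(raw_message):
    """Return human-readable red flags found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Check 1: the displayed sender versus the real address (and Reply-To).
    display, from_addr = parseaddr(msg.get("From", ""))
    if "@" in display and _domain(display) != _domain(from_addr):
        flags.append(f"display name '{display}' hides real sender {from_addr}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # Check 2: links whose visible text names one host while the href
    # (what hovering reveals) points at another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            if HOST_LIKE.match(text) and _host(text) != _host(href):
                flags.append(f"link text '{text}' actually points to {_host(href)}")

    # Check 3: attachments with executable or macro-enabled file types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment '{name}'")
    return flags


def build_sample_message():
    """Construct a sample phishing-style message; all names and domains are invented."""
    m = EmailMessage()
    m["From"] = '"it-support@corp.example" <billing@mail-relay.example.net>'
    m["Reply-To"] = "verify@account-check.example.org"
    m["To"] = "employee@corp.example"
    m["Subject"] = "Urgent: your password expires today"
    m.set_content("Your password expires today. Reset it at https://corp.example/reset")
    m.add_alternative(
        '<p>Your password expires today. Reset it at '
        '<a href="http://login.account-check.example.org/reset">https://corp.example/reset</a></p>',
        subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="reset-tool.exe")
    return m.as_string()


if __name__ == "__main__":
    for flag in find_red_flags(build_sample_message()):
        print("RED FLAG:", flag)
```

Run stand-alone, the script reports four flags for the constructed message: a display name that is itself an address at a different domain from the real sender, a Reply-To that diverts answers elsewhere, a link whose text claims corp.example but whose href goes to another host, and an executable attachment. The link check is the programmatic form of "hover over the link": it compares what the reader sees with where the browser would actually go.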
The most common Social Engineering Attacks - Infosec