Social Engineering 2
A social engineering attack requires some research before the attacker launches a deceptive scheme. This
reconnaissance phase involves gathering information about potential targets, their roles, habits, and
vulnerabilities, allowing attackers to craft convincing scenarios and exploit human weaknesses more effectively.
1) Impersonation: Attackers will often pose as a trusted individual, such as a customer service representative, in
2) Authority: They will often use their position of authority to convince victims to comply with their requests.
4) Flattery: Cybercriminals will often try to flatter their victims to gain their trust.
5) Scarcity: They will often create a sense of urgency by claiming that a product or service is in limited supply.
6) Social validation: Cybercriminals suggest that others have already completed the task successfully, so that the
target feels more comfortable undertaking it themselves.
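As an added example (not part of the original slides), the following Python heuristic looks for the persuasion cues listed above in a message and flags messages that stack several of them at once; the cue phrases and the two sample messages are constructed for illustration, not a production classifier.

```python
import re

# Constructed cue patterns, one group per persuasion principle named in the list above.
# Illustrative heuristics only; real mail filters use far richer features.
CUES = {
    "impersonation": [r"\b(?:customer (?:service|support)|help ?desk|it support)\b",
                      r"\bon behalf of\b"],
    "authority": [r"\b(?:ceo|cfo|director|manager|compliance|legal department)\b",
                  r"\bper (?:my|company) (?:instruction|policy)\b"],
    "flattery": [r"\b(?:valued|loyal|trusted|top[- ]performing)\b",
                 r"\bwe (?:really )?appreciate\b"],
    "scarcity": [r"\b(?:only \d+ (?:left|remaining)|limited (?:time|supply|offer))\b",
                 r"\b(?:within (?:the next )?\d+ (?:hours?|minutes?)|expires? today|act now|immediately)\b"],
    "social_validation": [r"\b(?:everyone(?: else)?|all (?:other )?(?:staff|employees|colleagues)) (?:has|have) already\b",
                          r"\bothers (?:have )?(?:already )?(?:completed|done|confirmed)\b"],
}


def find_cues(text):
    """Return {principle: [matched phrases]} for every cue group present in text."""
    hits = {}
    lowered = text.lower()
    for principle, patterns in CUES.items():
        matches = []
        for pat in patterns:
            matches.extend(m.group(0) for m in re.finditer(pat, lowered))
        if matches:
            hits[principle] = matches
    return hits


def score_message(text, threshold=2):
    """Count distinct principles triggered and flag the message when several combine.
    One cue on its own is common in legitimate mail; stacking several in a short
    message is what makes a pretext suspicious."""
    hits = find_cues(text)
    return {"principles": sorted(hits), "count": len(hits),
            "flag": len(hits) >= threshold, "hits": hits}


# Constructed sample messages for demonstration.
SAMPLES = {
    "pretext": ("Hi, this is IT support on behalf of the CFO. You're one of our most trusted "
                "staff, and everyone else has already confirmed their password. Please reply "
                "within the next 2 hours or your account expires today."),
    "benign": "Reminder: the team lunch is on Friday at noon. Reply if you have dietary needs.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_message(msg))
```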
Social Engineering Life Cycle
A social engineering attack requires preparation, and cyber criminals often need to conduct some research
before launching their deceptive schemes. This reconnaissance phase involves gathering information about
potential targets, their roles, habits, and vulnerabilities, allowing attackers to craft convincing scenarios and
manipulate human flaws more effectively.
Identify the target(s): Attackers carefully select their targets based on their roles within an organization or the
potential value of the information they possess (e.g. access to internal servers or databases).
Gather information: Cyber criminals collect relevant information about their targets (e.g. email addresses,
office location) from publicly available sources like social media profiles (e.g. LinkedIn, Facebook), company
websites, and online directories.
Craft a convincing scenario: Attackers construct a believable pretext or scenario tailored to rank-and-file team
members or leaders. This could involve impersonating a trusted colleague, superior, client or investor.
Launch attack: Attackers initiate contact with the target(s) through various communication channels, most
commonly email; unsolicited phone calls or social media messages are also used.
Social engineering attack
Social engineering attacks can take many different forms and can be carried out anywhere there is human
interaction. The five most popular types of social engineering attacks are as follows.
Baiting
o As its name implies, baiting attacks use a false promise to exploit greed or curiosity. They lure
users into a trap that steals their personal information or infects their systems with malware.
o Baiting generally uses physical media to spread malware. For example, attackers leave the bait,
typically malware-infected drives, in conspicuous areas of the company where potential victims are
certain to see them (e.g., elevators, the parking lot of a targeted company).
o The bait has an authentic look to it, such as a label presenting it as the payroll list.
o Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in
automatic malware installation on the system.
o Baiting scams do not necessarily have to be carried out in the physical world. Online forms of baiting
consist of enticing ads that lead to malicious sites or that encourage users to download a malware-
infected application.
Scareware
o Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived
into thinking their system is infected with malware, prompting them to install software that has no real
benefit or is malware itself. Scareware is also referred to as deception software or rogue scanner software.
o A common scareware example is the legitimate-looking popup banner that appears in your browser while
surfing the web, displaying text such as "Your computer may be infected with harmful spyware
programs." It either offers to install the tool (often malware-infected) for you, or directs you to a
malicious site where your computer becomes infected.
o Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to
buy worthless or harmful services.
Pretexting
o The attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by an
attacker pretending to need sensitive information from a victim in order to perform a critical task.
o The attacker usually starts by establishing trust with the victim by impersonating co-workers, police,
bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions
that are ostensibly required to confirm the victim's identity, and through them gathers important
personal data.
o All sorts of relevant information and records are gathered using this scam, such as social security numbers,
personal addresses and phone numbers, phone records, staff vacation dates, bank records and even
security information related to a physical plant.
Quid Pro Quo
o Here, the attacker offers the victim something in exchange for personal information or
access to a system. For example, an attacker may pose as an IT support representative and
offer to fix the victim's computer in exchange for remote access to the system. Once
the attacker has access to the system, they can install malware or steal sensitive
information.
Watering Hole
o The attacker compromises a website that the victim frequents. The attacker can then infect the
victim's computer with malware or steal sensitive information when the victim visits the website.
Dumpster Diving
o Dumpster diving is a type of social engineering attack where the attacker rummages through
trash bins or dumpsters to find sensitive information that has been discarded. This
information can be used to access systems or commit other crimes.
Honey trap
o In this attack, the social engineer pretends to be an attractive person in order to interact with a
target online, fake an online relationship, and gather sensitive information through that
relationship.
Shoulder Surfing
o A security attack where the attacker observes a victim entering their password or PIN into a
computer or ATM. The attacker can then use this information to access the victim's
accounts or commit other crimes.
Tailgating
o Tailgating is a type of social engineering attack where the attacker follows a victim into a
secure area, such as an office building or parking area. The attacker can then gain access to
accounts or commit other crimes.