Diff: Social engineering
Comparing revision #1 (2023-08-14 14:47:52) with revision #2 (2026-06-22 13:11:07).
| Old | New |
|---|---|
Social engineering refers to the manipulation of individuals or groups to deceive, influence, or exploit them for unauthorized access to sensitive information, financial gain, or other malicious purposes. It is a psychological technique often used by cybercriminals, hackers, and fraudsters to exploit human behaviour and gain access to confidential data, systems, or resources. |
|
'''Social engineering''' is manipulation used to make a person reveal information, perform an action, grant access, send money, install software or trust an attacker. In cyber security, it is often used with phishing, impersonation, credential theft and fraud. |
|
== Techniques of Social Engineering == |
|
Social engineering techniques leverage psychological manipulation and human interactions to achieve their goals. Some common techniques include: |
|
The technique works because people are part of every security system. Attackers exploit trust, pressure, routine, fear, curiosity, authority or helpfulness rather than relying only on technical vulnerabilities. |
|
== Common Techniques == |
|
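Review bot: "The technique works because people are part of every security system" in the new lead refers to a category of techniques, not one technique, so "These techniques work because ..." would read correctly; it also sits before the new "Common Techniques" heading, so it belongs to the lead paragraph and should read as a continuation of the definition above it.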
=== Phishing === |
=== Phishing === |
Phishing involves sending deceptive emails, messages, or websites that appear legitimate to trick individuals into revealing sensitive information such as passwords, credit card details, or personal data. |
|
Phishing uses deceptive emails, text messages, websites or calls to trick a target into clicking a link, opening an attachment, entering credentials or approving a payment. |
|
=== Pretexting === |
=== Pretexting === |
Pretexting involves creating a fabricated scenario or pretext to manipulate individuals into divulging information or performing actions they wouldn't otherwise do. |
|
=== Baiting === |
|
Baiting involves enticing individuals with something appealing, such as a free download or an offer, to make them take a certain action that exposes them to risk. |
|
Pretexting uses a false story. An attacker might pretend to be from IT support, a delivery company, a bank, a supplier, a recruiter, a manager or a public authority. |
|
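Review bot: The new Pretexting text says what the false story is ("pretend to be from IT support, a delivery company, ...") but no longer says what it is for; the old version kept the purpose ("to manipulate individuals into divulging information or performing actions they wouldn't otherwise do"). Suggest restoring that clause, e.g. "Pretexting uses a false story to justify a request the target would otherwise refuse."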
=== Impersonation === |
=== Impersonation === |
Impersonation involves pretending to be someone else, such as a trusted colleague, to gain access to confidential information or resources. |
|
Impersonation involves pretending to be a trusted person or organisation. It can happen by email, phone, social media, messaging apps or in person. |
|
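Review bot: After this change the Impersonation and Pretexting sections describe the same behaviour (posing as IT support or a trusted organisation appears in both), so a reader cannot tell them apart. Suggest one sentence that separates them: pretexting supplies the story, impersonation supplies the false identity, and the two are usually used together.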
=== Baiting === |
|
Baiting offers something tempting, such as a free download, leaked file, fake invoice, voucher, game cheat or abandoned USB drive. |
|
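Review bot: The new Baiting text lists the lures ("free download, leaked file, fake invoice, voucher, game cheat or abandoned USB drive") but drops the old sentence's point that the bait makes the target "take a certain action that exposes them to risk". Suggest keeping that outcome, e.g. "... that the target opens, downloads or plugs in", so the section says where the harm comes from.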
=== Tailgating === |
=== Tailgating === |
Tailgating, also known as piggybacking, involves physically following someone into a secure area or facility without authorization. |
|
Tailgating, also called piggybacking, is physical access by following an authorised person into a controlled area. |
|
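Review bot: "is physical access by following an authorised person" reads awkwardly; "is gaining physical access by following an authorised person" keeps the new wording but makes it a complete definition.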
=== Quizzes and Surveys === |
|
Cybercriminals may use quizzes or surveys as a pretext to collect personal information that can later be used for malicious purposes. |
|
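Review bot: The "Quizzes and Surveys" section is removed with no replacement, and the point it made (quizzes and surveys are a pretext for collecting personal information for later use) is not covered elsewhere in revision #2; the later bullet on "Public information from social media and company websites" covers passive collection only. Suggest folding the sentence into that bullet or into the Pretexting section rather than dropping it.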
=== Business Email Compromise === |
|
Business email compromise targets payment processes. Attackers may impersonate executives, suppliers or solicitors to redirect invoices or push urgent transfers. |
|
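Review bot: The heading says "compromise" but the new text describes only impersonation of "executives, suppliers or solicitors", so it does not say what is compromised. Suggest one clause stating whether the attacker writes from a taken-over mailbox or from a lookalike address, since the two are detected and defended differently (the later "domain protection" bullet addresses only the second).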
== Impact and Consequences == |
|
Social engineering attacks can have serious consequences, including: |
|
== Why It Works == |
|
Social engineering often succeeds because the request feels normal at the time. Attackers may use: |
|
* Data Breaches: Attackers can gain unauthorized access to sensitive data, including personal, financial, and corporate information. |
|
* Financial Loss: Victims may suffer financial loss through unauthorized transactions, fraud, or identity theft. |
|
* Unauthorized Access: Cybercriminals can gain access to computer systems, networks, and accounts. |
|
* Reputation Damage: Organizations and individuals may suffer reputational damage due to data breaches or other malicious activities. |
|
* Urgency, such as a deadline or threat of account closure. |
|
* Authority, such as a manager or official body. |
|
* Familiar branding or copied email signatures. |
|
* Public information from social media and company websites. |
|
* A small first request that builds trust before a larger one. |
|
* Pressure to keep the request secret. |
|
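Review bot: The whole "Impact and Consequences" section (data breaches, financial loss, unauthorised access, reputational damage) is replaced by "Why It Works" and nothing in revision #2 now states what an attack costs. Suggest keeping a short consequences list, or folding the four outcomes into the lead sentence ("reveal information, perform an action, grant access, send money, install software ..."), so the page still answers "so what" before explaining the psychology.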
== Prevention and Mitigation == |
|
To protect against social engineering attacks, individuals and organizations can take various measures: |
|
== Prevention == |
|
Useful defences include: |
|
* Education and Awareness: Regular training and awareness programs can help individuals recognize and resist social engineering techniques. |
|
* Verification: Always verify the identity of individuals requesting sensitive information or access. |
|
* Strong Authentication: Use strong, unique passwords and enable multi-factor authentication for accounts and systems. |
|
* Secure Communication: Verify email senders, avoid clicking on suspicious links, and verify website URLs before entering sensitive information. |
|
* Privacy Settings: Set appropriate privacy settings on social media platforms and limit the information shared online. |
|
* Multi-factor authentication, preferably phishing-resistant where possible. |
|
* Clear payment verification processes. |
|
* Staff training that encourages reporting rather than blame. |
|
* Call-back procedures using trusted contact details. |
|
* Limits on public information that helps attackers build convincing stories. |
|
* Email filtering, domain protection and suspicious-link reporting. |
|
* Separation of duties for high-risk actions. |
|
Training works best when it reflects real workflows. People are more likely to report mistakes quickly if they believe the organisation wants early warning rather than punishment. |
|
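Review bot: "Multi-factor authentication, preferably phishing-resistant where possible" is hedged twice; "phishing-resistant where possible" is enough. The old "Strong Authentication" item's point about strong, unique passwords has no counterpart in the new list, and the old "Verification" and "Secure Communication" items survive only implicitly as "Call-back procedures" and "suspicious-link reporting"; suggest keeping the unique-passwords point as its own bullet so the list is not weaker than the one it replaces.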
== Practical Examples == |
|
=== Fake IT Support === |
|
An attacker phones an employee and claims to be from IT. They ask the employee to approve a login prompt or install a remote support tool. The technical attack depends on the social trick. |
|
=== Supplier Bank Change === |
|
A finance team receives an email claiming that a supplier has changed bank details. A safe process would verify the change through a known phone number or contact route, not through the details supplied in the email. |
|
=== Door Access === |
|
An attacker carrying boxes waits near a secure door and asks an employee to hold it open. The request feels polite, but it bypasses the access control system. |
|
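Review bot: The "Fake IT Support" example ("approve a login prompt or install a remote support tool") is exactly the case the "phishing-resistant" qualifier in the Prevention list is about, but the two are not connected. Suggest a closing sentence that says a prompt-based second factor can be talked out of a user over the phone, which is why the Prevention section prefers phishing-resistant methods; likewise the "Supplier Bank Change" example could name the "Call-back procedures" and "Clear payment verification processes" bullets it illustrates.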
== See Also == |
|
* [[Malware]] |
|
* [[Phishing]] |
|
* [[Scammer.info]] |
|
* [[Cybersecurity]] |
|
== References == |
|
* [https://www.npsa.gov.uk/resources/protective-security-guidance-social-engineering NPSA: Protective security guidance on social engineering] |
|
* [https://www.ncsc.gov.uk/guidance/phishing NCSC: Phishing attacks, defending your organisation] |
|
* [https://ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/learning-from-the-mistakes-of-others-a-retrospective-review/phishing/ ICO: Phishing] |
|
* [https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf CISA: Phishing guidance] |
|
[[Category:Cybersecurity]] |
|
[[Category:Fraud]] |