The Art of Manipulation: Understanding Social Engineering Techniques and Tactics
Author: Gary Huynh (@huynhthienthach)
What is Social Engineering?
Social engineering is a type of cyber attack that exploits human psychology to manipulate individuals or organizations into divulging sensitive information, performing actions that are harmful to themselves or the organization, or granting unauthorized access to systems or networks. Social engineering attacks are often more successful than technical attacks, as they exploit human weaknesses rather than technical vulnerabilities.
There is evidence to support the claim that social engineering attacks are often more successful than technical attacks because they exploit human weaknesses. For example, a report by Verizon found that "social engineering attacks continue to be the most common technique employed by cybercriminals, as it exploits the weakest link in the security chain, which is the human" (Verizon, 2020). Additionally, a study by KnowBe4 found that "social engineering continues to be the most effective way to gain unauthorized access to sensitive information" (KnowBe4, 2021). These findings support the view that social engineering attacks succeed by exploiting human weaknesses rather than technical vulnerabilities.
This essay explores the concept of social engineering and examines different types of social engineering attacks, including phishing, pretexting, baiting, dumpster diving, and shoulder surfing.
What is Phishing? (not fishing!!!!)
Phishing is a type of social engineering attack that involves sending fraudulent emails or messages that appear to be from a legitimate source. The goal of these attacks is to trick people into revealing sensitive information, such as usernames, passwords, or credit card numbers. Phishing is often done by impersonating a trustworthy source, such as a bank or a social media platform. Phishing attacks can be targeted at individuals or organizations and can be done using a variety of techniques, such as spear phishing, whaling, and voice phishing (James, 2005).
Real-life examples of phishing
In 2016, scammers conducted a phishing attack against Snapchat, the popular social media platform. The attackers sent emails to employees of Snapchat, posing as the company's CEO and requesting employee payroll information. The emails were designed to look like they came from Snapchat's HR department, with a spoofed email address and logo. Unfortunately, some employees fell for the scam and provided the requested information. As a result, the scammers were able to obtain sensitive employee data, including Social Security numbers and other personal information. The incident highlighted the importance of education and awareness regarding phishing attacks, as well as the need for effective security measures to prevent such attacks from succeeding (CNN, 2016).
What is Pretexting?
Pretexting is another type of social engineering attack that involves creating a false pretext in order to gain access to sensitive information or resources. This type of attack often involves impersonating someone in a position of authority, such as a police officer or a bank representative. Pretexting attacks can be done through email, phone calls, or in-person interactions (Long, 2011).
Real-life examples of pretexting
In 2017, hackers impersonated representatives from the Securities and Exchange Commission (SEC) and used this pretext to trick company officials into providing sensitive information about their businesses. The attackers created a fake email address that resembled an official SEC address and sent emails to several companies, requesting information about their businesses. The emails included a link to a fake website that looked like the SEC's official website. The attackers were able to convince some company officials to provide sensitive information, such as financial data and details about upcoming business deals. The incident highlighted the danger of pretexting attacks and the need for individuals and organizations to be vigilant in verifying the identity of those requesting sensitive information (Trend Micro, 2018).
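Both the Snapchat and SEC incidents above turned on a sender address that merely resembled the real organisation's domain, plus a link to a look-alike site. The following is an added example, not code from the original essay, showing how a mail gateway or a SOC triage script can flag those two signals automatically. It assumes a small allowlist of trusted domains (constructed here as snapchat.com and sec.gov) and runs over two constructed raw messages: a spoofed payroll request and a legitimate helpdesk notice.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the domains this organisation actually trusts.
TRUSTED_DOMAINS = {"snapchat.com", "sec.gov"}

# Constructed spoofed message modelled on the payroll-request lure described above.
SPOOFED_PAYROLL_REQUEST = """\
From: "Snapchat HR" <payroll@snapchat-hr.com>
Reply-To: ceo-office@mail-drop.example
To: finance@snapchat.com
Subject: Urgent: payroll records needed today

Please upload the W-2 export at http://snapchat-hr.com/login before 5pm.
"""

# Constructed legitimate message for comparison.
LEGITIMATE_NOTICE = """\
From: "IT Helpdesk" <helpdesk@snapchat.com>
To: finance@snapchat.com
Subject: Scheduled password reset

Reset your password at https://snapchat.com/reset when convenient.
"""


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typical typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude last-two-labels approximation of the registrable domain (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def name_part(domain):
    """Everything before the top-level label, e.g. 'sec-gov' from 'sec-gov.com'."""
    return domain.rsplit(".", 1)[0]


def norm(s):
    """Strip punctuation so 'sec-gov.com' and 'sec.gov' can be compared as 'secgov…'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    mine = {norm(domain), norm(name_part(domain))}
    for trusted in sorted(TRUSTED_DOMAINS):
        for cand in {norm(trusted), norm(name_part(trusted))}:
            if len(cand) < 4:  # very short brands produce too many false matches
                continue
            if cand in norm(name_part(domain)) or any(edit_distance(cand, m) <= 1 for m in mine):
                return trusted
    return None


def analyse_message(raw):
    """Return human-readable findings for one raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append("sender domain %r looks like trusted %r" % (from_domain, imitated))

    # Display name invokes a trusted brand while the address is not from that brand's domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = name_part(trusted)
        if len(brand) >= 4 and brand in display.lower() and from_domain != trusted:
            findings.append("display name %r claims %r but address is %r" % (display, brand, addr))

    # Replies silently redirected to a third domain are a classic pretexting tell.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.split("@")[-1]) != from_domain:
        findings.append("Reply-To domain differs from From domain: %r" % reply)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        target = lookalike_of(registered_domain(host))
        if target:
            findings.append("link host %r looks like trusted %r" % (host, target))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_PAYROLL_REQUEST), ("legitimate", LEGITIMATE_NOTICE)):
        print(label, analyse_message(raw) or ["no findings"])
```

The heuristics are deliberately simple: a brand name embedded in an unrelated domain, a domain within one edit of a trusted one, a display name borrowing a trusted brand, and a Reply-To pointing elsewhere. None of them replaces SPF, DKIM and DMARC, but together they catch exactly the look-alike address and fake-site pattern the two incidents share, and the Reply-To check is what surfaces a payroll request that really goes to an outside mailbox.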
What is Baiting?
Baiting is a type of social engineering attack that involves leaving a tempting item in a public place in order to entice someone into picking it up and using it. The item may be a USB drive or a CD containing malicious software that can compromise a computer system or network (Long, 2011).
Real-life examples of baiting
In 2006, a group of attackers carried out a baiting attack against a U.S. government agency. The attackers left CDs infected with malware in the parking lot of the agency's building, with labels that appeared to be related to the agency's work. Some employees who found the CDs in the parking lot picked them up and inserted them into their computers, unknowingly installing the malware. The attackers were then able to use the malware to gain access to the agency's network and steal sensitive information. This incident highlighted the danger of baiting attacks and the need for individuals and organizations to be cautious when encountering unknown or suspicious devices (CSO, 2017).
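Awareness training is the first defence against baiting, but an organisation can also notice when an unknown removable drive is plugged in. The following is an added example, not code from the original essay, that parses the kernel's USB enumeration messages (constructed sample lines below, following the real dmesg format) and flags any mass-storage device whose serial number is not on an allowlist of issued drives. The allowlist and the serial numbers are constructed for the example.

```python
import re

# Constructed allowlist: serial numbers of removable drives the organisation issued.
APPROVED_SERIALS = {"4C530001234567890123"}

# Constructed dmesg excerpt: an issued SanDisk drive, an unknown "found" drive, and a mouse.
SAMPLE_DMESG = """\
[  101.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.120000] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  101.120010] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.120020] usb 1-1: Product: Cruzer Blade
[  101.120030] usb 1-1: Manufacturer: SanDisk
[  101.120040] usb 1-1: SerialNumber: 4C530001234567890123
[  101.130000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  230.000001] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  230.120000] usb 1-2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  230.120010] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  230.120020] usb 1-2: Product: Flash Disk
[  230.120030] usb 1-2: Manufacturer: Generic
[  230.120040] usb 1-2: SerialNumber: FOUND0000INPARKINGLOT
[  230.130000] usb-storage 1-2:1.0: USB Mass Storage device detected
[  300.000001] usb 1-3: new low-speed USB device number 6 using xhci_hcd
[  300.120000] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  300.120020] usb 1-3: Product: USB Optical Mouse
[  300.120030] usb 1-3: Manufacturer: Logitech
"""

# "[ts] usb 1-2: msg" and "[ts] usb-storage 1-2:1.0: msg" both carry the bus port (1-2).
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<src>usb(?:-storage)?)\s+"
    r"(?P<port>\d+-[\d.]+)(?::[\d.]+)?:\s+(?P<msg>.*)$"
)


def parse_usb_events(text):
    """Group kernel USB messages by bus port into one record per enumerated device."""
    devices = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, msg = m.group("port"), m.group("msg")
        num = re.search(r"USB device number (\d+)", msg)
        if num:  # a fresh enumeration on this port starts a new record
            devices[port] = {"port": port, "device_number": int(num.group(1)),
                             "first_seen": float(m.group("ts")), "mass_storage": False}
            continue
        rec = devices.setdefault(port, {"port": port, "mass_storage": False})
        if msg.startswith("New USB device found"):
            ids = dict(re.findall(r"(idVendor|idProduct)=([0-9a-f]{4})", msg))
            rec["vid"], rec["pid"] = ids.get("idVendor"), ids.get("idProduct")
        elif msg.startswith("Product:"):
            rec["product"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Manufacturer:"):
            rec["manufacturer"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("SerialNumber:"):
            rec["serial"] = msg.split(":", 1)[1].strip()
        elif "USB Mass Storage device detected" in msg:
            rec["mass_storage"] = True
    return list(devices.values())


def unapproved_storage(text):
    """Mass-storage devices whose serial is missing or not on the allowlist."""
    return [d for d in parse_usb_events(text)
            if d["mass_storage"] and d.get("serial") not in APPROVED_SERIALS]


def format_alert(dev):
    """One-line alert suitable for a SIEM or ticket."""
    return "unapproved removable storage on port %s: %s %s (vid=%s pid=%s serial=%s)" % (
        dev["port"], dev.get("manufacturer", "?"), dev.get("product", "?"),
        dev.get("vid", "?"), dev.get("pid", "?"), dev.get("serial", "none"))


if __name__ == "__main__":
    for dev in unapproved_storage(SAMPLE_DMESG):
        print(format_alert(dev))
```

Keying on the serial number rather than vendor and product IDs matters: a "found" drive can easily share the same model as an issued one, but it will not share the serial the organisation recorded at hand-out. The mouse on port 1-3 shows why the mass-storage flag is needed; without it every keyboard and mouse would page the on-call analyst.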
What is Dumpster Diving?
Dumpster diving is a type of social engineering attack that involves going through someone's trash in order to find sensitive information. Attackers may look for discarded documents, such as bank statements or credit card receipts, that contain personal or financial information (Long, 2011).
Real-life examples of dumpster diving
In 2017, a healthcare provider in the United States was fined $100,000 for a data breach that occurred as a result of a dumpster diving attack. The attackers searched through the provider's trash bins and found several documents containing sensitive patient information, including Social Security numbers and medical records. The attackers used this information to conduct identity theft and medical fraud, resulting in significant financial losses and potential harm to the affected patients. The incident highlighted the importance of properly disposing of sensitive information and the need for healthcare providers to take extra precautions to protect patient data (JD Supra, 2019).
What is Shoulder Surfing?
Shoulder surfing is a type of social engineering attack that involves looking over someone's shoulder to obtain sensitive information, such as a password or PIN. Attackers may use this technique in public places, such as coffee shops or airports, where people are often using their laptops or mobile devices (Long, 2011).
What is Shoulder Surfing exactly, in real life?
Imagine you're in a crowded elevator and you take out your phone to check your bank account balance. Someone standing very close behind you watches as you enter your login credentials, and later uses that information to steal from your account. This is an example of shoulder surfing, where someone watches over your shoulder to obtain sensitive information. It's important to be aware of your surroundings and take precautions when entering sensitive information in public places to prevent shoulder surfing attacks.
Conclusion
It's important to be aware of the security risks associated with social engineering attacks. Social engineering is a tactic used by hackers to manipulate individuals into divulging sensitive information or performing actions that compromise security. This essay has presented several real-life scenarios that illustrate the various forms of social engineering, such as phishing, pretexting, and baiting. To prevent social engineering attacks, it's essential to educate individuals on how to recognize and respond to these attacks, implement strong security measures, and enforce security policies. By taking these precautions, we can reduce the risk of security breaches and protect ourselves and our customers from potential losses or theft.
References
James, L. (2005). Phishing Exposed. Syngress.
Long, J. (2011). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Syngress.
CNN. (2016). Snapchat employee fell for phishing scam. Retrieved from https://money.cnn.com/2016/02/29/technology/snapchat-phishing-scam/index.html
CSO. (2017). Top 10 most creative cyberattacks. Retrieved from https://www.csoonline.com/article/3153707/top-10-most-creative-cyberattacks.html
KnowBe4. (2021). The 2021 KnowBe4 report shows enterprises struggle with phishing, social engineering. Retrieved from https://www.knowbe4.com/hubfs/2021-State-of-Privacy-Security-Awareness-Report-Research_EN-US.pdf?hsLang=en-us
Verizon. (2020). 2020 data breach investigations report. Retrieved from https://enterprise.verizon.com/resources/reports/dbir/2020/
Trend Micro. (2018). Billion-Dollar Scams: The Numbers Behind Business Email Compromise. Retrieved from https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/billion-dollar-scams-the-numbers-behind-business-email-compromise
JD Supra. (2019). Dumpster Diving Leads to $100,000 Fine for Healthcare Provider. Retrieved from https://www.jdsupra.com/legalnews/dumpster-diving-leads-to-100-000-fine-63708/