L09 - IS - Social Engineering


Social Engineering

Carnegie Mellon University website: https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html#:~:text=Social%20engineering%20is%20the%20tactic,or%20giving%20away%20sensitive%20information.

What is Social Engineering?
Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain
control over a computer system, or to steal personal and financial information. It uses psychological
manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended
victim to gather necessary background information, such as potential points of entry and weak security
protocols, needed to proceed with the attack. Then, the attacker uses a form of pretexting such as
impersonation to gain the victim's trust and provide stimuli for subsequent actions that break security
practices, such as revealing sensitive information or granting access to critical resources.

Types of Social Engineering Attacks

Social engineering attacks come in many different forms and can be performed anywhere that human
interaction is involved. The following are common forms of digital social engineering attacks.
Phishing: The process of attempting to acquire sensitive information such as usernames, passwords,
and credit card details by masquerading as a trustworthy entity in bulk email, SMS text messages
(smishing), or phone calls (vishing). Phishing messages create a sense of urgency, curiosity, or fear in
the recipient. The message prods victims into revealing sensitive information, clicking links to
malicious websites, or opening attachments that contain malware.
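Below is an added example, not part of the course notes or the CMU page, that turns the signals just described into a triage check in Python: a display name claiming a brand whose domain the mailbox is not on, a Reply-To routed to a different domain, links whose visible text shows one domain while the href leads to another (including the user@host trick), and pressure language. The two messages, the brand table and every domain in them are constructed, and the two-label domain extraction is a stated simplification.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand -> legitimate domain table (assumption: a real
# deployment lists the organisation's own brands and providers).
KNOWN_BRANDS = {"example bank": "examplebank.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "verify your account")
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

# Constructed sample: branded display name on a look-alike domain, foreign
# Reply-To, two deceptive links (the second uses the user@host trick).
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.net>
Reply-To: recover@mail-verify.example.org
To: victim@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please verify your account immediately:</p>
<a href="http://login.examp1e-bank-secure.net/verify">https://www.examplebank.com/login</a>
<a href="http://www.examplebank.com@examp1e-bank-secure.net/reset">www.examplebank.com/reset</a>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Friday? Menu: https://www.example.com/menu
"""


def _domain(value):
    """Last two labels of the host in a URL or mailbox, lowercased.
    Heuristic: production code should consult the public suffix list."""
    if "://" in value:          # URL; .hostname discards any user@ prefix trick
        host = urlparse(value).hostname or ""
    elif "@" in value:          # mailbox
        host = value.rsplit("@", 1)[1]
    else:                       # bare host/path used as link text
        host = urlparse("http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Return (category, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Masquerading sender: brand in the display name but mailbox on another
    #    domain, or replies silently routed to a different domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in name.lower() and from_domain != legit:
            findings.append(("sender", f"claims {brand!r} but mailbox is on {from_domain}"))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(("reply-to", f"replies go to {_domain(reply_to)}, not {from_domain}"))
    # 2. Deceptive links: visible text names one domain, href goes to another.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    if part is not None and part.get_content_subtype() == "html":
        links = _LinkCollector()
        links.feed(body)
        for href, text in links.links:
            if href and _LOOKS_LIKE_URL.match(text) and _domain(text) != _domain(href):
                findings.append(("link", f"text shows {_domain(text)}, href goes to {_domain(href)}"))
    # 3. Pressure language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", "pressure language: " + ", ".join(hits)))
    return findings
```

Calling `triage(SAMPLE)` yields five findings (one sender, one Reply-To, two link, one urgency) and `triage(BENIGN)` yields none. The same checks belong in a mail-gateway rule or a SOC triage script, with the brand table populated from the organisation's own domains and a public suffix list replacing the two-label heuristic.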

Baiting: A type of social engineering attack in which a scammer uses a false promise to lure a victim into
a trap that steals personal and financial information or infects the system with malware. The trap
could be a malicious attachment with an enticing name.

The most common form of baiting uses physical media to spread malware. For example, attackers
leave malware-infected flash drives in conspicuous areas where potential victims are certain to see
them. When the victim inserts the flash drive into a work or home computer, the malware runs either
automatically (where AutoRun is still enabled for removable media) or as soon as the victim opens a
disguised file on the drive. Baiting scams also appear online as tempting ads that lead to malicious
sites or encourage users to download a malware-infected application.

Tailgating: Also known as "piggybacking". A physical breach in which an unauthorized person
manipulates their way into a restricted, employee-only area using social engineering tactics. The
attacker might impersonate a delivery driver or custodial worker. Once an employee opens the door, the
attacker asks the employee to hold it, thereby gaining access to the building.
Scareware: Victims are bombarded with false alarms and fictitious threats. Users are deceived into
thinking their system is infected with malware and are prompted to install "cleanup" software that is
itself malware or grants the criminal remote access, or to pay for a fake fix. A related extortion
variant demands payment in bitcoin to withhold sensitive video that the criminal claims to have.


Dumpster Diving: A scammer searches the garbage for sensitive information, e.g., bank statements,
pre-approved credit card offers, student loan paperwork, or other account information, that hasn't been
properly sanitized or destroyed.

Quid Pro Quo: A criminal requests sensitive information such as critical data, login credentials, or
money in exchange for a service. For example, a computer user might receive a phone call from the
criminal who, posing as a technology expert, offers free IT assistance or technology improvements in
exchange for login credentials. If an offer sounds too good to be true, it is most likely a scam.

Social Engineering Prevention


o Don't open email attachments from suspicious sources. Even if you know the sender, if the message
seems suspicious, contact that person directly through a channel you already trust (a known phone number,
not the contact details in the message) to confirm it is genuine.
o Use Multi-Factor Authentication (MFA). User credentials are among the most valuable things an attacker
can obtain. MFA keeps an account protected if the password alone is phished or stolen. Note that one-time
codes (SMS or authenticator app) can still be relayed by a real-time phishing proxy, so phishing-resistant
MFA such as FIDO2/WebAuthn security keys or passkeys, which bind the login to the legitimate site's origin,
is the stronger choice.
o Be wary of tempting offers. If an offer seems too good to be true, it probably is. Use a search engine to
look up the offer; that can quickly tell you whether you are dealing with something legitimate or a trap.
o Clean up your social media. Social engineers scour the Internet for any information they can find on a
person. The more you have posted about yourself, the easier it is for a criminal to craft a targeted
spear-phishing message.
o Install and update antivirus and other software. Make sure automatic updates are turned on.
Periodically check that the updates have been applied and scan your system regularly for infections.
o Back up your data regularly. If you fall victim to a social engineering attack that destroys or
encrypts your entire hard drive, a backup on an external drive or in the cloud is what lets you recover.
Keep the backup disconnected or versioned so the same malware cannot reach it.
o Avoid plugging an unknown USB device into your computer, however tempting a drive found unattended
may be. Disable AutoRun as well. AutoRun is the Windows feature that launches the program named in a CD,
DVD, or USB device's autorun.inf when the media is inserted; setting the policy value NoDriveTypeAutoRun
to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables it for all drive
types. Windows 7 and later already ignore autorun.inf on USB mass-storage devices, but a malicious
device can instead present itself as a keyboard and type commands, so the rule is still not to plug it in.
o Destroy sensitive documents regularly. All sensitive documents such as bank statements, student loan
information, and other account information should be physically destroyed in a cross-cut shredder or placed
in one of the blue or gray locked receptacles, whose contents are incinerated.
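As an added example (not from the notes or the CMU page), the following Python inspects an autorun.inf recovered from a found drive, the mechanism behind the baiting and AutoRun points above, and reports what AutoRun would have launched and how the file is dressed up to look like a harmless folder. The file contents are constructed; the keys (open, shellexecute, shell\<verb>\command, shell, icon, label, action, UseAutoPlay) are the ones the Windows AutoRun specification defines.

```python
import configparser

# Constructed example of an abused autorun.inf: the drive borrows a folder
# icon from shell32.dll, mimics Explorer's AutoPlay prompt text, and wires
# every trigger (insert, double-click, right-click Open/Explore) to a
# hidden executable.
SAMPLE_AUTORUN_INF = r"""[autorun]
; constructed example of an abused autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Photos
action=Open folder to view files
open=hidden\setup.exe
shellexecute=hidden\setup.exe
shell\open\command=hidden\setup.exe
shell\explore\command=hidden\setup.exe
shell=open
UseAutoPlay=1
"""

# Constructed harmless file: only cosmetic keys.
BENIGN_AUTORUN_INF = r"""[AutoRun]
label=Vacation photos
icon=photos.ico
"""

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".pif")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercased keys.
    Section and key names are case-insensitive in real files, and '%'
    must not be treated as configparser interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): v.strip() for k, v in cp.items(section)}


def executed_commands(entries):
    """(trigger, command) pairs AutoRun or AutoPlay could launch."""
    commands = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            commands.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            commands.append((f"shell verb '{verb}'", value))
    return commands


def deception_indicators(entries):
    """Signs the drive is dressed up to look like a harmless folder."""
    flags = []
    if "shell32.dll" in entries.get("icon", "").lower():
        flags.append("icon taken from shell32.dll, so the drive looks like a built-in folder")
    action = entries.get("action", "")
    if "open folder" in action.lower():
        flags.append(f"action text mimics Explorer's own AutoPlay prompt: {action!r}")
    if entries.get("shell"):
        flags.append(f"default double-click verb overridden: {entries['shell']!r}")
    for trigger, command in executed_commands(entries):
        if command.lower().endswith(EXEC_EXTENSIONS):
            flags.append(f"{trigger} launches an executable: {command}")
    return flags


if __name__ == "__main__":
    for line in deception_indicators(parse_autorun(SAMPLE_AUTORUN_INF)):
        print(line)
```

For the constructed file this reports four launch paths and seven indicators; the benign file reports none. Two caveats apply when reading the output: Windows 7 and later do not honour autorun.inf on USB mass-storage devices at all (only optical media), and a keystroke-injecting device that enumerates as a keyboard never needs autorun.inf, so this check covers the classic bait drive but not the hardware variant.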

ChatGPT

Social engineering in information security refers to the manipulation of individuals into divulging
confidential information or performing actions that compromise security. Unlike technical attacks that
exploit vulnerabilities in software or hardware, social engineering attacks exploit human psychology and
behavior.

Types of Social Engineering Attacks

1. Phishing: This is one of the most common forms. Attackers use fake emails, websites, or
messages that appear to be from legitimate sources to trick individuals into providing sensitive
information like passwords or financial details.
2. Spear Phishing: A more targeted form of phishing where the attacker customizes their message
to a specific individual or organization, often using personal information to make the scam more
convincing.
3. Pretexting: The attacker creates a fabricated scenario to obtain information. For example, they
might pose as a trusted authority figure or a company representative to gain access to sensitive
data.
4. Baiting: This involves offering something enticing (like a free software download) to lure victims
into providing information or installing malicious software.
5. Quizzes and Surveys: Attackers use seemingly innocent quizzes or surveys to collect personal
information that can be used for further attacks or identity theft.
6. Tailgating: This is a physical security breach where an attacker follows someone into a secure
area by pretending to be an authorized individual.
7. Impersonation: The attacker pretends to be someone the target knows or respects (like a boss
or IT support staff) to gain access to confidential information.

How to Defend Against Social Engineering

1. Education and Training: Regular training for employees and individuals on recognizing and
responding to social engineering tactics is crucial. This can include awareness programs and
simulated phishing exercises.
2. Verify Requests: Always verify the identity of individuals requesting sensitive information or
access, especially if the request is unexpected or out of the ordinary.
3. Implement Policies: Develop and enforce security policies and procedures, including guidelines
for handling sensitive information and reporting suspicious activities.
4. Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder
for attackers to gain access even if they obtain a password.
5. Secure Physical Access: Implement physical security measures to prevent unauthorized access
to facilities and sensitive areas, such as using access cards and security personnel.
6. Regularly Update Software: Keep systems and software up-to-date to protect against known
vulnerabilities that attackers might exploit in conjunction with social engineering tactics.
7. Encourage a Culture of Security: Promote a security-conscious culture where employees feel
comfortable reporting suspicious activities without fear of reprisal.

By understanding and preparing for social engineering attacks, individuals and organizations can better
protect themselves from these manipulative and often deceptive threats.
