What is Social Engineering?


Social engineering is the art of manipulating people so they give up confidential information. The kinds of data these criminals are looking for can vary, but when individuals are targeted the criminals are generally trying to trick you into giving them your passwords or bank information, or into letting them access your computer so they can covertly install malicious software that gives them access to your passwords and bank information as well as control over your computer.

Criminals use social engineering tactics because it is much easier to fool someone into handing over their password than it is to crack that password (unless the password is really weak).



Common Social Engineering Attacks

If a criminal manages to hack or socially engineer one person's email password, they have access to that person's contact list, and because most people use one password everywhere, they probably have access to that person's social networking contacts as well.

Once the criminal has that email account under their control, they send emails to all the person's contacts or leave messages on all their friends' social pages, and possibly on the pages of the person's friends' friends.

Watch out for messages that may use your trust and curiosity:

  • Contain a link that you just have to check out. Because the link comes from a friend and you're curious, you'll trust the link and click, and be infected with malware so the criminal can take over your machine, collect your contacts' information and deceive them just as you were deceived.

  • Contain a download (pictures, music, a movie, a document, etc.) that has malicious software embedded. If you download it, which you are likely to do since you think it is from your friend, you become infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.



Watch out for messages that may create a compelling story or pretext:

  • Urgently ask for your help. Your 'friend' is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, and they tell you how to send the money to the criminal.

  • Ask you to donate to their charitable fundraiser, or some other cause, with instructions on how to send the money to the criminal.

  • Phishing attempts. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.

  • The message may notify you that you're a 'winner'. Maybe the email claims to be from a lottery, or a dead relative, or says you're the millionth person to click on their site, etc. In order to give you your 'winnings', they need information about your bank routing so they know how to send it to you, or your address and telephone number so they can send the prize, and you may also be asked to prove your identity, often including your Social Security Number. These are the 'greed phishes': even when the story pretext is thin, people want what is offered and get swept up by it, giving away their information and then having their bank account emptied and their identity stolen.

  • The message may ask for help. Preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.


A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).

Creating distrust. Some social engineering is all about creating distrust or starting conflicts. These attacks are often carried out by people you know who are angry with you, but they are also done by nasty people just trying to wreak havoc, by people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.

These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie, or music. But the schemes are also found on social networking sites, malicious websites you find through search results, and so on.

The scheme may show up as an amazingly great deal on classified sites, auction sites, etc. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time).

People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

Criminals may pretend to be responding to your 'request for help' from a company while also offering more help. For example, even though you know you didn't originally ask a question, you probably have a problem with your computer's operating system and you seize on this opportunity to get it fixed. For free! The moment you respond you have bought the crook's story, given them your trust and opened yourself up for exploitation.

"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.

Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. Once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. With an access card or code in order to physically get inside a facility, the criminal can access data, steal assets or even harm people.

Today social engineers and attackers have tools, and they can go to sites like LinkedIn and find all of the users that work at a company and gather plenty of detailed information that can be used to further an attack.

Awareness is the number one defensive measure. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics. Social engineering tricks are always evolving and awareness training has to be kept fresh and up to date.

But it isn't just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets.

There are literally thousands of variations on social engineering attacks. The only limit to the number of ways criminals can socially engineer users is the criminal's imagination.

