What is Social Engineering?

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Where a technical attack exploits a flaw in software or configuration, social engineering exploits how people make decisions under pressure, and it is usually the first step of a larger intrusion: the credentials, payment, or malware installation it obtains is what the attacker actually wants.

🧠 Human Factor

The large majority of successful intrusions begin with a person being deceived, typically through a phishing message or a phone call, rather than with a technical exploit. People are not so much the weakest link as the most exposed one: every employee with an inbox or a phone is reachable by every attacker, so human judgment has to be backed by verification procedures and technical controls that hold even when someone is fooled.

Psychological Principles

Authority

People tend to obey authority figures, even when asked to perform questionable actions

Urgency

Creating a sense of urgency bypasses critical thinking and rational decision-making

Reciprocity

People feel obliged to return favors, even small ones

Social Proof

People follow the actions of others, especially in uncertain situations

Likability

People are more likely to comply with requests from people they like

Scarcity

Perceived scarcity increases desire and prompts quick action

Common Social Engineering Techniques

Phishing

Deceptive emails, or in targeted form spear-phishing messages tailored to one person, that steer recipients to a credential-harvesting login page or a malicious attachment or link. Modern kits sit as a relay between the victim and the real site, so they capture not only the password but whatever the victim types or approves next.

Pretexting

Creating a fabricated scenario or pretext to engage a target and extract information.

Baiting

Offering something enticing to lure victims into a trap, like infected USB drives labeled "Confidential."

Quid Pro Quo

Offering a service or benefit in exchange for information or access.

Tailgating

Following authorized personnel into restricted areas without proper authentication.

Vishing

Voice phishing: phone calls, often with a spoofed caller ID, used to extract sensitive information or to talk the target through an action such as reading out a one-time code or approving an MFA prompt.

Real-World Examples

CEO Fraud

Also called business email compromise (BEC): attackers impersonate an executive, using a spoofed or lookalike sender address or a compromised mailbox, to pressure finance staff into an urgent wire transfer or a change to a vendor's bank details

Tech Support Scams

Cold calls or fake browser pop-ups claiming to be Microsoft or Apple support, used to talk the victim into installing remote-access software and then into paying for "repairs"

Romance Scams

Building online relationships to eventually request money or information

Impersonation

Posing as IT staff, vendors, or delivery personnel to gain physical access

Prevention and Defense

Security Awareness Training

Training Focus Areas

  • Recognizing social engineering tactics
  • Verification procedures for unusual requests
  • Password and information security best practices
  • Reporting suspicious activities
  • Physical security awareness

Technical Controls

Multi-Factor Authentication

Protects accounts even if the password is compromised, with one important caveat: one-time codes and push approvals can be phished too, because a relay phishing page simply forwards the code or triggers the prompt in real time. Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) binds the authentication to the site's origin, so an assertion obtained on a lookalike domain is useless against the real one.
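The following is an added example, not code from the original page, that models the caveat above: an adversary-in-the-middle phishing proxy relays a login, first against a TOTP code and then against an origin-bound (WebAuthn-style) assertion. The two origins are hypothetical, and the HMAC over client data is a stand-in for WebAuthn's public-key signature; the origin check it models is the part that defeats the relay.

```python
"""Why phishing-resistant MFA matters: a minimal model of an adversary-in-the-middle
phishing proxy relaying a login, first against TOTP codes, then against an
origin-bound (WebAuthn-style) assertion.

Added example, not code from the original page. The origins are hypothetical, and
the HMAC over client data stands in for WebAuthn's public-key signature."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"     # the real site (hypothetical)
PHISH_ORIGIN = "https://login-example.com"  # attacker's lookalike proxy (hypothetical)


# --- TOTP (RFC 6238, HMAC-SHA1), as typed by the user from an authenticator app ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(secret, unix_time))


def relay_attack_totp(secret: bytes, unix_time: int) -> bool:
    """The victim types the code into the phishing page; the proxy forwards it.
    Nothing ties the code to the site it was typed into, so the real RP accepts it."""
    code_typed_into_phish_page = totp(secret, unix_time)
    return rp_verify_totp(secret, code_typed_into_phish_page, unix_time)


# --- Origin-bound assertion (WebAuthn-style) ---
def authenticator_sign(key: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    """The browser, not the user, records the origin it is actually talking to,
    and the authenticator signs over it together with the RP's challenge."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True
    ).encode()
    return {"client_data": client_data,
            "signature": hmac.new(key, client_data, hashlib.sha256).hexdigest()}


def rp_verify_assertion(key: bytes, challenge: str, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False  # signed for the wrong site or the wrong challenge: reject
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_attack_webauthn(key: bytes) -> bool:
    """The proxy forwards the real RP's challenge to the victim, whose browser is on
    the phishing origin. The assertion names that origin, so the RP rejects it."""
    challenge = secrets.token_hex(16)
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(key, challenge, assertion)


def legitimate_webauthn(key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    return rp_verify_assertion(key, challenge, authenticator_sign(key, challenge, RP_ORIGIN))


if __name__ == "__main__":
    totp_secret = secrets.token_bytes(20)
    cred_key = secrets.token_bytes(32)
    print("TOTP relay succeeds:     ", relay_attack_totp(totp_secret, 1_700_000_000))
    print("WebAuthn relay succeeds: ", relay_attack_webauthn(cred_key))
    print("WebAuthn legit succeeds: ", legitimate_webauthn(cred_key))
```

The TOTP path succeeds for the attacker because the code is just six digits with no notion of where they were entered; the same holds for SMS codes and for push approvals, which the proxy can trigger at will. The origin-bound path fails for the attacker without any user vigilance, which is why it is the control to prioritise for roles that handle payments or administration.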

Email Filtering

Blocks many phishing emails and malicious attachments before a person sees them. Publishing and enforcing SPF, DKIM, and DMARC stops direct spoofing of your own domain; it does not stop lookalike domains, free webmail accounts using an executive's display name, or mail from a compromised legitimate account, so filtering also needs sender and content heuristics, and users still need a way to report what gets through.
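As an added example (not code from the original page), the screening below applies the sender and content heuristics just described to inbound mail, covering the CEO-fraud pattern from the Real-World Examples section as well: display-name impersonation of a known executive, typosquatted lookalike domains, a Reply-To that diverts replies, a DMARC failure recorded by the receiving mail server, and pressure language in the body. The executive roster, the organization's domain, the phrase list, and the three sample messages are all constructed for this illustration.

```python
"""Heuristic screening of inbound mail for executive impersonation and lookalike
senders.

Added example, not code from the original page. The executive roster, the
organization's domain, the phrase list and the sample messages are constructed."""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Hypothetical organization data (assumed for this example).
EXECUTIVES = {"alice chen": "alice.chen@example.com"}
OWN_DOMAINS = {"example.com"}
# Pressure and secrecy phrases: the urgency/authority levers social engineers rely on.
PRESSURE_PHRASES = (
    "urgent", "immediately", "asap", "wire transfer",
    "confidential", "do not discuss", "gift card",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquatted domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. Display name belongs to an executive but the address is not theirs
    #    (classic CEO fraud sent from a free webmail account).
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr != exec_addr:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Sender domain is a near-miss of one of our own domains.
    for own in OWN_DOMAINS:
        if from_domain and from_domain != own and levenshtein(from_domain, own) <= 2:
            findings.append(f"lookalike domain: {from_domain} ~ {own}")

    # 3. Reply-To silently redirects replies elsewhere.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"reply-to mismatch: {reply_addr}")

    # 4. Our mail server recorded a DMARC failure for the claimed sender domain.
    if "dmarc=fail" in headers.get("Authentication-Results", "").lower():
        findings.append("dmarc failure")

    # 5. Two or more pressure phrases in the body.
    lowered = body.lower()
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES: List[Tuple[Dict[str, str], str]] = [
    (
        {
            "From": "Alice Chen <alice.chen@gmail.com>",
            "Reply-To": "alice.chen.ceo@outlook.com",
            "Authentication-Results": "mx.example.com; dmarc=none",
        },
        "I'm in a meeting and need an urgent wire transfer done immediately. "
        "Keep this confidential until I'm back.",
    ),
    (
        {
            "From": "Alice Chen <alice.chen@example.com>",
            "Authentication-Results": "mx.example.com; spf=pass dkim=pass dmarc=pass",
        },
        "Reminder: team lunch is on Friday.",
    ),
    (
        {
            "From": "IT Helpdesk <helpdesk@examp1e.com>",
            "Authentication-Results": "mx.example.com; spf=fail dmarc=fail",
        },
        "Urgent: your password expires today. Reset it immediately at the link below.",
    ),
]


def screen_all() -> List[List[str]]:
    return [screen_message(h, b) for h, b in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (hdrs, _), findings in zip(SAMPLE_MESSAGES, screen_all()):
        print(hdrs["From"], "->", findings or "clean")
```

Findings like these are triage signals for quarantine or a warning banner, not a verdict; a real deployment would also normalise internationalised domain names so that homoglyph lookalikes are compared after conversion, and would treat the Authentication-Results header as trustworthy only when it was added by your own mail server.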

Access Controls

Principle of least privilege for data and system access, so that one deceived user exposes only what that user legitimately needed; payment and administrative actions should additionally require a second person's approval

Policies and Procedures

Organizational Measures

  • Clear verification procedures for sensitive requests (for example, a call-back to a number on file, never one supplied in the request, before any payment or change of bank details)
  • Incident reporting protocols
  • Physical access controls
  • Regular security assessments
  • Vendor security requirements

Incident Response

Immediate Actions

Report the incident to the security team, preserve evidence (the original message with full headers, call records, any URLs or files involved), and assess what was disclosed, paid, or installed

Containment

Revoke compromised access, reset credentials and also invalidate active sessions and tokens, since a password reset alone does not log out an attacker who already holds a session; for fraudulent payments, contact the bank immediately to attempt a recall; then monitor for suspicious activity such as new mailbox forwarding rules or logins from unfamiliar locations

Recovery

Restore affected systems from a known-good state and add the controls the incident showed were missing, such as a call-back requirement for payment changes or phishing-resistant MFA for the affected roles

Lessons Learned

Update training and policies based on incident analysis