Social engineering is a non-technical method of breaking into a system or network. It is the process of deceiving the users of a system and
convincing them to perform acts useful to the hacker, such as giving out information that can be used to defeat or bypass security
Social engineering is important to understand because hackers can use it to attack the human element of a system and circumvent technical
security measures. This method can be used to gather information before or during an attack. A social engineer commonly uses the
telephone or the Internet to trick people into revealing sensitive information or to get them to do something that is against the security policies of
the organization. By this method, social engineers exploit a person's natural tendency to trust what they are told, rather than exploiting holes in computer
security. It is generally agreed that users are the weakest link in security; this principle is what makes social engineering possible.
Types of Social Engineering Attacks
Social engineering can be broken into two common types:
Human-based social engineering refers to person-to-person interaction used to retrieve the desired information. An example is calling the help
desk and trying to find out a password.
Computer-based social engineering refers to using computer software that attempts to retrieve the desired information. An example is
sending a user an email asking them to re-enter a password on a web page to confirm it. This social-engineering attack is also known as
Human-Based Social Engineering
Human-based social engineering techniques can be divided into the following types:
1. Impersonating an Employee or Valid User
In this type of attack, the hacker pretends to be an employee or a valid user of the system. A hacker can gain physical access to a computer
system by pretending to be an employee or the person in charge of security.
2. Posing as an Important User
In this type of attack, the hacker pretends to be an important user such as an executive or high-level manager who needs immediate
assistance to gain access to a computer system or files. The hacker uses intimidation so that a lower-level employee such as a help desk
worker will assist them in gaining access to the system. Most low-level employees won’t question someone who appears to be in a position
3. Using a Third Person
Using the third-person approach, a hacker pretends to have permission from an authorized source to use a system.
4. Calling Technical Support
Calling tech support for assistance is a classic social-engineering technique. Help desk and technical support personnel are trained to help
users, which makes them good prey for social-engineering attacks.
5. Shoulder Surfing
Shoulder surfing is a technique of gathering passwords by watching over a person’s shoulder while they log in to the system. A hacker can
watch a valid user log in and then use that password to gain access to the system.
6. Dumpster Diving
In this type of social engineering, the hacker searches the trash for passwords, file names, or other pieces of confidential information
written on scraps of paper or printouts.
Computer-Based Social Engineering
Computer-based social-engineering attacks can include the following types:
1. Email attachments
2. Fake websites
3. Pop-up windows
If a hacker can’t find any other way to hack an organization, the next best option is to infiltrate the organization by getting hired as an
employee or finding a disgruntled employee to assist in the attack. Insider attacks can be powerful because employees have physical access
and are able to move freely about the organization.
A hacker can pose as an employee or steal an employee's identity to carry out an attack. Information gathered by dumpster diving or shoulder
surfing, combined with a fake ID badge, can gain the hacker entry into an organization. Creating a persona that can enter the
building unchallenged is the goal of identity theft.
Phishing involves sending an email, usually posing as a bank, credit card company, or other financial organization. The email requests that
the recipient confirm banking information or reset passwords or PINs. The user clicks the link in the email and is redirected to a fake website.
The hacker is then able to capture this information and use it for financial gain or to perpetrate other attacks. For example, emails that claim the
senders have a great amount of money but need your help getting it out of the country are phishing attacks.
Some websites that make free offers or other special deals can lure a victim to enter a username and password that may be the same as
those they use to access their work system. The hacker can use this valid username and password once the user enters the information in the
Mail attachments can be used to send malicious code to a victim's system, which could automatically execute something like a software
keylogger to capture passwords.
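The two computer-based lures described above, the phishing link that leads somewhere other than the organization it claims to be from and the mail attachment carrying executable code, are both visible in the message itself before anyone clicks. The following Python script is an added example (not code from the original text) of the heuristic checks a mail gateway or an analyst triaging a reported message would run: it parses a raw message, compares every link's real host against the sender's domain and against the domain shown in the link text, and flags attachments with executable extensions. The sender, addresses and hosts in the sample message are constructed for the example, the "last two labels" domain heuristic is a deliberate simplification, and the extension list is an assumed one.

```python
"""Heuristic phishing checks over a raw e-mail message (example code; all
addresses, hosts and file names below are constructed for illustration)."""
import ipaddress
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Attachment types a gateway would normally refuse outright (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".jar"}
# Link text that itself looks like a host or URL, e.g. "www.bank.example".
_HOST_LIKE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain; IP literals
    are returned unchanged. A production filter would use the public suffix list."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        labels = host.split(".")
        return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _text_host(text):
    # Visible text usually omits the scheme, so add one for urlparse to find the host.
    return urlparse("http://" + text.split("://", 1)[-1]).hostname


def analyze_message(raw):
    """Return a list of (finding, detail) tuples for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname
            if href_host is None:  # mailto:, relative or malformed links carry no host
                continue
            if registered_domain(href_host) != sender_domain:
                findings.append(("link-sender-mismatch", href_host))
            if _HOST_LIKE.fullmatch(text):
                text_host = _text_host(text)
                if text_host and registered_domain(text_host) != registered_domain(href_host):
                    findings.append(("link-text-mismatch", f"{text_host} -> {href_host}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name).suffix.lower() in EXECUTABLE_SUFFIXES:
            findings.append(("executable-attachment", name))
    return findings


def build_message(sender, html_body, attachment_name=None):
    """Build a raw message for testing (constructed content, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Action required: confirm your account"
    msg.set_content("Please confirm your details at the link in this message.")
    msg.add_alternative(html_body, subtype="html")
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed lure: bank-looking sender, a link to an unrelated domain, a link whose
# visible text names the bank but whose href is a bare IP, and an .exe attachment.
LURE_SENDER = "ExampleBank Support <support@examplebank.example>"
LURE_HTML = """<html><body>
<p>Dear customer, please <a href="http://secure-login.example.net/verify">confirm your details</a>
within 24 hours.</p>
<p>Or visit <a href="http://203.0.113.10/login">www.examplebank.example</a> directly.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_message(build_message(LURE_SENDER, LURE_HTML, "statement.exe")):
        print(*finding)
```

Each finding names the evidence rather than just scoring the message, which is what a help desk needs when it talks a user through why a message was held. The sender check deliberately uses the From header only; a fuller implementation would also compare the Return-Path and any authentication results the receiving server recorded.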