Social Engineering

poli

Uploaded by

haziq
2.2 Social Engineering

Social engineering: a form of attack that relies on deception and manipulation to gain access to sensitive information or systems.

Attackers use various techniques to trick individuals into revealing confidential data, granting unauthorized access, or performing actions that benefit the attacker.
Types of Social Engineering

1. Impersonation
Assuming the identity of a trusted individual or entity, such as a co-worker, supervisor, or a representative from a reputable organization. Attackers use email, phone calls, or text messages to impersonate these individuals and gain access to sensitive information or systems.

Example: ???

2. Eavesdropping
Listening in on conversations or observing interactions to gain unauthorized access to sensitive information.

Attackers may use sophisticated listening devices or simply overhear conversations in public places.

Example: ???

3. Shoulder Surfing
The act of looking over someone's shoulder to observe their actions, such as typing passwords or entering confidential information.

Attackers may exploit this technique in crowded public areas or work environments.

Example: ???

4. Dumpster Diving
Searching through trash or discarded materials to find sensitive information, such as passwords, financial statements, or other documents.

Attackers target businesses, individuals, or institutions to access valuable data.

Example: ??
Continued:

Reverse Social Engineering

Attacker targets a victim by making them think they are the ones who are being targeted.

The attacker might pretend to be in trouble or needing help, creating a sense of empathy in the victim and making them more likely to assist.

It can then lead the victim into revealing information or taking actions that benefit the attacker.

Example: ????

Piggybacking

Follow someone into a secured area without authorization.

Attackers might tail someone with legitimate access, hoping to gain entry without needing to authenticate themselves.

Often relies on physical proximity and social cues, such as looking confident or appearing like they belong.

Example: ??

Tailgating

Similar to piggybacking but instead of following someone, the attacker waits for someone with legitimate access to open a door and then quickly enters before it closes.

Attackers can take advantage of situations where people are in a hurry or distracted.

Example: ??

Diversion Theft

Creating a distraction to steal from someone.

The attacker might start a conversation or cause a commotion to draw attention away from the victim, allowing them to access their belongings or sensitive information unnoticed.

Example : ???
Next:

Honey Trap

Social engineering tactic that involves using charm, seduction, or emotional manipulation to gain access to information or systems. Attackers may create fake online profiles or use real identities to lure victims into compromising situations.

Example: ??

Baiting

Offer something desirable, such as a free gift, discount, or access to exclusive content, in exchange for personal information or access to a system. Attackers may use malicious websites, emails, or social media posts to lure victims.

Example:

Quid Pro Quo

"Something for something," involves offering a service or favor in exchange for access to information or systems. Attackers may offer to fix a technical issue or provide assistance in exchange for login credentials or access to sensitive data.

Example:
Elicitation

Gathering Information

The art of extracting information from a victim through conversation and manipulation. Attackers use subtle questioning techniques, flattery, and other social skills to gain trust and elicit sensitive information without raising suspicion.

Building Relationships

Attackers often build relationships with their targets to gain their trust and make them more willing to share information. This could involve casual conversations, social media interactions, or even seemingly harmless friendships.

Targeted Questions

Attackers carefully craft questions to subtly guide the conversation and extract information. These questions may be disguised as innocent inquiries but contain subtle hints or leads that help the attacker gather valuable intel.

Emotional Manipulation

Attackers may use emotional manipulation to influence a victim's decision-making. This could involve playing on their fear, greed, or sympathy to make them more likely to reveal sensitive information or perform actions that benefit the attacker.

Computer-Based Social Engineering

1. Types of Phishing
Using deceptive emails, websites, or text messages to trick victims into revealing sensitive information, such as login credentials, financial details, or personal data.

2. Spear Phishing
Spear phishing is a targeted form of phishing that focuses on specific individuals or organizations. Attackers conduct research to gather information about their targets and create highly personalized phishing attacks that are more likely to be successful.

3. Whaling
A high-profile form of phishing that targets high-level executives or influential figures.

Attackers use sophisticated techniques to impersonate trusted individuals or organizations, aiming to gain access to sensitive data or systems with high financial value.

4. Clone Phishing
An attacker creates a near-identical copy of a legitimate email to trick the recipient into responding.

Phishing Tools
Phishing kits

Pre-built packages that contain templates, code, and other resources to create phishing websites quickly.

Keyloggers

Programs that record every keystroke made on a victim's computer, allowing attackers to steal sensitive information like passwords and credit card details.

Spoofing tools

Used to create fake websites or emails that mimic legitimate ones, making it difficult for victims to detect the deception.

The Anatomy of a Phishing Email

Subject Line

Attackers often use subject lines that are enticing, relevant, or create a sense of urgency to entice victims into opening the email. For example, "Urgent: Account Verification Required" or "Special Offer: Exclusive Discount."

Header and Logo

Attackers may imitate the header and logo of legitimate companies or organizations to create a sense of authenticity. However, there might be subtle discrepancies or anomalies that can help identify the email as a fake. Carefully examine the sender's name, email address, and any links included in the email.

Body Text

The body text of a phishing email is designed to convince the victim to take a specific action, such as clicking a link, providing personal information, or downloading an attachment. Attackers use various tactics to achieve this goal, including creating a sense of urgency, fear, or excitement.

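
The checks described above (subject wording, sender address, links), written out as an added Python example that is not part of the original slides. It assumes a single-part HTML message and a caller-supplied expected_domain (the real domain of the organization the email claims to come from); the sample message, its .test domains and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample; every domain is a placeholder under the reserved .test TLD.
SAMPLE = """\
From: "Example Bank Support" <support@examp1ebank-secure.test>
Subject: Urgent: Account Verification Required
Content-Type: text/html; charset="utf-8"

<a href="http://login.verify-portal.test/session">https://www.examplebank.test/login</a>
<a href="https://www.examplebank.test/help">Help centre</a>
"""
URGENCY = re.compile(r"\b(urgent|verif\w+|suspended|immediately|exclusive)\b", re.I)

class LinkCollector(HTMLParser):  # gathers [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_a = True
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data.strip()
def host(url):  # hostname of a URL, or of bare "www.site/path" text
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
def within(h, domain):  # h is the domain itself or one of its subdomains
    return bool(h) and (h == domain or h.endswith("." + domain))

def phishing_indicators(raw, expected_domain):
    msg, found = message_from_string(raw), []
    if URGENCY.search(msg.get("Subject", "")):  # pressure wording in the subject
        found.append(("urgent_subject", msg["Subject"]))
    addr = parseaddr(msg.get("From", ""))[1]  # the address, not the display name
    if not within(addr.rpartition("@")[2].lower(), expected_domain):
        found.append(("sender_domain", addr))
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        if not within(host(href), expected_domain):  # link leaves the real site
            found.append(("offsite_link", href))
        seen = host(text) if re.match(r"https?://|www\.", text, re.I) else ""
        if seen and not (within(seen, host(href)) or within(host(href), seen)):
            found.append(("link_text_mismatch", f"{text} -> {href}"))
    return found
```

Calling phishing_indicators(SAMPLE, "examplebank.test") flags the subject, the look-alike sender domain, and the first link twice (it leaves the expected site, and its visible text names a different host than its href); the second link passes.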
Mobile-Based Social Engineering

1. SMS Phishing
Attackers use text messages to deliver phishing links, enticing victims to click and reveal sensitive information. These messages may impersonate banks, retailers, or other services to appear legitimate.

2. Fake Apps
Attackers create fake mobile applications that mimic legitimate apps but contain malicious code. These apps can steal login credentials, financial information, or other sensitive data from victims' devices.

3. Bluetooth Exploitation
Attackers can exploit Bluetooth vulnerabilities to gain access to victims' devices. This can involve intercepting data transmissions, installing malicious software, or even controlling the device remotely.

4. Social Media Scams
Attackers use social media platforms to spread scams and trick victims into revealing personal information or financial details. These scams can involve fake giveaways, phishing links, or malware disguised as legitimate content.

Protecting Against Social Engineering Attacks

Be Skeptical
Always question requests for sensitive information, even if they come from trusted sources. Verify the source of any communication, especially if it involves requests for login credentials or personal data.

Verify Information
If you receive a suspicious email, text message, or phone call, do not click on any links or attachments. Instead, contact the sender directly through known, verified channels to verify the authenticity of the communication.

Use Strong Passwords
Create strong passwords for all your online accounts and avoid using the same password for multiple accounts. Consider using a password manager to store and manage your passwords securely.

Be Aware of Your Surroundings
Be mindful of your surroundings and take precautions to protect your personal information, especially in public places. Avoid typing passwords or entering sensitive data when someone is nearby, and consider using a privacy screen on your laptop.

Keep Software Updated
Ensure that your software is updated regularly to patch security vulnerabilities that attackers may exploit. This includes operating systems, web browsers, and antivirus software.
