What is Social Engineering?
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It exploits human nature rather than technical vulnerabilities.
Key Statistic
91% of cyberattacks start with a phishing email. Humans are the weakest link in security.
Types of Social Engineering Attacks
Phishing
Fraudulent emails, texts, or websites that impersonate trusted entities to steal credentials or install malware.
- Spear Phishing: Targeted at specific individuals
- Whaling: Targeting executives (CEO fraud)
- Smishing: Via SMS text messages
Vishing (Voice Phishing)
Phone calls impersonating tech support, banks, or government agencies to extract information or payments.
Pretexting
Creating a fabricated scenario (pretext) to engage the victim. Example: "I'm from IT, we need your password to complete an urgent security update."
Baiting
Leaving infected USB drives in parking lots or offering free downloads that contain malware.
Tailgating / Piggybacking
Following an authorized person through a secured door without proper credentials.
Real-World Examples
Twitter Bitcoin Scam (2020)
Attackers called Twitter employees pretending to be IT support and gained access to internal account-management tools. They compromised the accounts of Elon Musk, Obama, and Apple, and stole $120,000 in Bitcoin.
RSA SecurID Breach (2011)
A phishing email carrying a "2011 Recruitment Plan.xls" attachment delivered a zero-day Flash exploit. This led to the compromise of RSA's SecurID authentication system, affecting defense contractors.
How to Detect Social Engineering
Red Flags in Emails
- Urgency or fear tactics ("Your account will be closed!")
- Suspicious sender address (misspelled domain)
- Generic greeting ("Dear Customer")
- Grammar and spelling errors
- Requests for sensitive information
- Suspicious links (hover to check URL)
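The email red flags above can be turned into a simple triage check. The following Python script is an added example, not part of the original page; the trusted-domain list, phrase lists and the sample message are all constructed, and a lookalike domain is defined here as one within two edits of a trusted domain.

```python
import re

TRUSTED_DOMAINS = {"example.com", "bank-example.com"}  # constructed sample, not a real policy
PHRASE_FLAGS = {  # any phrase hit in subject or body adds the key as a flag
    "urgency or fear language": ("urgent", "immediately", "will be closed"),
    "generic greeting": ("dear customer", "dear user", "dear account holder"),
    "requests sensitive information": ("password", "social security", "wire transfer"),
}
HREF_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.IGNORECASE)

def _host(url):
    # Lowercase host of an http(s) URL, or '' when the text is not a URL.
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""

def _edit_distance(a, b):
    # Levenshtein distance, used to spot 'examp1e.com'-style lookalike domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _is_lookalike(domain):
    # Not trusted itself, but within two edits of a trusted domain.
    return domain not in TRUSTED_DOMAINS and any(
        _edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)

def score_email(sender, subject, body_html):
    # Return the red flags found in one message; an empty list means none fired.
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if _is_lookalike(sender_domain):
        flags.append(f"lookalike sender domain: {sender_domain}")
    text = f"{subject} {body_html}".lower()
    for flag, phrases in PHRASE_FLAGS.items():
        if any(p in text for p in phrases):
            flags.append(flag)
    for href, anchor_text in HREF_RE.findall(body_html):
        real, shown = _host(href), _host(anchor_text)
        if shown and shown != real:  # displayed URL differs from the actual target
            flags.append(f"link text shows {shown} but points to {real}")
        elif _is_lookalike(real):
            flags.append(f"lookalike link host: {real}")
    return flags

PHISH = ("security@bank-examp1e.com", "Urgent: your account will be closed",  # constructed sample
         'Dear Customer, confirm your password at <a href="http://bank-examp1e.com/login">'
         'https://bank-example.com/login</a>')
```

Running `score_email(*PHISH)` reports all five red flags; a message from a trusted domain with matching link text and no pressure language returns an empty list.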
Red Flags in Phone Calls
- A familiar caller ID proves nothing; caller ID can be spoofed
- Pressure to act immediately
- Requests for passwords or payments
- Caller is unable to answer your verification questions
Prevention Strategies
For Organizations
- Regular security awareness training
- Phishing simulations (monthly)
- Clear reporting procedures
- Email filtering and DMARC
- Multi-factor authentication
- Verification procedures for sensitive requests
For Individuals
- Verify requests through a separate channel
- Never share passwords (IT will never ask)
- When in doubt, hang up and call back on the official number
- Check URLs before clicking
- Report suspicious activity immediately
The Human Firewall
Technology alone cannot stop social engineering. Train your employees to be the human firewall—your last line of defense.
Updated: December 2024