Chapter 5: Social Engineering
What is Social Engineering?
• It's an attack method that relies on the human mind, not just technology.
• The hacker won't exploit vulnerabilities or attack firewalls; they might simply trick an employee into revealing their password or opening a door for them.
• It means psychological manipulation to gain access to information, a device, or a location.
Examples of Social Engineering Methods:
1. Phishing: A fake email (like from Google or a bank) asks you to enter your data.
2. Vishing: The same idea, but over the phone (a call).
3. Smishing: A fake SMS message.
4. Pretexting: Someone calls you, claiming to be from "IT support," and convinces
you to give them your password.
5. Baiting: A flash drive labeled "Company Salaries" is left for you to find... and
when you run it on your device, it's an infection!
6. Tailgating/Piggybacking: An attacker enters behind you through a door you open (without using an access card).
7. Shoulder Surfing: Someone looks over your shoulder while you type your
password.
8. Dumpster Diving: Searching through trash to find documents containing
sensitive information.
What makes people fall into the trap?
The hacker relies on a few psychological motivators:
• Familiarity: (e.g., "We are from the same company.")
• Likability: (e.g., they interact with you in a friendly way.)
• Authority: (e.g., they say, "I am the manager.")
• Urgency: (e.g., "You must quickly update your password before the service stops.")
• Consensus: (e.g., "All your colleagues have received this link.")
Defending Against Social Engineering
• The most important thing: awareness and training.
• Employees need to learn how to distinguish fake calls and phishing messages.
• Train them regularly and run simulated phishing campaigns (a kind of test) to see who falls for them.
• Clear policies, such as: IT support will never ask you for your password.
• Educate people not to plug in USB drives from unknown sources.
The 6 Basic Psychological Motivators:
1. Authority
• People naturally listen to someone in a position of authority or power.
• The attacker might pretend to be a manager, an important client, or even a government official (like the IRS or FBI).
• The victim often complies quickly without verifying.
• Example: An email says, "I am from the tax department; you must pay immediately, or you will face legal problems."
2. Urgency
• The attacker creates a sense of time pressure to make the victim decide quickly without thinking.
• The victim feels there is "no time" and bypasses security procedures.
• Example: A person inside the company, wearing a uniform, says, "Open the door quickly; I am late for a meeting." You open it without checking their card.
• Or someone hands you a USB drive and says, "Plug it in quickly; I have a presentation in 5 minutes." You put it in your device without checking.
3. Social Proof
• People tend to follow what others around them are doing.
• If they see a page or site with many shares and likes, they might think it's trustworthy, even if it's fake.
• Example: A link to a scam website, but the victim's friends shared it on LinkedIn or Facebook, so the victim trusts it and enters.
4. Scarcity
• Humans fear missing out on a rare opportunity.
• The attacker uses this to make the victim act quickly.
• Example: "MacBook for $1000 instead of $2000 for the first 5 people only!" The victim clicks the link and enters their data.
5. Likability
• If you like someone or find them charming/friendly/polite, you'll trust them more.
• The attacker might use an attractive appearance or be very sociable to break down barriers.
• Example: A social engineer talks to an employee about a TV series they like or a football team they support. The employee starts to open up and reveal information.
6. Fear
• Fear makes people act without thinking.
• The attacker threatens you with something bad if you don't do what they say.
• Example: Ransomware → "If you don't pay $200, your files won't be returned."
• Or a fake message from the "FBI" → "If you don't pay the fine now, we will arrest you." (Can be combined with Authority to be stronger.)
1. Impersonation (Impersonating a real person)
• The attacker pretends to be someone you know or trust (like a manager or an IT employee).
• Goal: To gain your trust and make you reveal sensitive information or access to a system.
• Example: Someone calls you and says, "I am Mohammed from IT on the third floor. We have a problem with the devices, and I want to make sure your device is working fine."
• Protection: Always verify the person's identity before sharing any data + employee awareness.
2. Brand Impersonation
• The attacker imitates a well-known company (like a bank, Amazon, or Microsoft).
• They send you an email or create a fake website using the company's official language and logo.
• Goal: To make you enter your data (like credit card details or passwords).
• Example: In 2020, someone created a Twitter account in the name of the Eli Lilly pharmaceutical company and said, "Insulin is free." People believed it, and the stock market was affected, causing billions in losses.
• Protection: Email gateways (email filtering systems) + training + checking links carefully.
3. Typosquatting (or URL Hijacking)
• The attacker creates a website with an address similar to the original site, but with a different letter or a typo.
• Goal: A user who types the address incorrectly lands on the attacker's site.
• Example: Instead of gmail.com, they type gnail.com, or instead of diontraining.com, they type di0ntraining.com (with a zero instead of an O).
• Protection: Training users to look closely at links + companies reserving similar domain names for their own protection.
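An added example (not from these notes or from Dion Training): a small Python check, of the kind a mail gateway or a company's domain-monitoring job would run, that flags a domain as a look-alike of a trusted one either by a single-character typo (gnail.com) or by a digit-for-letter swap (di0ntraining.com). The trusted-domain list and the substitution table are constructed for the demo, and the registrable-domain logic is a naive last-two-labels rule rather than a public-suffix list.

```python
# Added example: flag domains that imitate a trusted brand (typosquatting / URL hijacking).
# TRUSTED and HOMOGLYPHS are constructed for the demo; a real deployment loads them from config.
TRUSTED = ["gmail.com", "diontraining.com", "paypal.com"]

# Digit/letter look-alikes commonly used in squatted names (assumed table, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold look-alike characters so that di0ntraining -> diontraining."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: mail.gnail.com -> gnail.com (no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def lookalike_of(domain: str, trusted=TRUSTED):
    """Return (brand, reason) if domain imitates a trusted domain, else None."""
    cand = registrable(domain)
    if cand in trusted:
        return None  # the genuine domain (or one of its subdomains) is not a look-alike
    cand_name = cand.split(".")[0]
    for brand in trusted:
        brand_name = brand.split(".")[0]
        if cand_name == brand_name:
            return brand, "different TLD"
        if normalize(cand_name) == brand_name:
            return brand, "homoglyph"
        if edit_distance(cand_name, brand_name) == 1:
            return brand, "one-character typo"
    return None
```

A hit on an inbound link or a newly registered domain is a signal to block or to investigate, not proof of abuse on its own.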
4. Watering Hole Attack
• The attacker compromises a service or website that the target users visit frequently.
• After gaining control of the site, they inject malicious software into it.
• The user, trusting the site, visits it and gets infected with malware.
• Example: Like animals in Africa going to drink from the same lake, where lions lie in wait.
• Protection: Monitoring threat intelligence sources + malware detection tools + continuous software updates.
The Core Idea:
The attacker starts by interacting with a person (like a receptionist or secretary) and
presents themselves as a trusted person (e.g., an employee from Microsoft support or
a printer/ink company).
They start with a "semi-correct" or "logical" piece of information to give an impression
of credibility (e.g., "You use HP LaserJet, right?").
If the other person corrects them (e.g., "No, we have Konica Minolta C368"), the
attacker gains new information without appearing to ask.
After that, they exploit the built trust to ask for deeper details (e.g., the printer's IP
address), which is a very important step because this IP can be used in a technical
attack (like accessing the printer's interface or pivoting on the network).
Types of Phishing Attacks, including:
• Phishing
• Vishing
• Smishing
• Whaling
• Spear Phishing
• Business Email Compromise (BEC)
1. Phishing (Phishing via email)
This attack relies on sending fraudulent email messages that appear to be from a
trusted source, with the aim of convincing individuals to disclose personal information
such as credit card numbers or passwords. These attacks often exploit fear or a sense
of urgency to push the victim to click on malicious attachments or links, which leads to
the theft of sensitive data. Phishing here resembles a fisherman who casts a wide net
in the sea to catch the largest possible number of fish. Attackers send mass email
campaigns to millions or thousands of addresses, hoping that some of them will fall
into the trap. For example, if you receive a link that appears to be from Google asking
you to log in to verify your identity, and you proceed to enter your email and password,
this data will actually be captured and exploited.
2. Spear Phishing (Targeted Phishing)
This is more personalized and targeted phishing. The attacker gathers detailed information about the organization or victim to make the message more convincing and harder to detect. The main difference: Phishing = a broad attack, "spray and pray." Spear Phishing = a narrow attack targeted at specific individuals, with a higher success rate. For example: sending a million random messages claiming to be from Bank of America = Phishing. Sending tailored messages to 500 known Bank of America customers (identified through a data breach) = Spear Phishing.
3. Whaling (Whale Phishing)
This is a form of Spear Phishing, but it targets high-level individuals such as:
• CEO (Chief Executive Officer)
• CFO (Chief Financial Officer)
• Members of the board of directors
It is called "Whaling" because the target is not "small fish" (ordinary employees) but
"whales" (senior officials) whose compromises can lead to massive financial gains for
the attacker.
4. Business Email Compromise (BEC)
Also known as "Email Compromise for Businesses."
This is an advanced attack that targets companies through:
• Compromising a real email account within the company.
• Or impersonating a senior official.
This email is then used to send instructions that appear legitimate to employees, such
as:
• Requesting money transfers.
• Requesting sensitive data.
These attacks are very costly. According to the FBI IC3 (Internet Crime Complaint
Center):
• BEC attacks increased by 14.5% in the past year.
• They caused losses of up to $2.7 billion for companies.
5. Vishing (Voice Phishing)
An abbreviation for Voice Phishing.
It relies on phone calls where the attacker pretends to be a trusted entity (like a bank
or a government agency) and uses social engineering to convince the victim to disclose
sensitive information. For example, a caller claims to be a bank employee asking for
your banking details or guiding you through steps that will harm your device.
6. Smishing (SMS Phishing)
An abbreviation for SMS Phishing.
It is usually done via text messages that contain:
• Links to fake websites.
• Or phone numbers to call.
It relies on creating a sense of urgency to push the victim to reply or click.
Phishing has become one of the attack methods most used by attackers today. These attacks focus on deceiving individuals into disclosing sensitive information, which may lead to financial losses and significant data breaches in your organization. However, by providing security awareness training to users and implementing the correct strategies, the risk can be reduced, and the success of any phishing campaign can be effectively thwarted.
Anti-Phishing Campaigns
• A fundamental tool for training individuals in security awareness.
• Aims to teach employees how to recognize phishing attempts.
• Usually includes:
  1. Theoretical training on the different phishing methods.
  2. A practical simulation of phishing attacks, run through a service provider or third party.
Training should cover types of phishing such as:
• Phishing
• Spear Phishing
• Whaling
• BEC (Business Email Compromise)
• Vishing
• Smishing (SMS Phishing)
Also, it should highlight common characteristics of phishing messages, such as:
• Generic greetings (e.g., "Dear Customer")
• Grammatical and spelling errors
• Email impersonation
And training must be continuous because threats are constantly evolving.
Common Indicators of Phishing Attacks
1. Urgency
Phishing messages often include language that conveys urgency (e.g., "Offer ends in 4
hours" or "Click now").
2. Unusual Requests
Such as requesting credit card numbers or passwords via email. Remember: your bank
or IT support will never ask you for this information over the phone or email.
3. Mismatched or Suspicious Links
The displayed text (Display Text) might show a legitimate link (e.g., paypal.com), but
the actual link leads to a fake website (e.g., paypal.hacked.xyz). Solution: Hover your
mouse over the link to reveal the true destination.
4. Suspicious Email Addresses
The displayed name (Display Name) might be different from the actual address. For
example, if you receive an email from Amazon support, but the address is
mr.weirdo578@yahoo.com, then it is a phishing message.
5. Poor Grammar & Spelling
This usually indicates a phishing message. However, some attackers deliberately leave
these errors to filter out the most attentive victims and keep the most susceptible ones
for deception.
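As an added example (not part of the original notes), the Python below applies indicators 1 to 4 to a raw email the way a mailbox triage script or the security team's analysis step would: it reads the From header, pairs every link's visible text with its real destination, and scans the subject and body for urgency phrases and requests for secrets. The two messages, the phrase lists, and the naive last-two-labels domain rule are constructed assumptions for the demo, built from the page's examples (the yahoo.com "Amazon Support" sender and the paypal.hacked.xyz link).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages built from the page's own examples (not real mail).
PHISH = """From: Amazon Support <mr.weirdo578@yahoo.com>
Subject: Action required: verify your payment card immediately

<p>Click now to confirm your credit card number:
<a href="http://paypal.hacked.xyz/login">paypal.com</a></p>
"""
LEGIT = """From: LinkedIn <invitations@linkedin.com>
Subject: You have a new connection request

<p>View it here: <a href="https://www.linkedin.com/mynetwork">linkedin.com</a></p>
"""
# Assumed phrase lists; a production filter would use a larger, tuned set.
URGENCY = ("click now", "immediately", "within 24 hours", "ends in", "will be suspended")
SENSITIVE = ("password", "credit card", "card number", "social security")

def registrable(host: str) -> str:
    """Naive registrable domain (last two labels): paypal.hacked.xyz -> hacked.xyz."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw: str) -> list:
    """Return the names of the indicators above that fire on one raw email."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    # Indicator 4: the display name claims a brand, but the address is somewhere else
    brand = name.lower().split()[0] if name else ""
    if brand and brand not in addr.lower().split("@")[-1]:
        hits.append("display name/address mismatch")
    # Indicator 3: the visible link text shows one domain, the href leads to another
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = re.search(r"([\w-]+\.)+[a-z]{2,}", text.lower())
        actual = urlparse(href).hostname or ""
        if shown and registrable(shown.group(0)) != registrable(actual):
            hits.append("mismatched link")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    if any(p in haystack for p in URGENCY):    # Indicator 1: time pressure
        hits.append("urgency")
    if any(p in haystack for p in SENSITIVE):  # Indicator 2: asks for secrets
        hits.append("unusual request")
    return hits
```

Indicator 5 (poor grammar) is deliberately left out: it needs a language model or dictionary check and, as the notes say, attackers sometimes leave errors in on purpose.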
What to do if you suspect a phishing message?
• Immediately report it to the cybersecurity team (e.g., send it to phishing@yourdomain.com).
• Do not click on any attachments or links within it.
• If the link was actually opened, the affected device must be checked, and an investigation must be conducted quickly.
• The security team should analyze the message according to the indicators (errors - email address - links - urgency).
• Send an alert to the rest of the employees to raise their awareness about the message.
• Review security measures such as:
  o Updating spam filters
  o Enhancing awareness training
If you are a security officer or administrator and you send employees an email that
looks like a phishing email, and an employee clicks on the link and falls for it, it will be
recorded that this person needs more training, even if the subject is simple. If they
don't click, then this person is aware and understands.
The Tool:
There is a free program called Phish Insight from Trend Micro.
Go to phishinsight.trendmicro.com
Log in and create an account.
Steps:
1. Choose "Create Campaign" and write the list of people you want to send it to
(e.g., an employee named "Jason").
2. Choose a ready-made template (e.g., LinkedIn request). Its appearance is very
realistic, to the extent that the employee might think it's a real email.
3. Adjust the Sender Email to appear as if it's coming from a legitimate source. You
can write something like "invitations@linkedin.com" but with a slight spelling
mistake (which the employee is supposed to notice and suspect).
4. Set the campaign duration (day, week, month), especially if you have a large
number of employees.
5. Determine what happens if the employee clicks on the link:
  o It opens a page that says, "You have been phished! Get training so it doesn't happen again."
  o Or you can leave it blank and rely on the summary after the campaign.
The Result:
After sending the emails, you start to see:
• Who clicked and fell for it.
• Who didn't.
And based on that, you provide additional training to those who were phished.
The Moral:
Phishing emails are professionally made and look very natural (like from LinkedIn,
Facebook, or even a bank). But always notice:
• The link inside the email might be "websitefun.club" instead of the original site (linkedin.com).
• Sometimes there are spelling errors in the sender's address or in the email itself.
Quick Check:
If you receive an email from LinkedIn or any service, do not click on the link inside the
email. Open a browser yourself and go to the site (linkedin.com) and check if there is a
friend request or not.
Fraud
• Meaning: An attempt to deceive you, in a criminal/legal sense, to gain money or personal information from you.
• Difference from ordinary theft:
  o Theft = The attacker takes something from you directly or by force.
  o Fraud = You yourself hand over the item after being tricked (deceived).
• Common Example:
  o Identity Fraud / Identity Theft:
    ▪ The attacker takes your personal information (like SSN/national ID, date of birth, address, etc.).
    ▪ They can use it to apply for a credit card, buy something in your name, or even work under your identity.
    ▪ The Difference:
      ▪ Identity Fraud: Uses only part of your data (e.g., your credit card) to buy with it.
      ▪ Identity Theft: Completely impersonates you (e.g., applies for a loan or a job) with your identity.
    ▪ In general, people use the term Identity Theft for both.
Scam
• Meaning: Any process of deception or trickery to trap you.
• Very Common Example:
  o Invoice Scam:
    1. The Simple Method (Social Engineering):
      o The attacker calls your company, claiming to be from a company selling office supplies or printer ink.
      o They ask you, "Are you still using HP printers?"
      o The employee either agrees or corrects them and says the correct model.
      o The attacker says, "Okay, I will send you the order; it will arrive tomorrow."
      o The employee says, "Okay." ← This is recorded as approval.
      o A shipment (e.g., toner/ink) actually arrives at the company with a very expensive invoice.
      o The invoice is for $950, while the normal price for the item is $100.
      When the company tries to return the product, they find that it says "No replacement / No return," and the attacker has a recorded voice approval.
    2. The Technical Method (Phish-Res / Malware):
      o The attacker sends an email with a PDF invoice to the Accounting Department.
      o When the employee opens the PDF, it contains malicious code (Malware/Remote Access Trojan).
      o The code gives the attacker full access to the employee's device, which can then reach the entire company network.
Why are Fraud & Scam classified as Social Engineering?
Because the attacker does not rely on a technical breach in the first place, but rather
on deceiving the victim to hand over the desired item (access/money/information)
themselves.
What are Influence Campaigns?
These are deliberate and planned campaigns to influence people's opinions or
behavior towards an idea, person, or group.
• They can be good, like campaigns encouraging people to get vaccinated against diseases.
• And they can be evil/malicious, like campaigns spreading false rumors to manipulate people's minds and steer them on political issues or elections.
What is the role of social media here?
With social media, it has become very easy for information to reach millions in
seconds, without anyone checking or filtering it. This is very dangerous because any
information (even if it's false) can spread very widely.
Misinformation
• Meaning: Information that is inaccurate or false.
• But it was spread without intent to harm.
• That is, someone believed a false rumor and spread it.
• Example: In the early days of the Corona (COVID-19) pandemic, people were spreading claims that drinking chlorine or gargling with salt water kills the virus. They themselves believed the false information and did not intend to harm.
Disinformation
• Meaning: Deliberately false information, created by someone who knows it is false.
• Goal: To mislead or deceive people to gain something (political, economic, or to cause division among people).
• Example: Russian interference in the 2016 US elections. They created fake Twitter and Facebook accounts and spread false news to steer people to vote for a specific person.
• Another Example (not political): the Twitter Bitcoin Scam of 2020
  o Hackers compromised very large accounts like those of Bill Gates, Elon Musk, and Obama.
  o They posted tweets saying, "Send me Bitcoin, and I will send you back double."
  o People believed it because the accounts were very trustworthy.
  o The Result? Hackers gained huge amounts of money, and victims lost theirs.
Why is this topic dangerous?
• It can shake people's trust in institutions or the state.
• It can divide society (like what happens between two sects or parties).
• It affects critical decisions like elections.
• It makes people spread rumors that harm their money or health.
How do we face this issue?
1. Critical Thinking: Don't believe anything unless you verify it from a trusted
source.
2. Fact-checking: Verify information (look at more than one source).
3. Accountability and Transparency: Platforms like Twitter and Facebook must
have alerts and censorship for misleading posts.
4. Media Literacy: People should understand what a rumor is and how to
distinguish it.
Types of Social Engineering Attacks:
Diversion Theft
• Idea: The attacker distracts you with something in order to steal from you.
• In reality: They might start a small fight or commotion to steal a bag.
• On the Internet: Like DNS spoofing: when you type a correct website address (e.g., facebook.com), it redirects you to a fake website that looks similar, so you type your username and password, and they get stolen.
Hoaxes
• These are fake news items or messages distributed on social media or by email.
• Goal: Either to scare you or to make you download malware.
• Example: A message that says, "Congratulations, you won an iPhone, click here," or a fake alert that says, "Your computer has a dangerous virus" (which is not true).
• Solution: Check the source and think with your brain.
Shoulder Surfing
• An attacker looks over your shoulder while you type your password or ATM PIN.
• They don't have to be standing next to you; they can use a camera from a distance.
• Solution: Use privacy screens at work and cover the keypad with your hand when entering your PIN.
Dumpster Diving
• An attacker searches through discarded papers or trash to find sensitive data.
• Example: Client data, invoices, contracts.
• In the digital world: Searching through files or the Recycle Bin that are "deleted but still exist."
• Solution: Shred papers and delete files securely (secure delete).
Eavesdropping
• Simply: Listening to a private conversation without permission.
• Digitally: Intercepting the connection between you and a server (man-in-the-middle attack).
• Solution: Use encryption and make sure websites use HTTPS.
Baiting
• The attacker leaves an enticing file or USB drive to make the victim open it.
• Example: An employee finds a flash drive in the parking lot labeled "Employee Salaries." They try it on their computer, and the device gets infected with a virus.
• Solution: Do not use any file or USB drive from an unknown source.
Piggybacking vs. Tailgating
• Tailgating (without their knowledge):
  o An attacker enters behind an employee without the employee noticing.
  o Example: Someone walking in behind an employee who is opening the door with their card.
• Piggybacking (with their knowledge):
  o An attacker convinces an employee to let them in willingly.
  o Example: Someone wearing a delivery uniform says to an employee, "Can you open the door for me? My hands are full." The employee helps them and lets them in.