# Sec+ #001: Different types of Social Engineering Techniques

Marvin’s Phone rings and he picks it up. Hello?

Scammer: Good afternoon Mr. Marvin, this is Kelvin from the security department of your bank. We've observed some suspicious behavior on your account and need your help right away to remedy the problem.

Marvin: Oh, you're serious? What kind of activity are we discussing?

Scammer: Mr. Marvin, we suspect unauthorized access to your account. Many of our valued customers have faced similar issues recently, but we were able to resolve them by generating a One-Time Password (OTP) to validate their account ownership. It will be delivered to your phone, and I will guide you through the steps.

Marvin: Okay, Just let me know what I need to do.

Scammer: Please provide the OTP just sent to your phone.

Marvin provides the OTP to the scammer(caller)

Scammer: You've done an excellent job. For security reasons, we must now check a few additional details. Please confirm your birth date and the last four digits Debit Card.

Marvin: Sure, my birth date is (*provides details*), and the final four digits of my Debit Card are(*provides details*).

Scammer: Thank you so much. Your account has been secured, and we thank you for your assistance. Is there anything else I can do for you today?

Marvin: No, Thank you.

Marvin hangs up, unaware of the scammer's deception. Days later, he checks his bank account and discovers that it has been fully drained. In this terrible scenario, Marvin falls prey to the social engineering fraud, unintentionally providing the scammer with his OTP and personal information. His discovery comes too late, as his bank account has been fully wiped. OUCH!!!

Sit back, relax, and sip your favorite drink as I take you on a delightful adventure!!!

1.1 What is Social Engineering?

The term "social engineering" refers to a variety of strategies used to "compel" people into disclosing information or acting on behalf of a threat actor. Social engineering is a type of attack that primarily targets Humans. It frequently involves some type of social connection and capitalizes on positive characteristics such as a willingness to help others. It's also known as "hacking the human"

1.2 Social Engineering Techniques

Social engineering attacks can take many different forms and can be carried out everywhere there is human interaction. The most popular types of social engineering techniques are as follows.

#1: Phishing

Phishing involves deceiving victims into disclosing sensitive information through the fraudulent use of email.
It often poses as a reliable source, such as a reputable organization, to obtain personal information.
This technique combines social engineering with spoofing to create the appearance of a legitimate entity to manipulate the target.
NEVER CLICK A LINK IN AN EMAIL; rather, go directly to the website

#2: Smishing

Smishing, a phishing variant, uses SMS text messages to trick victims into disclosing critical information.
The attack starts with an SMS message that directs the user to a URL that acts as a platform for multiple attack vectors, including potentially malware-infected content.

#3: Vishing

Vishing includes manipulating human relationships via phone calls or IP-based voice messaging services (VoIP) to collect sensitive information.
The channel for this approach, also known as voice phishing, is voice communication technology.

#4: Spam

Spams are unsolicited emails, sometimes known as junk email.
Spam is a social engineering approach that involves delivering unsolicited and false messages to recipients to manipulate them.
Its goal is to dupe people into acting or disclosing critical information.
Spammers take advantage of human vulnerabilities by mimicking reputable sources and employing psychological techniques

#5: SPIM

SPIM, often known as spam via instant messaging, involves the unsolicited distribution of deceptive and unwanted messages via instant messaging platforms.
These messages frequently include malicious links or attempts to collect personal information.

#6: Spear phishing

Spear phishing is a word used to describe a phishing attempt that targets a specific person or group of people who have a common trait.
It is a type of phishing that uses email or the internet to target specific persons.
It is a phishing scam in which the attacker possesses information that makes a certain victim more likely to be fooled by the attack.
Targeted phishing messages, customized to individual users and incorporating inside information, enhance the attack's credibility.

#7: Dumpster diving

Dumpster diving involves sorting through discarded or disposed materials from an organization or individual to find valuable papers or possibly sensitive information.
It is the technique of searching through trash or abandoned removable media for usable data that can be abused during a penetration attempt.

#8: Shoulder surfing

Shoulder surfing is a technique to watch someone enter in their sensitive information such as password or PIN and then steal it.
Despite the name, the attacker may not even need to be close to the target, they could utilize CCTV or powerful binoculars to view the victim directly from a distance.
Use privacy filters to prevent shoulder surfing

#9: Pharming

Pharming is a type of impersonation attack in which customers are directed from a legitimate website to a fake website with a similar appearance.
Pharming can be accomplished through two methods: poisoning DNS servers or exploiting vulnerabilities in clients.
Pharming, unlike other forms of social engineering, utilizes a passive method that manipulates the victim's computer's DNS process, resulting in users being redirected from legitimate websites to malicious ones.

#10: Tailgating

Tailgating, also known as piggybacking, is a social engineering technique that involves closely following an authorized individual to gain unauthorized access to a secure area.
The attacker uses this approach to take advantage of someone who has properly opened a door or passed through a checkpoint using their access card or PIN.

#11: Eliciting information

Elicitation of information is a technique of social engineering that entails influencing people to reveal sensitive information.
It necessitates the development of trust, the establishment of rapport, and the utilization of human psychology.
Often Performed via vishing

#12: Whaling

Studies show that "The blue whale (Balaenoptera musculus) holds the title for being the largest animal on Earth"

Whaling, also known as CEO spear phishing, is a type of phishing that specifically targets senior executives or rich individuals.
It is aimed primarily at upper-level management inside a firm, such as CEOs and other high-profile persons deemed "big fish" targets.

#13: Prepending

Prepending is a social engineering method in which an attacker inserts specified characters or phrases into the beginning of a website's URL to fool users.
The attacker's goal in changing the URL is to establish a false sense of confidence and deceive victims into disclosing sensitive information.
In the case of cyvally.com, for example, an attacker may establish a malicious URL such as "login.cyvally.com" to trick users into submitting their credentials.
To defend themselves from social engineering attempts, users must be cautious and validate the entire URL.

#14: Identity fraud

Identity theft is a type of impersonation in which an attacker creates or unlawfully obtains and uses another person's personal information.
It makes use of certain details from a person's identification.
Credential databases (haveibeenpwned.com) allow individuals to check if their personal information, such as email addresses or usernames, has been compromised in data breaches.

#15: Invoice scams

An invoice scam, also referred to as invoice fraud or business email compromise, tricks individuals or organizations into making false payments or disclosing sensitive financial information.
Attackers create fake invoices or mimic legitimate payment requests to deceive victims into transferring funds to their own accounts.
To protect against invoice scams, it is crucial to establish robust verification systems and educate staff about the risks associated with fraudulent payment requests.

#16: Credential harvesting

Credential harvesting is a social engineering technique used to obtain sensitive user credentials, such as usernames and passwords.
The credentials obtained are valuable for unauthorized account access and can lead to identity theft and financial crime.
To protect against credential harvesting, verify the legality of requests, use strong passwords and multi-factor authentication, keep software up to date, and educate users about the risk involved with this technique

#17: Reconnaissance

Reconnaissance refers to gathering information regarding a target to uncover vulnerabilities and prepare effective attacks.
To get important information, attackers employ a variety of techniques such as open-source intelligence, other social engineering techniques, and physical surveillance.
Reconnaissance assists attackers in creating profiles of their targets, understanding their behavioral patterns, and developing specialized social engineering strategies.

#18: Hoax

It is a threat that doesn't genuinely exist
Hoax refers to a deceptive scheme intended to manipulate individuals for personal gain.
Social engineers employ hoaxes to distribute false information, invent scenarios, or fool targets to elicit specific behaviors or obtain sensitive information.
To avoid falling prey to social engineering hoaxes, it is vital to use critical thinking, and skepticism, and verify information sources.

#19: Impersonation

Impersonation entails claiming to be someone else, usually a trustworthy entity, to deceive and manipulate people for personal gain.
To gain the target's trust, social engineers adopt the identity or persona of a colleague, authority figure, or trusted organization.

#20: Watering hole attack

Watering hole attack occurs when an attacker identifies specific groups or organizations, learns which websites they visit, and injects malicious code into those websites.
It is another passive strategy in which the threat actor does not have to risk direct communication with the target.
To prevent, Apply Defense-in-depth mechanism, Firewalls and IPS, Anti-virus/Anti-malware

#21: Typosquatting

Typosquatting, also known as URL hijacking in which an attacker registers a domain name with a frequent misspelling of an existing domain so that when a user enters a URL into a browser, they are directed to the attacker's website.
This means that the threat actor registers a domain name that is extremely close to a legitimate one.
For instance, "cyvally.com" could be used as a typosquatting domain for "cyvalley.com."

#22: Pretexting

Pretexting is a social engineering method that entails fabricating a fictitious scenario or identity to fool others and obtain sensitive information from them.
To acquire the target's trust and persuade them to disclose confidential data, attackers employ elaborate stories or mimic trusted persons.

#23: Influence campaigns

An influence campaign is a well-planned effort by a highly capable institution, such as a nation-state or terrorist organization, to influence public opinion on a certain topic.
These campaigns frequently employ a mix of tactics, such as espionage, disinformation, hacking, and the exploitation of social media platforms.
The goal is to change people's perceptions and impact public debate in support of the campaign's goals.

1.3 Principles (reasons for effectiveness) of Social Engineering

Social engineering is a popular and successful malevolent technique. Because it takes advantage of basic human trust, social engineering has shown to be a particularly effective means of persuading individuals to perform behaviors they would not otherwise perform. Social engineering attacks must adhere to one or more of the following principles to be effective. Using the scenario above, Principles of Social Engineering are:

Authority: This is using a position of power or competence to acquire the target's trust and compliance.

Using the idea of authority, the scammer appears as a representative from Marvin's bank's security department. The scammer obtains Marvin's trust and cooperation by claiming to have the competence and power to remedy the alleged issue.

Intimidation: This is the use of fear or threats to pressure the target into doing specific tasks or disclosing sensitive information.

By highlighting unusual activity on Marvin's account, the scammer generates a sense of urgency and fear. This intimidating strategy is intended to make Marvin more receptive to the scammer's instructions without questioning them.

Consensus: This is influencing the target by evidence that others have already taken the desired action.

The scammer achieves consensus by telling Marvin that his help is required to remedy the security issue. By insinuating that other customers have also been affected, the fraudster hopes to make Marvin believe that his actions are consistent with those of others.

Scarcity: This is in order to motivate prompt compliance and create a sense of limited supply or urgency.

By emphasizing the necessity for fast action, the scammer creates a sense of scarcity. The scammer instills anxiety in Marvin by claiming that his account is at jeopardy and demands the One-Time Password (OTP) without delay, prompting Marvin to supply the needed information swiftly.

Familiarity: Creating a connection or relationship with the target through the use of shared experiences or personal information.

The scammer addresses Marvin by name, bringing a personal touch to the interaction. The scammer seeks to establish a connection and build confidence in this manner, making Marvin more inclined to agree with the scammer's requests.

Trust: Deception and manipulation are used to instill trust and reliance in the attacker.

The scammer earns Marvin's trust by impersonating a bank official, exhibiting knowledge of Marvin's personal information, and assuring him that the activities are required for account protection. Because of this trust, the scammer is able to obtain crucial information from Marvin without raising suspicions.

Urgency: Creating a time-sensitive situation that forces the target to respond fast and without careful thought.

The scammer instills a sense of urgency by claiming that quick action is required to remedy the purported security threat. The scammer puts pressure on Marvin to supply the sought information immediately by emphasizing the need for collaboration and prompt response.

These principles of social engineering collectively contribute to the success of the scam, as Marvin falls victim to the deception and unknowingly provides the scammer with the necessary information to drain his bank account. It serves as a reminder of the importance of being vigilant and cautious when dealing with requests for personal information, especially in situations involving authority, urgency, and unfamiliar or unexpected interactions.

"Social engineering is a dance of trust and deceit, where the attacker leads and the victim follows, unaware of the dangerous steps they are taking."
- Brian Krebs

1.4 Review Questions