
Social Engineering Education

(Posted for Tuesday, January 21, 2020)

The Psychology of Social Engineering – Why It Works

Social Engineering, in the context of Information Security, is a threat to Privacy, as it is the psychological manipulation of people into performing actions or divulging confidential information.  Social Engineering is a type of confidence trick for the purpose of information gathering. 

Social Engineering relies heavily on the six Principles of Influence established by Robert Cialdini, a behavioral psychologist and author of Influence: The Psychology of Persuasion. Those six key Principles are: Reciprocity, Commitment and Consistency, Social Proof, Authority, Liking, and Scarcity.

  1. Reciprocity – People tend to return a favor, thus the pervasiveness of free samples in marketing.

  2. Commitment and Consistency – If people commit, orally or in writing, to an idea or goal, they are more likely to honor that commitment because they have stated that that idea or goal fits their self-image. Even if the original incentive or motivation is removed after they have already agreed, they will continue to honor the agreement.

  3. Social Proof – People will do things that they see other people are doing.

  4. Authority – People will tend to obey authority figures, even if they are asked to perform objectionable acts.

  5. Liking – People are easily persuaded by other people whom they like.

  6. Scarcity – Perceived scarcity will generate demand. For example, saying offers are available for a "limited time only" encourages sales.

Social Engineers are aware of these human biases and take advantage of them in a variety of ways.  Social Engineering attacks commonly involve:

  • Pretexting: Masquerading as someone else

  • Baiting: Enticing the victim with promises of something of value

  • Blackmail: Threatening to reveal something that the target wishes to be kept secret

  • Quid Pro Quo (a variant of Baiting): Promising something to the victim in exchange for their help

Social Engineers use their knowledge of how people think in a variety of ways.  By targeting the human element, they increase their probability of a successful attack by bypassing defenses designed to protect against “conventional” hacking.

Tomer Teller, a Security Evangelist and a Researcher at Check Point Software, likens Social Engineering to Hacking the Human Mind, explaining in a 2012 Forbes Guest Post that “Social engineering is about hacking the human mind, something that in many ways is significantly easier than finding a new hat vulnerability and using it as a gateway into your enterprise.”  Teller names “Lure” as key to successful Social Engineering attacks: “While hacking a system requires knowledge of programming vulnerabilities, hacking the human mind requires a different kind of knowledge – specifically, what types of e-mails or links is the victim most likely to click on.”



(Posted for Wednesday, January 22, 2020)

Tricks of the (Social Engineering) Trade - The Methods a Social Engineer Uses to Trick People into Giving Up Sensitive Information


Phishing attacks are the most common type of attack leveraging social engineering techniques. Attackers use email, social media, instant messaging, and SMS to trick victims into providing sensitive information or visiting malicious URLs in an attempt to compromise their systems.

Phishing attacks present the following common characteristics:

  • Messages are composed to attract the user’s attention, in many cases by stimulating curiosity: they provide a little information on a specific topic and suggest that the victim visit a specific website to obtain more.

  • Phishing messages aimed at gathering user information present a sense of urgency, in an attempt to trick the victim into disclosing sensitive data to resolve a situation that will supposedly get worse without the victim’s intervention.

  • Attackers leverage shortened URLs or embedded links to redirect victims to a malicious domain that could host exploit code, or that could be a clone of a legitimate website with a URL that appears legitimate. In many cases the actual link and the visible link in the email differ: the hyperlink does not point to the location the displayed text suggests.

  • Phishing email messages carry a deceptive subject line to make the recipient believe that the email comes from a trusted source, and attackers use a forged sender address or the spoofed identity of the organization. They usually copy content such as text, logos, images, and styles from the legitimate website to make the message look genuine.


The term pretexting refers to the practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the recipient into handing over information.

Attackers leveraging this specific social engineering technique often adopt several identities they have created over the course of their career. This bad habit can expose their operations to investigation by security experts and law enforcement.

The success of a pretexting attack depends heavily on the attacker’s ability to build trust.

The most advanced forms of pretexting attacks try to manipulate the victims into performing an action that enables the attacker to discover and exploit a point of failure inside an organization.

An attacker can impersonate an external IT services operator to ask internal staff for information that could allow access to systems within the organization.

Baiting and Quid Pro Quo Attacks

Another social engineering technique is baiting, which exploits human curiosity. Baiting is sometimes confused with other social engineering attacks; its main characteristic is the promise of a good that attackers use to deceive the victims.

A classic example is an attack scenario in which attackers use a malicious file disguised as a software update or as generic software. An attacker can also carry out a baiting attack in the physical world, for example by leaving infected USB tokens in the parking lot of a target organization and waiting for internal personnel to insert them into a corporate PC.

The malware installed on the USB tokens then compromises the PCs, giving the attackers full control.

A Quid Pro Quo attack (aka a ‘something for something’ attack) is a variant of baiting. It differs in that, instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit in return for the execution of a specific action.

In a Quid Pro Quo attack scenario, the hacker offers a service or benefit in exchange for information or access.

The most common quid pro quo attack occurs when a hacker impersonates an IT staffer of a large organization. The hacker contacts employees of the target organization by phone and offers them some kind of upgrade or software installation.

They might ask victims to facilitate the operation by temporarily disabling the antivirus software so that the malicious application can be installed.



(Posted for Thursday, January 23, 2020)

Combat Social Engineering Attacks with Critical Thinking

Please take a minute to review this short article on Critical Thinking and how it is a defense against Social Engineering Attacks.  Article:


NOW, consider the following scenarios:

Scenario #1:  You get a call from the “Help Desk.”  The person calling explains that there is a problem with your computer.  They ask for your Username and Password to access your machine to be able to investigate and remediate the problem.   

Think (Critically) About It:  Providing your login credentials to the Caller is a liability.  A password is your authentication, and as soon as even one other person knows it, it can no longer prove your identity.  Any activity done on your machine, with your password, is traced back to you.  Do you really want to be responsible for the actions of another? 

Additional Background/Perspective:

Principles of Influence Used:  Reciprocity and Authority (Review the Post for Tuesday, January 21, 2020: The Psychology of Social Engineering – Why It Works)

Emotional Triggers Used:  Fear, Trust, Curiosity, Greed  


Help Desk Graphic

Scenario #2:  You get a text from FedEx asking questions about your preferences around a pending delivery.  There is a link to click to provide the needed information.

Think (Critically) About It: Why would FedEx reach out to YOU for information on THEIR operations?  They wouldn’t.  They have all the information they need, provided by the order.    

Additional Background/Perspective:

Principles of Influence Used:  Reciprocity and Authority (Review the Post for Tuesday, January 21, 2020: The Psychology of Social Engineering – Why It Works)

Emotional Triggers Used:  Fear, Trust, Curiosity, Greed


FedEx Text Message Scam

Scenario #3:  You get an email with an Amazon Gift Card Offer.

Think (Critically) About It:  Why would Amazon be giving out $1,000 Gift Cards, randomly?  Is it a good Business Practice to give away large sums of money?  Does Amazon need to incentivize Sales? 

Additional Background/Perspective:

Principles of Influence Used:  Reciprocity, Liking and Scarcity (Review the Post for Tuesday, January 21, 2020: The Psychology of Social Engineering – Why It Works)

Emotional Triggers Used:  Fear, Trust, Curiosity, Greed


Amazon Gift Card Offer Scam


Look Out!

Tips on Identifying Phishing (a type of Social Engineering) Emails

Social Engineering Attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data.  Commonly, Social Engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file.  Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of Social Engineering.  Social Engineering Attacks that target companies or individuals are most easily and successfully launched through email.

Some of the most effective Subject Lines are often innocent and simple like these:

  • A Special Invitation
  • Advisory: Your online file was accessed
  • Celebrate Mom this Sunday with an exquisite $29.96 bouquet
  • Get noticed and watch your career take off
  • Learn about harp
  • Mother’s Day bouquets with DESIGNER VASES
  • Service cancellation May 10
  • Welcome to the Who’s Who Connection
  • Confirm for your delivery
  • Confirm your 3K transfer by Monday
  • FBI letter of notification [code 210]
  • Incoming fax
  • I think you'll like this
  • New health care reform laws are in
  • No interest for the first year
  • Notice of payment
  • Treat as urgent and get back to me
  • Your installation
  • Your phone number

Once the Recipient opens an email, the message has to be compelling enough to engineer a click of a link or attached file in order to initiate or deliver the Attack.  Phishing has been increasingly successful because the Attackers are creating more legitimate looking emails and the Attacks are more sophisticated.  Thanks to the prevalence of Social Media, an Attacker can look up everything they need to know about a person and their interests, craft an email specially tailored to that person, and email something directly to them, which increases the chances of that person clicking.

Phishing Emails are:

  • Emails with a very professional look and presentation.  These emails may include spoofed email addresses of legitimate companies or seemingly innocent pitches such as the sale of Mother's Day flowers.
  • Emails that are very short and to the point, often citing a bogus invoice, blocked payment, delivery, or fax.
  • Emails that are meant to engineer click-behavior by intimidation, such as an email made to look like it is from the FBI, a bank authority, or the IRS.

In the examples of Phishing Emails that follow, look for these features indicative of forgery:

  • Spelling, Grammar and Punctuation Errors
  • Demands Urgent Action
  • Differing Email Addresses (Can be discovered by hovering your mouse over the Sender’s Email Address to see if it matches the email address that is shown.)

Wells Fargo Phishing example.
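The two indicators above that a machine can check, the sender address that does not match the brand in the display name and the link whose visible text names one site while its target is another (also described in the Wednesday post on phishing characteristics), can be turned into a small triage script. The following Python checker is an added example written for this page; it is not code from the original posts. The two sample messages, the attacker domains (all under .example) and the small brand-to-domain map are constructed for the demonstration; the urgency word list is an assumption, not a standard, and spelling or grammar checks are out of scope.

```python
"""Added example: score a raw email against three phishing indicators.

Indicators checked (all from the post's list of forgery features):
  1. display name claims a known brand but the sender domain differs,
  2. an anchor's visible text names a domain that is not the href's domain,
  3. urgency language in the subject or body.
Sample messages, .example domains and the brand map are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed demo map: brand names a display name might claim -> real domain.
KNOWN_BRANDS = {"wells fargo": "wellsfargo.com", "fedex": "fedex.com", "amazon": "amazon.com"}
# Assumed urgency phrases; a real deployment would tune this list.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, actual domain) for links whose shown domain differs from the target."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if not shown:  # "Click here" style text gives nothing to compare
            continue
        target = registrable_domain(urlparse(href).hostname or "")
        if registrable_domain(shown.group(1)) != target:
            hits.append((text, target))
    return hits


def sender_brand_mismatch(msg):
    """Flag a display name that claims a brand while the address domain is something else."""
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    for brand, domain in KNOWN_BRANDS.items():
        if brand in name.lower() and sender_domain != domain:
            return f"display name claims '{brand}' but sender domain is {sender_domain}"
    return None


def urgency_terms(text):
    low = text.lower()
    return [t for t in URGENCY_TERMS if t in low]


def html_body(msg):
    """First text/html part, decoded; msg.walk() yields the message itself if not multipart."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def assess(raw):
    """Run all three checks and return the findings plus a simple additive score."""
    msg = message_from_string(raw)
    body = html_body(msg)
    findings = {
        "sender_brand_mismatch": sender_brand_mismatch(msg),
        "mismatched_links": mismatched_links(body),
        "urgency_terms": urgency_terms(msg.get("Subject", "") + " " + body),
    }
    findings["score"] = (1 if findings["sender_brand_mismatch"] else 0) \
        + len(findings["mismatched_links"]) + len(findings["urgency_terms"])
    return findings


# Constructed sample: looks like the bank, but the address and link target are an .example domain.
SAMPLE_PHISH = """From: Wells Fargo Online <alerts@wf-secure-login.example>
To: customer@example.org
Subject: URGENT: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer, verify your account within 24 hours or it will remain suspended.</p>
<p><a href="http://wellsfargo.com.wf-secure-login.example/verify">https://www.wellsfargo.com/verify</a></p>
</body></html>
"""

# Constructed sample of a message whose sender and link both match the brand's domain.
SAMPLE_LEGIT = """From: Wells Fargo <alerts@wellsfargo.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at <a href="https://www.wellsfargo.com/">https://www.wellsfargo.com/</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw))
```

The link check deliberately skips anchors whose text is not itself a domain, because "Click here" gives nothing to compare; that is the same limitation a person faces when hovering, which is why the hover check and the sender-domain check complement each other. The score is additive only so that each finding stays visible to the analyst; it is a triage aid, not a verdict.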