Understanding Social Engineering

Some people may believe that hackers only use high-end hacking
tools and techniques to breach the information security defenses of an
organization, personal accounts, mobile devices, and so on. However, this
assumption is not true. Hackers have learned that one of the easiest ways into
your computer is social engineering: exploiting human psychology. It is much
easier to trick someone into revealing a password for a system than to exert
the effort of hacking into the system.

Social engineering is one of the most prolific and effective
means of gaining access to secure systems and obtaining sensitive information,
yet it requires minimal knowledge of technology. Social engineers are creative,
and their tactics can be expected to take advantage of new technologies and situations;
therefore, technical protection measures are usually ineffective against this
kind of attack. It does not matter how many locks your doors and windows have,
or whether you have guard dogs or a home security system: if you trust the person at the
door who says he or she is the mail carrier or food delivery person, and you let
him or her in without first checking whether he or she is legitimate, you are
completely exposed to whatever risk that person represents.

In cyber-security, people are often the weakest link in the
chain. Social engineering refers to the manipulation of individuals in order to
coerce them into carrying out specific actions or revealing information that
can be of use to an attacker. Social engineering itself does not
necessarily require a large amount of technical knowledge in order to be
successful. Rather, as Alan Woodward (2012) believed, social engineering
preys on common aspects of human psychology such as curiosity, courtesy,
gullibility, greed, thoughtlessness, shyness and apathy (CNN.com). This paper
describes social engineering and its various forms, and
how they take advantage of human behavior. It also discusses ways to fight and
prevent social engineering attacks, and highlights the importance of policy and
education in winning the battle.

The Psychology of Social Engineering

People’s behavior can have a big impact on information
security. Although social engineering
results in employees simply handing valuable information to an attacker, it is
important to note that the employee generally does not do so maliciously. It is
important for IT professionals to understand the ways in which social engineers
take advantage of human psychology in order to carry out their attacks. Thomas
Peltier (2006) suggests that there are four fundamental qualities of human nature
that social engineers prey on: the desire to be
helpful, the tendency to trust people, the fear of getting into trouble and the
willingness to cut corners.

Desire to Be Helpful

One of
the most common targets for a social engineer is the customer service representative who
provides information and support to external customers, because the
representative tends to be easily accessible. These employees are usually trained
well and want to make sure the customer is satisfied, and the best way to offer
an exceptional customer experience is to give positive responses to those
needing assistance. Most employees want to be helpful, and this can lead
to giving away too much information.

Tendency to Trust People

Human nature is to trust others until they prove that they are not trustworthy. Kevin
Mitnick and William Simon (2003) describe a fatal flaw that most people share:
a tendency to have trust and faith in each other. If someone reveals a certain
aspect of their personality or shares a personal anecdote, it is easy to build
trust on this alone. This blind
trust in others has resulted in thousands of people believing false stories. While it
is possible that information from the internet has improved our defenses
against some obvious attempts at social engineering, this has not changed the
fact that people are still vulnerable to well-crafted social engineering
attacks. Someone with the right story, voice, speech
pattern, body language and so on can still fool us.

Fear of Getting into Trouble

It is
undeniable that fear can be a powerful motivator. Social engineers often take
advantage of fear to bypass one’s rational thought process and create a false
sense of urgency. Examples include fear of getting someone in trouble, fear
of not meeting a deadline, and so on. Regardless of the situation, the pressure to
act quickly may override people’s ability to stop and think about what is
really happening. Fear, coupled with false urgency, can completely short-circuit people’s
thought processes and make them vulnerable to complying with social engineers’
requests. Management must support all employees who are doing their jobs
and protecting the information resources of the enterprise. Make sure your
fellow co-workers are educated on these tactics as well.

Willingness to Cut Corners

Social engineers exploit people’s laziness, that is,
the willingness to cut corners, especially when the shirking appears to be
relatively harmless or unimportant, to attack your organization. This is because people, unlike computers,
get distracted or become tired.
They leave their password on the screen, or they file away confidential paperwork
and leave it exposed for others to see. Employees adopt a level of effort
they are able to sustain throughout the week to get them to the weekend. When a
situation arises that could require a substantial amount of extra work, many
people will choose to assume the person is legitimately asking for the
information, because that is the more convenient thing to do.

Types of Social Engineering Attacks

Social engineering can take many
forms depending on the medium used to implement it. There are human-based attacks
such as tailgating and technology-based attacks such as phishing. Looking at
both human-based and technology-based attacks, seven examples are summarized
below.


Phishing is the
most common type of social engineering. Bisson (2015) believes
that most phishing scams tend to have the following characteristics:

They seek to obtain sensitive information, such as
usernames, passwords, social security numbers, and credit card details.

They use shortened links or embedded links that redirect users
to suspicious websites using URLs that appear legitimate, such as a renowned

They incorporate threats, fear and a sense of urgency in an
attempt to manipulate the user into acting promptly.

Phishing attacks are not personalized to their victims. The attackers
often disguise themselves as a trustworthy organization and send to masses of
people at the same time. For example, an attacker may
send the user an email seemingly from a reputable organization that requests
confidential information such as a username and password, often suggesting that there is a
problem or that the request is simply to confirm the user’s identity. When users respond with the
requested information, attackers can use it to gain access to the accounts. Alternatively, the attacker may
be able to trick the user into downloading an infected attachment contained within the
email message. Once the user
downloads and opens the attachment, he or she is directed to an HTML page and
asked to fill in their credentials. Because this attachment is stored
locally, it is less likely to be blocked by anti-phishing mechanisms. Some
attachments also try to prevent anti-phishing software from detecting the fraudulent
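The three characteristics above (a request for secrets, links that hide or misrepresent their destination, and manufactured urgency) can each be turned into a simple check on an inbound message. The following Python script is an added example, not part of the paper: it scores a constructed e-mail against those traits and reports the reasons. The shortener list, the phrase lists and the two sample messages are constructed assumptions for illustration, and a real mail gateway would use far richer signals.

```python
"""Heuristic triage of an inbound e-mail against common phishing traits.

Added example, not from the original paper. The shortener list, keyword
lists and sample messages below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed list of hosts commonly used to hide a link's real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Phrases that manufacture fear or urgency (third trait in the text).
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "verify now", "final notice")

# Requests for the kinds of secrets phishing seeks (first trait in the text).
SECRET_REQUESTS = ("password", "social security number", "credit card",
                   "pin", "username and password")


@dataclass
class Email:
    sender: str                 # address shown in the From header
    subject: str
    body: str
    links: list = field(default_factory=list)   # (visible text, href) pairs


def host_of(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself reads as a web address."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text.strip(), re.I))


def score_email(msg):
    """Return (score, reasons); each matched trait adds to the score."""
    score, reasons = 0, []
    text = f"{msg.subject}\n{msg.body}".lower()
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()

    for visible, href in msg.links:
        h = host_of(href)
        if h in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened link hides its destination: {href}")
        # Second trait: text that shows one address while the href goes elsewhere.
        if looks_like_url(visible):
            shown = visible if visible.lower().startswith("http") else "http://" + visible
            if host_of(shown) != h:
                score += 3
                reasons.append(f"link text {visible!r} but href goes to {h}")

    # A message claiming to be from an organization usually links to its own domain.
    if msg.links and not any(host_of(href).endswith(sender_domain) for _, href in msg.links):
        score += 1
        reasons.append("no link points at the sender's own domain")

    urgency = [p for p in URGENCY_PHRASES if p in text]
    score += len(urgency)
    if urgency:
        reasons.append("urgency language: " + ", ".join(urgency))

    # Word boundaries so that e.g. 'pin' does not match 'shipping'.
    if any(re.search(r"\b" + re.escape(s) + r"\b", text) for s in SECRET_REQUESTS):
        score += 2
        reasons.append("asks for credentials or other secrets")
    return score, reasons


def classify(msg, threshold=4):
    """Label the message; the threshold is an assumption chosen for the sample."""
    score, reasons = score_email(msg)
    label = "likely phishing" if score >= threshold else "no phishing traits found"
    return label, score, reasons


# Constructed samples: one message showing all three traits, one benign newsletter.
PHISH = Email(
    sender="alerts@bank-secure-login.com",
    subject="Urgent: verify your account",
    body=("Your account will be suspended within 24 hours. Verify now by confirming "
          "your username and password at http://example-bank.com/login"),
    links=[("http://example-bank.com/login", "http://bit.ly/2xYz")],
)
BENIGN = Email(
    sender="newsletter@example.org",
    subject="Monthly update",
    body="Here is our monthly newsletter. Read more on our site.",
    links=[("our site", "https://www.example.org/news")],
)

if __name__ == "__main__":
    for m in (PHISH, BENIGN):
        label, score, reasons = classify(m)
        print(f"{m.subject!r}: {label} (score {score})")
        for r in reasons:
            print("  -", r)
```

The scorer is deliberately transparent: every point it awards comes with the reason, so an analyst or a user awareness program can show exactly which trait from the list above was present in a given message.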

Spear Phishing

According to the Federal Bureau of Investigation (2009), spear-phishing
attackers begin by hacking into an organization’s computer network or combing through
other websites and social media sites. Then the attackers send emails that look
like the real thing to targeted victims, offering all sorts of urgent and
legitimate-sounding explanations as to why they need your personal data. Finally, the
victims are asked to click on a link inside the e-mail that takes them to a
phony but realistic-looking website, where they are asked to provide passwords,
account numbers, user IDs, access codes, PINs, and so on.

Spear phishing is very similar to phishing, but it is personalized and
requires
extra effort on the side of the attackers. Instead of casting out thousands
of emails at random and hoping to catch a few victims, spear phishing uses more sophisticated
techniques and targets groups of people with something in common: they work at the same
company, bank at the same financial institution, attend the same college, or order
products from the same website.


Social engineers refer to vishing as the old-fashioned way: using the phone.
Vishing exploits an individual’s trust in phone services, as the victim is
often unaware that fraudsters can use methods such as caller ID spoofing and
complex automated systems to commit this type of scam.


Baiting is a technique
in which the attacker places ‘bait’ for the victim to take on their own
initiative. There are several ways to do it. Attackers leave infected optical
disks or mobile storage devices in public places in the hope that someone will pick them up
and use them on their devices. The other
way is for the attackers to direct users to a website offering free movies,
books or other downloads, and then ask the users to provide their credentials
for a certain site.


is based on a scripted
scenario where the social engineer pretends to need information from the victim
in order to extract personally identifiable information or some other information.
After establishing trust with the targeted individual, the social engineer
might ask a series of questions designed to gather key individual identifiers,
such as confirmation of the individual’s social security number, father’s
maiden name, place or date of birth, or account number.


Tailgating or “piggybacking” is when a social engineer gains
access by following an authorized user into restricted areas where
radio-frequency identification authentication is required. For example,
when a social engineer wants to gain physical access to an organization, a
common tactic is to follow an employee into the building in order to bypass the
ID scan. In this case, the employee is following standard social conventions by
holding the door for people behind them without checking whether the person behind
them has a valid ID. The employee would not feel as if they were doing
anything wrong.

Quid Pro Quo

Quid pro quo occurs when an attacker promises a
service or gifts in exchange for information. The attacker could
impersonate an IT support person who calls all direct lines within a company
hoping to reach a person with a legitimate problem. Once such a person is
reached, the attacker asks this person to follow
instructions. Convinced that network access credentials are required to
fix the IT problem, the victim willingly shares this sensitive information and
gives the attacker direct control of the company computer or access to the
company network. It is interesting to think about this: how many times have you
called tech support and waited on hold for a long time? How many times has tech
support called you wanting to offer you help? The answer is probably zero.

Quid pro quo tactics also extend
beyond IT fixes. In less sophisticated real-world scenarios, people have
revealed their network access credentials in return for free gifts. Here is an
example of quid pro quo: a “Congratulations! You have won a prize!”
website claims you have just won a gift from Amazon. If you click the link, it
takes you to a survey page where several people claim they received their
freebie. Once you enter your personal information, they can then target you with
more junk, or they gain access to your Amazon account.


Social Media

Last, even
beyond human-based and technology-based types of social engineering, there is a
third category. It can be considered technology-based, but it is really more of
a hybrid between human-based and technology-based access, because it requires
technology to access an individual’s information, but using that information to
an attacker’s advantage may include some sort of “virtual” interaction, i.e. a
message on Facebook or a comment on an Instagram post (Algarni, Xu, Chan, &
Tian, 2014).

Many people today tend to share freely personal information
that they believe is harmless online. But hackers view this information
quite differently, especially identity theft experts. Social engineering on
social media is not only about gathering information about users. It can also be used
to create fake profiles that appear legitimate for the purpose of garnering
connections and trust (Algarni, Xu, Chan, & Tian, 2014).

Mitigating the Damage of Social Engineering

The best way
to mitigate the damage of social engineering is to prevent it from happening.
Building awareness of social engineering is critical for everybody. A
commonly suggested defensive tactic against social engineering attacks is to
ensure all employees receive (mandatory) training in recognizing and dealing
with social engineering attacks. The training should be up to date and must
take into consideration all the factors that affect the organization. It is
fine for some organizations to perform security awareness training by using a
third-party service. This is typically accomplished by either contracting a
security consulting firm to give a presentation or purchasing a third-party
training application. Organizations need to make sure that any and all
training covers a basic knowledge of IT
security and also fits well with the trainees’ personalities and

Although an organization may have a proper security training program,
the threat of social engineering still exists. In this case, a
proper security plan should incorporate safeguards designed to limit the
extent of damage that a social engineering attack could cause. There are three
steps that organizations can follow.

By ensuring that users have access only to the
information and systems that they absolutely need to do their jobs, the organization
can limit the amount of damage that a social engineer with access to a person’s
account could cause.

By ensuring that the company retains an access log, it
will be possible for the company to find out what the attacker was able to
access before the company was able to cut off his or her access.

Companies need to perform backups on a regular basis
and ensure that an attacker would not be able to destroy the backup. Backing up
files also protects against accidental loss of user data: an attacker could crash
a computer’s operating system, or data may be corrupted or wiped out
by a hardware problem.
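The first two steps work together after a phished account is discovered: the access log answers what the attacker actually reached between compromise and cut-off, and the least-privilege entitlement list shows which of those resources the account should never have been able to open. The following Python script is an added example and not part of the paper; the log format, the user names, the timestamps and the entitlement list are all constructed assumptions.

```python
"""Scoping what a compromised account reached, from an access log.

Added example, not from the original paper. The log lines, user names,
times and job-need entitlement list are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Assumed log format: "<ISO time>Z user=<id> action=<verb> resource=<path> result=ALLOW|DENY"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Constructed log: jsmith's password was phished; the account was disabled at 11:00 UTC.
SAMPLE_LOG = """\
2024-03-05T08:30:10Z user=jsmith action=READ resource=/hr/onboarding.docx result=ALLOW
2024-03-05T09:12:44Z user=jsmith action=READ resource=/finance/payroll.xlsx result=ALLOW
2024-03-05T09:15:02Z user=jsmith action=READ resource=/hr/onboarding.docx result=ALLOW
2024-03-05T09:40:17Z user=jsmith action=DOWNLOAD resource=/finance/payroll.xlsx result=ALLOW
2024-03-05T09:41:00Z user=jsmith action=READ resource=/eng/source-backup.zip result=DENY
2024-03-05T10:02:55Z user=mlee action=READ resource=/finance/payroll.xlsx result=ALLOW
2024-03-05T11:30:00Z user=jsmith action=READ resource=/hr/onboarding.docx result=DENY
"""

# Constructed entitlement list: what an HR assistant's job actually requires.
JOB_NEED = {"jsmith": ["/hr/onboarding.docx"]}


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return entry


def _in_window(log_text, user, start, end, result):
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["user"] == user and e["result"] == result and start <= e["ts"] < end:
            yield e


def exposure(log_text, user, compromised_at, cut_off):
    """Resources the account actually reached between compromise and cut-off.

    Returns {resource: sorted actions}. Only ALLOW entries count, because a
    DENY means the access control held.
    """
    reached = {}
    for e in _in_window(log_text, user, compromised_at, cut_off, "ALLOW"):
        reached.setdefault(e["resource"], set()).add(e["action"])
    return {r: sorted(a) for r, a in reached.items()}


def denied_attempts(log_text, user, compromised_at, cut_off):
    """Resources the attacker tried and was refused; useful evidence of probing."""
    return sorted({e["resource"] for e in _in_window(log_text, user, compromised_at, cut_off, "DENY")})


def beyond_job_need(reached, user, job_need=JOB_NEED):
    """Reached resources that least privilege (step one) should have kept out of reach."""
    return sorted(set(reached) - set(job_need.get(user, [])))


if __name__ == "__main__":
    start = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)   # assumed compromise time
    end = datetime(2024, 3, 5, 11, 0, tzinfo=timezone.utc)    # assumed account cut-off
    reached = exposure(SAMPLE_LOG, "jsmith", start, end)
    print("reached:", reached)
    print("denied:", denied_attempts(SAMPLE_LOG, "jsmith", start, end))
    print("beyond job need:", beyond_job_need(reached, "jsmith"))
```

In the constructed log the report shows the payroll spreadsheet was both read and downloaded during the window, that the attacker also probed an engineering archive and was refused, and that payroll access was outside the account's job need, which is exactly the excess that the first step would have removed before the phish ever happened.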


Social engineering poses a significant threat to firms of
all sizes. Every day, individuals are impacted by a variety of social engineering
scams. The challenge for organizations is to continually review their current
security awareness training program and to ensure that all employees receive
regular and up-to-date training. This approach is expensive, but it ensures a
longer-term benefit for the organization. Proper understanding of social
engineering, technology trends and organizational capacity will reduce the
likelihood of a serious attack. Of
course, as this paper is written the technology has already evolved, and social
engineers are planning and testing the next strategy of manipulation and
crime. The challenge is not to “keep up”
with the social engineers but to stay ahead.


References

Algarni, A., Xu, Y., Chan, T., & Tian, Y. (2014). Social Engineering in Social
Networking Sites: How Good Becomes Evil. Retrieved from

Bisson, D. (2015). 5 Social Engineering Attacks to Watch Out For. Tripwire. Retrieved
from http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/

Federal Bureau of Investigation. (2009). Spear Phishers Angling to Steal
Your Financial Info. Retrieved from https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109

Mitnick, K., & Simon, W. (2003). The Art of Deception. Indianapolis: Wiley, 2002.

Peltier, T. (2006). Social Engineering: Concepts and Solutions. Information Systems Security.

Cyber Security Centre (UK). An introduction to social engineering. Retrieved from:

Woodward, A. (2012). How hackers exploit ‘the seven deadly sins’. BBC News. Retrieved from: