Top 10 Techniques used in Social Engineering 

This year, cyber security is an important topic. Hackers are everywhere, looking for new ways to get into your systems. They use the newest technologies to find their way into company networks with phishing emails or malicious websites. But most of them rely on social engineering techniques - especially "old school" ones that remain very effective.

Social Engineering involves manipulating people so that they give up confidential information which is exactly what hackers are doing over and over again.

Social engineering can also happen in person at a business or even when you're just walking down the street. Someone posing as a vendor who wants to enter your office could be collecting information on your employees or looking for a way into your server room. A person who looks like a delivery man bringing a package may really be trying to get information out of the receptionist.

Here are some ways that a social engineer can get you to give away confidential information:

Number 1: Emails

Phishing emails are one of the most common ways to trick users into giving away private information like passwords or credit card numbers. You receive an email that looks like it comes from one of your business partners - maybe even your CEO! It includes an email attachment that appears harmless but is actually a virus. Once it is opened, the hacker has access to your entire network!

Number 2: Visiting a website that looks legit

This technique consists of tricking users into visiting a website that looks legitimate but was actually created by hackers. One example is the so-called "drive-by download": if you visit an infected website, malware is downloaded onto your computer without your knowledge. Once this happens, the hacker can see everything on your screen and even control your webcam or microphone!

Number 3: Social networks

One more way to trick users into giving up their log-in information is phishing on social networks like Facebook or Twitter. Hackers set up fake accounts with similar names to popular businesses - maybe even yours! They post messages on these profiles asking for logins and passwords. As users are used to following these accounts, they will fall right into the trap!

Number 4: Phishing

This technique consists of tricking someone so that they go somewhere on the internet without knowing where they really are. A hacker may send you an email stating that there is a problem with your account or credit card and giving you a link to click on. When you do it, even though it looks like Google's homepage, you're actually visiting a website created by hackers! This is called phishing.

Number 5: Fake pop-ups

Using fake popups - or "pop-unders" as they are called - is another way of stealing log-in information. You think you've closed all windows but in fact, there is a small one in the bottom right corner. When you close your browser, this window stays active and logs all keystrokes - including passwords! And so the hacker gets your login credentials.

Number 6: BEC attack

In a typical BEC attack (Business Email Compromise), users receive an email from someone pretending to be a business partner or customer asking for urgent help with a financial issue. For example, they ask for bank account details so that money can be transferred. Once the user sends the details over, the hackers access the bank account and sell off any assets that might be there! This is why it's so important to talk to your business partners on the phone before sending them sensitive information.
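The email tricks in Number 1 and Number 6 share a few recognisable traits: a display name borrowed from your CEO or a partner, a sender domain that imitates a real one, a Reply-To that points somewhere else, an urgent request for a payment, and a "harmless" attachment. The following is an added example (not code from the original article) showing how a mail gateway or SOC script could screen inbound messages for those traits before a person ever sees them. The organisation domain `example-corp.com`, the executive directory, the keyword lists and the three sample messages are all constructed for the demonstration.

```python
# Added example (not part of the original article): heuristic screening of
# inbound email for the phishing and BEC traits described in the text.
# The internal domain, executive list and sample messages are constructed.
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"          # constructed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # constructed directory

URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "bank account", "invoice", "payment", "iban")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal(domain: str) -> bool:
    """True for the organisation's own domain or one of its subdomains."""
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions (rn->m, 0->o, 1->l) before comparing."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b are equal or differ by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long):
        if short[i] == long[j]:
            i, j = i + 1, j + 1
        elif not skipped:
            skipped, j = True, j + 1     # allow exactly one extra character in `long`
        else:
            return False
    return True


def is_lookalike(domain: str, target: str) -> bool:
    """True if `domain` imitates `target` without being `target` itself."""
    if domain == target:
        return False
    # e.g. target embedded in a longer hostname such as example-corp.com.evil.example
    return target in domain or within_one_edit(normalise(domain), normalise(target))


def score_message(msg: dict) -> dict:
    """Return the triggered indicators and a verdict for one message.

    `msg` maps lower-cased header names ('from', 'reply-to', 'subject',
    'attachment') and 'body' to strings; missing keys are treated as empty."""
    indicators = []
    name, addr = parseaddr(msg.get("from", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("reply-to", ""))

    if name.strip().lower() in EXECUTIVES and not is_internal(from_dom):
        indicators.append("display name of an internal executive on an external address")
    if is_lookalike(from_dom, INTERNAL_DOMAIN):
        indicators.append(f"sender domain {from_dom!r} imitates {INTERNAL_DOMAIN!r}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        indicators.append("Reply-To domain differs from From domain")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        indicators.append("urgent payment request in subject or body")
    if msg.get("attachment", "").lower().endswith(RISKY_EXTENSIONS):
        indicators.append("attachment has an executable or macro-enabled extension")

    if len(indicators) >= 2:
        verdict = "hold for verification"   # e.g. confirm by phone on a known number
    elif indicators:
        verdict = "review"
    else:
        verdict = "pass"
    return {"indicators": indicators, "verdict": verdict}


# Constructed sample messages: a BEC attempt, a macro-document phish, a clean internal mail.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@examp1e-corp.com>",
     "reply-to": "jane.doe@freemail.example",
     "subject": "Urgent wire transfer today",
     "body": "I am in a meeting, please transfer the invoice payment to the new bank account below."},
    {"from": "Accounts <billing@partner.example>",
     "subject": "Invoice attached",
     "body": "Please see the attached invoice.",
     "attachment": "invoice_2024.docm"},
    {"from": "Jane Doe <jane.doe@example-corp.com>",
     "subject": "Team lunch",
     "body": "Lunch is at noon on Friday."},
]


def screen_all(messages=SAMPLE_MESSAGES) -> list:
    """Verdict for each message, in order."""
    return [score_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, screen_all()):
        print(verdict, "<-", m["from"], "|", score_message(m)["indicators"])
```

Run as a script it prints "hold for verification" for the constructed CEO-impersonation mail, "review" for the macro attachment and "pass" for the genuine internal message. The "hold" verdict is the point: a message that scores on two independent indicators should be confirmed out of band, on a phone number the company already has on file, which is exactly the advice the section above gives.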

Number 7: Disguise

Disguising themselves as a courier or delivery man is another trick used by hackers. They try to get into the office by posing as a delivery person and asking staff to sign for a parcel - which is actually their laptop! With this technique, they can wait until nobody is watching before stealing data from computers or installing software that will give them access to your entire network.

Number 8: USB tricks

This sneaky trick involves placing images on a USB memory stick branded with the logo of a big company you trust, like Microsoft or Apple. If an employee plugs it into their computer without thinking, they put the whole company at risk! This is because the hackers have set up hidden cameras nearby and automatically transfer all photos of the monitors onto their memory stick! Now they know what's going on inside your office.

Number 9: Suspicious activity

Hackers can use a USB device filled with malware to infect computers. But they also like to create their own fake website that looks like your company's intranet. When someone within the company tries to access it, their computer is infected and the hackers gain access to everything on it - including files, passwords and other sensitive information! It is important to explain to employees why not every website should be trusted, and to always double-check if you see any suspicious activity.

Number 10: Hacking

This last trick is probably one of the most dangerous because it could affect so many users at once. Hackers hijack servers to send out massive amounts of spam emails at the same time making them look as though they actually come from a business. This is why it's vital to keep your systems protected and make sure you don't open any suspicious emails.

Extra Trick 11: Text messages

Hackers use text messages in social engineering campaigns that target specific contacts. Once you open a message from someone you trust (a business partner or customer), you download a file that contains hidden malicious software. This software can connect your device to the hackers' servers and give them unlimited access - including to any files and passwords! It's always important to think before you click.

With these pieces of advice, you should be able to protect yourself against social engineering attempts! But there are many other ways hackers can trick you - which is why we recommend having a cyber security solution in place. After all, prevention really is better than cure!

Social Engineering Full Guide Explained

How to protect from social engineering attacks

Hackers who destroy people's lives or wipe entire hard drives are called crackers or vandals.

Other novice hackers or crackers simply download hacker tools and run them without any real knowledge; these are referred to as script kiddies.

How to protect your organisation from Social Engineering attacks.
It is important to educate your entire staff in the organisation.

Social Engineering is also known as People Hacking.

Identify all incoming communication channels. These could be:

  • Emails
  • Phone calls
  • Live chat calls
  • People at the desk
  • Skype

It is important to educate your staff on which information is allowed to be given out.

Malicious black hat attackers might deploy social engineering techniques and simply call your organisation pretending to call from a specific company in order to obtain sensitive information. They could claim to be calling from the bank, the internet provider or one of the company's business partners, and in this way try to phish sensitive information.

It is recommended to have a clear policy to never give out sensitive information such as:

  • Merchant ID numbers
  • Passwords
  • Usernames
  • Emails
  • Credit card information
  • Bank account information
  • Any other data sensitive to your organisation

If anyone calls asking for sensitive data, always call back on the official number after their identity has been verified and confirmed.

Another popular technique is for the attacker to call up and ask for non-sensitive data, simply to build trust. After that they can ask for sensitive data and obtain it more easily. Be vigilant about anyone calling to ask for non-sensitive data.

Common roles a social engineering attacker can play when calling:

  • An author asking for information for a book or movie
  • A support engineer asking for password information to reset the account
  • A technician from the phone company asking for sensitive data
  • A movie director
  • A talent scout
  • Someone calling for a survey
  • A lost employee looking for information
  • Someone who sounds like an insider to the company but asks for quite a lot of information

When an attacker needs to obtain sensitive physical papers or items, they will set up a MAIL DROP. This is the social engineer's term for renting a mailbox under a fake name.

It is recommended to never give out any personal or internal company information, identifiers to anyone.

The best way to prevent social engineering attacks is by educating employees and making them aware of how to handle non-public information.

Deploying a data policy

It is recommended to implement a policy prohibiting giving out internal phone numbers, emails or other contact information of specific employees, contractors, consultants to any outsider.

Two techniques often used in Social Engineering attacks.

The first attack is for the Social Engineer to simply ask straightforwardly for the sensitive information. The straightforward attack works more often than anyone would believe. This could be just calling up and asking for a specific person's phone number. The more the attacker uses the company's own lingo, the higher the success rate.

The second attack type is to ask non-sensitive questions first, and once trust has been built up, to ask for more sensitive information.

One of the more popular tricks social engineers use when calling state organisations or larger corporations is to call as a survey. They pretend they are conducting a survey and start by asking low-level questions to gain trust. While running the survey, the attacker can sometimes be lucky enough to bypass the company's standard security checks.

Dumpster diving and paper trail
Many are fooled to believe companies are paperless.
In reality, companies print out large amounts of paper containing sensitive information on a daily basis.

It is recommended for companies to have a policy on shredding all paper with sensitive information before it gets thrown out.
In reality this might not always happen due to human error.

Anti Social Engineering Measures

  • Never click on any incoming links in SMS or social messaging apps such as WhatsApp, Messenger or Telegram that you are not expecting
  • Never click on links in emails that you are not expecting
  • Use 2-factor authentication on every login platform you use
  • Never share your physical location on any internet service or do public check-ins
  • Never put pictures online that can identify where you are
  • Never give out information when meeting other people in person
  • Never share your WiFi network passwords
  • Never use public WiFi without VPN protection
  • Keep all your software up to date
  • Be very careful when downloading any program from the internet and executing it on your computer
  • Block streaming or meeting apps such as Zoom or Skype from recording sensitive information