Social engineering is a combination of psychological and physical techniques whose ultimate goal is to steal information or assets.
Think of it as an approach that leverages the human element more than the technological one. Social engineering can use both, but it relies mostly on clever psychological tricks. We forget that social engineering is in our DNA, and some people simply use it better than others. Remember when you were a kid and your mother would not give you a cookie, but if you asked your father chances were that you would get one? It meant that you knew the vulnerabilities of the house and exploited them in a smart, psychological way.
To do just that, you went through different phases:
- Information gathering
- Establishing a relationship
- Exploitation
- Execution
In the first phase, the attacker uses every known means to find out as much as possible about the target.
This means OSINT techniques such as searching social media, web pages, open cameras and more. But it can also mean getting physically close to the person or building: taking pictures, analyzing paths, entrances, people and similar.
Establishing a relationship is the moment you approach your target and start to build rapport. Such contact can take months, days, hours or minutes, depending on the attack. Think of it as the moment you lower the target's defenses so that the next phase has a better chance of success. You can do it by creating empathy, a stressful situation, or similar.
Exploitation comes once you have gathered the necessary information and built the relationship: you make contact. It can be direct, by phone, SMS, a forged LinkedIn profile, or similar. This is the moment when, knowing your target, you apply the appropriate psychological or technological technique.
In the last phase, execution, the attacker obtains the information they need and makes sure to leave no trail, or a false one. It is essential that the target feels fine afterwards, so that the attack is never discovered, or is discovered as late as possible.
There are many different ways to do social engineering, but they can be clustered into psychological and more technological techniques.
Pretexting
A false justification for your needs.
Baiting
A way to lure the victim into performing a task that seems innocuous but that has huge gains for the attacker.
Quid pro quo
When you create an agreement with the victim: if they do something, the attacker gives something back that the victim likes.
Tailgating
Following a person into a restricted area.
For these techniques, there are separate pages with information on how they work and how to protect yourself.
How to protect yourself
Since social engineering is a vast combination of attacks, the protective measures are equally broad.
But there are some common patterns you can use.
A social engineering attack is a cycle: information gathering, establishing a relationship, exploitation, execution.
If the attacker can do this, then you can do it for yourself:
- Information gathering:
Ask yourself where you work, what your position is, and what the weak points of your workplace, and of yourself, are.
For example: I work at the reception, and if I am not in place someone could walk through. I eat outside in the street with my badge visible to everyone. I post lots of pictures on social media. Can all of these be exploited? Yes, all of them! So reduce them.
From a personal perspective, what triggers your emotions? Kids? Movies? Comics? Is this information available online, like pictures on social media or links to wishlists? Start reducing those data points too.
- Establishing contact:
Be on your toes if someone you do not know contacts you, whether by phone, mail or a social media friend request: a new connection can potentially be dangerous. It is not that you have to stop trusting everyone, but start being vigilant. Be suspicious if someone you just met knows a lot about you, be vigilant if someone asks for a favor or a one-time favor, and be wary if someone offers an exchange that is too good to be true.
Please always take such a graph with a pinch of salt.
Such visualizations should make you think and put things in context rather than show a universal truth.