Social Engineering

Social engineering is a technique used by cybercriminals to deceive individuals into divulging confidential information or performing actions that may be detrimental to their own interests or that of their organization. It is a non-technical method of breaching security, relying on the human element rather than exploiting technical vulnerabilities.

Social engineering can take different forms, such as phishing emails or phone calls, pretexting (fabricating a scenario to gain access to sensitive information), baiting (leaving a tempting item, such as a USB drive, in a public place to entice someone to use it), or tailgating (following an authorized person into a secure area).

What is the purpose of social engineering?

The purpose of social engineering is to manipulate individuals into divulging sensitive information, performing actions, or providing access to systems or physical locations that would otherwise be difficult or impossible to obtain through technical means. The information obtained through social engineering can be used for various malicious purposes, such as identity theft, fraud, espionage, or sabotage.

Social engineering attacks can be highly effective because they exploit human weaknesses, such as trust, curiosity, fear, or deference to authority. Social engineers often use sophisticated tactics to lend a sense of urgency or legitimacy to their requests, making it challenging for the victim to identify the attack.

The goal of social engineering attacks may vary depending on the attacker's motives and objectives. Some attackers may seek to steal financial or personal data to commit fraud or sell it on the black market. Others may target intellectual property, trade secrets, or confidential business information to gain a competitive advantage or sell it to rival companies. State-sponsored actors may use social engineering to conduct espionage or sabotage operations, while hacktivists may use it to promote their political or ideological agenda.


What is advanced social engineering?

Advanced social engineering refers to sophisticated and targeted social engineering attacks that use multiple techniques and leverage extensive research and reconnaissance to achieve their objectives. Unlike opportunistic or random attacks, advanced social engineering attacks are carefully planned and tailored to the specific characteristics and vulnerabilities of the target organization or individual.

Advanced social engineering attacks often involve multiple phases, such as information gathering, profiling, pretexting, baiting, and follow-up, and may use a combination of technical and non-technical methods to deceive and manipulate the victim. For example, an attacker may use spear phishing emails that contain personalized and relevant information to increase the likelihood of the victim falling for the scam. They may also use social media, open source intelligence, or social engineering testing to gather intelligence about the target's behavior, preferences, or vulnerabilities.

Advanced social engineering attacks can be very difficult to detect and prevent, as they often use sophisticated and novel techniques that bypass traditional security controls, such as firewalls, antivirus software, or intrusion detection systems. They also rely on the human element, which is harder to secure and control than technology.

What are the different types of social engineering?

There are several types of social engineering attacks, each with its own characteristics, goals, and techniques. Here are some examples:

  • Phishing is a type of social engineering attack that uses email, instant messaging, or other communication channels to trick victims into opening an attachment that contains malware or clicking on a link to a fraudulent website that looks like a legitimate one. The goal of phishing is to steal sensitive information, such as usernames, passwords, or credit card numbers, or to install malware that can take control of the victim's device or steal data.
  • Spear phishing is a more targeted form of phishing that uses personal information or social engineering techniques to make the message appear more credible and increase the likelihood of the victim falling for the scam. Spear phishing may target specific individuals or organizations and use information gathered from social media, job postings, or other sources to create a sense of familiarity or trust.
  • Baiting is a type of social engineering attack that involves leaving a tempting object, such as a USB drive, in a public place to entice a victim to use it. The USB drive may contain malware or a backdoor that allows the attacker to gain access to the victim's computer or network.
  • Pretexting is a type of social engineering attack that involves creating a false scenario or pretext to gain the victim's trust or sympathy. For example, an attacker may pose as a customer support agent or a law enforcement officer to convince the victim to provide sensitive information.
  • Tailgating is a physical social engineering technique that involves following an authorized person into a restricted area without authorization. The attacker may pretend to be a legitimate visitor or employee, or they may use distraction techniques to sneak in undetected.
  • A watering hole attack is a social engineering technique that involves compromising a legitimate website or online community that is frequently visited by the target audience. The attacker then uses the compromised site to distribute malware or steal sensitive data from the visitors.
  • Scareware is a social engineering technique that involves using fake security alerts or pop-ups to convince the victim that their device is infected with malware or at risk of being hacked. The victim is then directed to download or purchase software that claims to fix the problem but actually installs malware or steals data.
  • Mailbox exfiltration, also known as email exfiltration or email theft, refers to the unauthorized access and extraction of emails and related data from a target's mailbox or email account. Once the attacker has gained access to the mailbox, they can exfiltrate emails and other data, such as contacts, attachments, or calendar entries, to their own servers or storage devices. The stolen data can then be used for a variety of purposes, such as identity theft, financial fraud, corporate espionage, or blackmail.

What are the 6 principles of social engineering according to Cialdini?

Dr. Robert Cialdini, a social psychologist, identified six principles of social engineering in his book "Influence: The Psychology of Persuasion." These principles are commonly used in social engineering attacks to influence or manipulate individuals into disclosing sensitive information, performing an action, or making a decision. Here are the six principles:

  1. Reciprocity: People are more likely to comply with a request if they feel they owe something in return. Attackers may use this principle by offering a small gift or favor to the victim before making a larger request.
  2. Authority: People are more likely to comply with requests from those in positions of authority or expertise. Attackers may pose as a figure of authority, such as a senior executive or a law enforcement officer, to gain the victim's trust and compliance.
  3. Consistency: People prefer to be consistent in their beliefs and actions over time. Attackers may use this principle by asking for small commitments or agreements that lead to larger ones over time, creating a sense of commitment and obligation in the victim.
  4. Social proof: People are more likely to comply with requests if they see others doing the same thing. Attackers may use this principle by claiming that colleagues or peers have already complied, making the victim feel that others are already taking advantage of the offer.
  5. Liking: People are more likely to comply with requests from those they like or respect. Attackers may use this principle by creating a sense of familiarity or rapport with the victim, using flattery or compliments, or finding common interests.
  6. Scarcity: People perceive things that are scarce or rare as more valuable and desirable. Attackers may use this principle by creating a sense of urgency or scarcity around an offer, making the victim feel that they must act quickly or miss out on an opportunity.

Understanding these principles can help individuals and organizations recognize and defend against social engineering attacks by being aware of the tactics used by attackers and by being vigilant and skeptical of unsolicited requests or offers.


Are social engineering attackers only online?

No, social engineering attacks can happen both online and offline. While many social engineering attacks are conducted online, attackers can also use in-person techniques to gain access to sensitive information or systems. For example, an attacker might pose as a delivery person, a repair technician, or an employee of a company and use that guise to gain physical access to a building or system. Once inside, the attacker can use a variety of tactics, such as impersonation or deception, to trick employees into revealing passwords or other sensitive information.

Where can social engineering occur?

Social engineering can occur in a variety of contexts and locations, both online and offline. Here are some examples:

  • Email: Attackers can use email messages to trick victims into revealing sensitive information or clicking on malicious links. This is known as phishing or spear-phishing.
  • Social media: Attackers can use social media sites to gather information about their victims and use that information to craft more convincing social engineering attacks.
  • Phone: Attackers can use phone calls to impersonate someone else, such as a company representative or a law enforcement officer, to gain access to sensitive information or persuade victims to take a particular action.
  • In person: Attackers can use physical techniques, such as impersonation or tailgating, to gain physical access to a building or system.
  • USB devices: Attackers can leave infected USB devices in public places, such as parking lots or coffee shops, in the hope that someone will pick them up and plug them into their computer.
  • Online advertisements: Attackers can use online advertisements to deliver malware or trick victims into revealing sensitive information.
  • Online surveys: Attackers can use online surveys to gather sensitive information about their victims, such as passwords or other personal information.

It's important for individuals and organizations to be aware of the different contexts and locations in which social engineering attacks can occur and take steps to protect themselves against these attacks.

What can an organisation do to defend against social engineering?

Defending against social engineering attacks requires a multi-faceted approach that involves technical controls, security policies, and employee training. Here are some strategies and best practices that organizations can implement to defend against social engineering attacks:

Conduct security awareness training: Educate employees about the risks and tactics of social engineering attacks, and teach them how to recognize and respond to suspicious emails, phone calls, or requests. Provide regular training and reinforcement to keep employees up-to-date on the latest threats. Tailor the training program to different roles and job functions, as employees in different roles may have different security responsibilities and risks.


Implement strong authentication and access controls: Require strong passwords and multi-factor authentication to protect against unauthorized access to sensitive systems and data. Implement least privilege access controls to limit access to only those who need it.

Regularly update software and security controls: Keep software and systems up-to-date with the latest security patches and updates, and regularly review and update security controls such as firewalls, intrusion detection/prevention systems, and anti-malware tools.

Monitor for unusual activity: Use security monitoring tools to detect and alert on unusual activity, such as multiple failed login attempts, unusual access patterns, or data exfiltration attempts.

Perform regular security assessments: Conduct regular security assessments, such as penetration testing or social engineering tests, to identify vulnerabilities and weaknesses in security controls and processes.

Establish security policies and procedures: Develop and enforce security policies and procedures, such as incident response plans, data handling policies, and security awareness training requirements.

Verify requests and information: Implement processes to verify the authenticity of requests and information, such as contacting the requester through a known phone number or email address (not one supplied in the request itself) to confirm the request.

Perform background checks: Conduct background checks on employees, contractors, and third-party vendors to ensure that they do not have a history of malicious activity. Establish policies and procedures for onboarding and offboarding employees, contractors, and vendors, and ensure that access to systems and data is granted and revoked in a timely manner.

By following these practical tips and advice, organizations can establish a strong defense against social engineering attacks and protect their systems and data from unauthorized access or theft.
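As an added example of the "monitor for unusual activity" step above (this is not code from the original page or from Bilginç IT Academy), the following detector reads constructed authentication log lines and flags an account that accumulates repeated failed logins inside a short window, as well as a success that directly follows such a burst, which is a common trace of guessed or phished credentials. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:05 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:12 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:20 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:31 user=alice src=10.0.0.5 result=SUCCESS
2024-03-01T09:05:00 user=bob src=10.0.0.7 result=FAIL
2024-03-01T10:15:00 user=bob src=10.0.0.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse log lines into (timestamp, user, src, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events

def detect_suspicious_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts: a failure burst per (user, src) inside the sliding window,
    and a successful login that directly follows such a burst."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ts, user, src, result in sorted(events):
        key = (user, src)
        # Drop failures that have fallen out of the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if result == "FAIL":
            failures[key].append(ts)
            if len(failures[key]) == threshold:
                alerts.append(("failure_burst", user, src, ts))
        elif result == "SUCCESS":
            if len(failures[key]) >= threshold:
                alerts.append(("success_after_burst", user, src, ts))
            failures[key] = []
    return alerts
```

In the sample data, alice triggers both alerts while bob's single failure an hour before his login is ignored; in practice the alerts would feed a SIEM rule and a verification call to the user, as the "Verify requests" step describes.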

Advanced Social Engineering Training

Bilginç IT Academy offers a unique course to help organizations fight against social engineering attacks. Our Advanced Social Engineering course provides insight into both ethical social engineering assessments that organizations run themselves and malicious social engineering in the wild. In this 1-day training, we apply that knowledge to a corporate scenario and give security personnel the skills needed to implement a good level of social engineering defence within their organisations.

The course outline and upcoming dates are available on our website. We can also host this training at your preferred location; please contact us for booking options.

Remember, to prevent social engineering attacks, it is essential to raise awareness, provide security training, and establish policies and procedures that reduce the risk of human error or malicious intent. It is also crucial to verify the identity and legitimacy of any request for information or access, and to maintain a healthy skepticism towards unsolicited messages or unusual requests. 

