To understand what social engineering tactics are, you need to research what has been used in the past. All the details are in a comprehensive article on the subject (link to a comprehensive article on the topic), but let's look at three social engineering techniques that are currently separate from tech platforms where scammers are significantly successful.
Social Engineering Attacks
Social Engineering Attacks

Offer Something Sweet

Any scammer will tell you that the easiest way to defraud a brand is to take advantage of their own greed. This is the basis of the classic Nigerian 419 scam, where the scammer tries to persuade the victim to help him get allegedly ill-gotten (illegal) money from his home country to the safe bank and offers some of his funds in return. This "Nigerian Prince" email joke has been going on for decades, and it's still an effective method of social engineering people believe in. In 2007, the chief financial officer in a sparsely populated place in Michigan gave a swindler $1.2 million in public funds to make money personally. Another common trick is the prospect of a new and better job, something many of us apparently want: in an extremely embarrassing 2011 breach, security firm RSA.
Fake until you do. One of the easiest and most surprisingly successful social engineering techniques is simply to pretend to be your victim. In Kevin Mitnick's previous legendary scams, he accessed Digital Equipment Corporation's OS development servers simply by calling the company and claiming that he was one of its leading developers, saying he had trouble logging in; he was immediately rewarded with a new username and password. This all happened in 1979, and you think things have improved since then, but you're wrong: in 2016, a hacker took control of a U.S. Department of Justice email address and used it to impersonate an employee, using a Help Desk to access the DoJ intranet. He persuaded him to hand over the token and said it was his first week at work and didn't know how anything worked. Many companies have inhibitions for such brazen imitation, but they can often be defeated fairly easily. When Hewlett-Packard hired private detectives in 2005 to find out which HP Board members leaked information to the press, they obtained PIS the last four digits of their target's social security number, which is proof of identity before AT & T's technical support handed over the detailed search logs. was accepted as.
Act as if you are in control. Most of us tend to respect authority, or we tend to respect those who seem to have authority in what they do. You can use information about a company's internal processes to convince people that you have a right to be here or that you have the right to see things you shouldn't see, or that communication from you is coming from someone they truly respect. As an example, in 2015, finance employees at Ubiquiti Networks transferred millions of dollars of corporate money to fraudsters who impersonated corporate executives, possibly using a similar URL in their email address. From a less technical standpoint, researchers working for British magazines in the late '00s and early 10s found ways to access victims' voicemail accounts by pretending to be other employees of the telephone company; for example. A PI convinced Vodafone to reset actress Sienna Miller's voicemail PIN and claimed it was "John from credit check". Sometimes it is external authorities that we obey their demands without thinking too much. Hillary Clinton campaign honcho John Podesta sent a phishing email disguised as a note from his email was hacked by Russian spies in 2016 asking Google to reset his password. Thinking that he would secure his account, he took precautions, in fact, he had given his own login credentials.

Social Engineering Preventions

Safety awareness education is the number one way to prevent social engineering. Employees must be aware that social engineering exists and be familiar with the most commonly used tactics. Fortunately, social engineering consciousness lends itself to storytelling. And stories are much easier and much more interesting than explaining technical elements. Tests and grabbing or humorous posters are also an effective reminder not to assume that it is what everyone says. However, social engineering isn't just the average employee to be aware of. Senior leaders and managers are also primary goals in the enterprise.

5 Tips for Defending against Social Engineering

CSO author Dan Lohrmann gives the following advice:

  • Train yourself over and over when it comes to security awareness. Make sure you have comprehensive security awareness, regularly updated training programs to address both common phishing threats, and new targeted cyber threats. Remember, it's not just about clicking links.
  • Provide key personnel with a detailed briefing "roadmap" on the latest online fraud techniques. Yes, be sure to include anyone, including senior executives, but who has the authority to make wire transfers or other financial transactions. Remember, many true fraud stories occur with lower-level staff who believe a manager wants them to take immediate action, often bypassing normal procedures and/or controls.
  • Review existing processes, procedures, and separation of duties for financial transfers and other significant transactions. Add extra controls as needed. Keep in mind that segregation of duties and other protections could at some point be compromised by threats from within. Therefore, risk reviews may need to be reconsidered given the escalating threats.
  • Consider new policies regarding “out of band” transactions or urgent manager requests. An email from the CEO's Gmail account should automatically remove red to staff, but understand the latest techniques employed by the dark side of social engineering. You need effective emergency procedures that are well understood by all.
  • Review, refine, and test your incident management and phishing reporting systems. Conduct desktop tests regularly with management and key personnel. Test controls and reverse engineer potential vulnerabilities.

Social Engineering Tools

Some vendors offer tools and services to assist with conducting social engineering exercises and/or raise awareness to employees through posters and tools such as newsletters. Don't forget to also check the Social Engineering Tools page of the site, which is free to download. Helps automate penetration testing through social engineering with this tool. Another good resource is the Social Engineering System. Currently, the best defense against social engineering attacks is to train users and build a technological defense layer to better detect attacks. Keyword detection in emails or phone calls can be used to weed out potential attacks, but even these technologies will be ineffective in stopping skilled social engineers.