What Attacks Are Used in Social Engineering?
Social engineering is a method of unauthorized access to information or information storage systems without using technical means. This method exploits human weaknesses and is considered highly destructive. According to BugTraq.ru, social engineering is a term used by hackers to describe gaining unauthorized access to information by tricking people, rather than hacking software. The goal is to deceive people into giving up passwords or other information that can compromise system security. Classic examples include calling an organization to identify those with access, then calling an administrator while pretending to be an employee with an urgent access issue.
Social engineering is widely used, especially for “delicate” tasks like document theft. It has roots in psychology and is now a specialized field, taught to spies and secret agents: anyone whose job involves covert infiltration and covering their tracks. Human nature leads us to analyze and draw conclusions, but how often are those conclusions truly our own? The most interesting part is that the victim rarely notices anything is wrong, believing their decisions are their own. Subtle manipulation of consciousness has existed throughout history, even in ancient times. For example, medieval Japanese ninjas practiced these psychological skills alongside hypnosis. Hackers and cybercriminals also use these methods, though it’s more complicated since the attacker rarely has direct physical contact with the victim. Spammers also use social engineering to persuade users to buy products.
Many say you shouldn’t trust anyone. That’s not entirely true: you can and should trust, but you must also verify, and verification can be complex. We’ll discuss this further below. For now, let’s define the goals of attackers.
Goals of Social Engineering
The goals can vary, but the main objective is always the same: stealing information. Social engineers aim to quietly obtain information, usually by making a copy. They can then do anything with it—sell it, resell it, or blackmail the original owner. Statistics show that most sophisticated attacks are commissioned by competing organizations.
Methods and Types of Attacks
Social engineering isn’t just about psychological manipulation; it also involves exploiting human psychology. Here are the most common types of attacks:
Human Denial of Service (HDoS)
This term is similar to DoS (Denial of Service), but instead of servers, it targets people. The goal is to make someone (without their awareness) ignore certain situations, for example by getting every word the attacker says accepted as truth without question. Distraction is also a form of this attack: while the victim is focused on one thing, the attacker does something else unnoticed. These attacks are complex, requiring a deep understanding of the victim’s psychology, knowledge, and reactions. For instance, simulating an attack on a server port can distract an administrator, allowing the attacker to access the server. However, if the admin knows there are no vulnerabilities on that port, the intrusion will be detected immediately. That’s why it’s crucial to assess the admin’s level of knowledge.
Technical Social Engineering
These attacks don’t involve a direct “victim” or “influence.” Instead, they exploit social stereotypes and principles. For example: “If there are cameras, no one will break in,” or “The bigger the organization, the more secure it must be.” Many believe that a security company’s website can’t be hacked, but that’s not true—anything can be hacked. This method is also known as situational analysis, where the attacker looks for alternative ways in when the standard approach doesn’t work.
Phone Calls
This involves direct voice contact. The attacker calls the victim and uses carefully crafted speech to mislead them. This works best when the attacker pretends to be someone the victim doesn’t know, using an authoritative and stern tone. The victim’s “authority” response kicks in, making them polite and willing to share information. This is especially effective in large companies where employees don’t know each other well. In smaller companies, it’s harder to blend in, so the attacker may impersonate a manager, claiming to check the security system and asking for passwords or usernames. Another method is using a voice changer to imitate someone else’s voice.
In-Person Visual Contact
This is the most challenging method, requiring professional psychologists or specially trained individuals. The attacker must find a “gateway” to the victim, often identified by analyzing their questions or behavior. By staying within these “gateways” during conversation, the attacker becomes likable, and the victim may share sensitive information without realizing its importance. Unlike voice, it’s much harder to fake facial expressions, skin color changes (from nervousness), or pupil reactions.
Email
Email is the most common “work channel” for social engineering. However, it’s challenging to convincingly impersonate someone the victim knows, as the attacker must accurately mimic the writing style. It’s easier when the victim doesn’t know the sender. The attacker must also forge the email header, which can be done with standard email clients or manually using a telnet client to connect to the mail server’s port 25. The “Received” line usually shows the sender’s address. There are also remailer services that hide headers, but manual editing is more effective.
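A defender's view of the header forgery described above, as an added example that is not part of the original article: it parses a constructed message and flags a From domain that disagrees with the Return-Path or with the oldest Received hop. The function names, the sample message and the example.com / example.net domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real traffic): From claims an internal admin,
# but the oldest Received hop and the Return-Path point to another domain.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id A1; Mon, 01 Jan 2024 10:00:05 +0000
Received: from unknown-host.example.net (unknown-host.example.net [203.0.113.7])
\tby mx.example.com with SMTP id B2; Mon, 01 Jan 2024 10:00:01 +0000
Return-Path: <bounce@example.net>
From: "IT Administrator" <admin@example.com>
To: user@example.com
Subject: Urgent: confirm your password

Body text.
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)", re.IGNORECASE)

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Host names from the Received headers, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.group(1).lower())
    return hops

def spoofing_indicators(raw_message):
    """List the mismatches between the claimed sender and the delivery path."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    hops = received_hops(msg)
    # The oldest hop is where the message entered the mail system.
    if hops and not (hops[0] == from_dom or hops[0].endswith("." + from_dom)):
        findings.append(f"origin hop {hops[0]} is outside From domain {from_dom}")
    return findings
```

Received lines below the one stamped by your own mail server can themselves be forged, and legitimate mail is often relayed through third-party providers, so these findings are indicators to investigate, not proof.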
Instant Messaging Systems
Programs like ICQ are also used for social engineering. Many tools can send messages on behalf of another user or craft messages with specific content to manipulate the victim.
Attacker Preparation
Attackers must have a good understanding of psychology. There are three main stages in preparing such an attack:
- Identifying the exact target and its location.
- Gathering information about the target (the victim).
- Developing an action plan and mental preparation/training.
1. Identifying the Exact Target and Its Location
The key to a successful operation is knowing exactly what you’re after and where it’s located. Think of heist movies—serious plans are made, and the target is clearly defined. If attackers don’t know where the valuables are, they waste time searching. Similarly, a social engineer first determines what kind of information they want. If this is clear, the operation is quick: by deceiving the victim, they gain access and copy the needed data. Knowing the exact location of the information allows for a fast operation, making it less likely to be detected as unauthorized access.
2. Gathering Information About the Target
This is perhaps the most important step. Before writing an email, making a call, or meeting the victim, the attacker studies them to understand their character, vulnerabilities, habits, etc. For example, inviting the victim to their favorite restaurant can build rapport. Sometimes, the attacker also studies the person they plan to impersonate, which extends the preparation time but increases the chances of success. Information can come from analyzing network traffic, emails, even receipts (to learn what the victim buys, how often, and how much they spend). Attackers may also observe the target for hours, gathering valuable insights. Specially trained agents can minimize the time needed for information gathering, making quick deductions from small details.
3. Developing an Action Plan and Mental Preparation
This is where the art of social engineering shines. Many amateurs simply copy textbook examples and adapt them, but true professionals tailor every word, look, and gesture to the specific victim, since everyone reacts differently. One person might laugh at a joke, while another might take offense. At this stage, a huge amount of psychological work is done, matching every word to the victim’s psychological profile.
Access Levels
As with other attacks, social engineering attacks are classified by the level of access achieved. This depends on the attacker’s preparation and the victim’s role. For example, if you obtain a regular user’s password, you’ll only have user rights, regardless of your skills. If you’re poorly prepared, you might not get any access at all. There are four main access levels, listed in descending order of privileges:
- Administrator
- Manager
- User
- Acquaintance
That’s how psychological attacks are carried out. This article covers only a small part of what can be said about social engineering. Mastering the art of manipulating people without their awareness is extremely difficult and requires attention to every detail. Let psychologists and professionals handle the finer points.