Social Engineering: Key Concepts and Main Methods

Social Engineering: Key Concepts

Information is one of the most valuable assets of any company. It can constitute a trade secret, which, under certain circumstances, can increase profits, prevent unnecessary expenses, maintain a market position, or bring other commercial benefits. Therefore, such information must be protected.

Since every company is made up of people, the human factor inevitably influences all organizational processes, including the protection of confidential information. The human factor refers to the psychological traits of a person that make them a potential or actual source (or cause) of information security problems when using modern technologies.

Any actions by people that violate security protocols can be divided into two main categories: intentional and unintentional actions.

  • Intentional actions include information theft by employees, modification, or destruction of information (sabotage). These are extreme cases that are usually dealt with after the fact, often involving law enforcement.
  • Unintentional actions include loss of information carriers, accidental destruction or distortion of information, or inadvertently helping unauthorized individuals—this is where social engineering comes in. Here, the employee does not realize their actions are violating company policy, but the person requesting the action knows exactly what they are doing.

Social engineering is a method (or set of attacks) for unauthorized access to information or information systems without using technical means. It exploits human weaknesses and is highly effective. Attackers may gather information about employees, make phone calls pretending to be IT staff, or physically enter an organization posing as an employee. For example, an attacker might call a company employee (pretending to be tech support) and ask for a password, citing a need to fix a minor computer issue. This trick often works, with the attacker’s most powerful tools being a pleasant voice and acting skills. Names of employees can be learned through a series of calls or by studying company websites and public sources. Using real names in conversations with tech support, the attacker can spin a believable story to obtain sensitive information. Other methods include dumpster diving, stealing laptops or other data carriers, and more—especially when targeting a specific company.

Basic Social Engineering Model

Each employee has a certain level of security awareness and access. Frontline staff (like receptionists) usually don’t have access to critical information, so even if their accounts are compromised, the damage is limited. However, their data can be used to move up the chain within the organization. For example, an attacker can learn employee names and then call someone higher up, pretending to be a colleague. By asking innocent questions, they can piece together more information or move on to someone with greater access, exploiting the team’s culture of helpfulness. Even with strict policies, emotions can override caution.

Imagine an attacker calling the same call center employee several times a week for a month, always being friendly and positive, asking harmless questions, and occasionally requesting small favors. Frequent contact replaces strict authorization. After ten, twenty, or even thirty calls, the attacker becomes a familiar presence. On the 31st call, they make a small request involving sensitive data, providing a logical and believable reason. Most people will help without suspecting anything.

Even highly competent users can fall victim. For example, in the book “The Art of Deception,” Kevin Mitnick describes how he posed as a lead developer and convinced a system administrator—who knew exactly what he was doing—to provide privileged system access.

Main Social Engineering Methods

  • Fake Links (Phishing)
    This attack involves sending an email with a tempting reason to visit a website, using a link that looks similar to a legitimate site (e.g., www.PayPai.com instead of PayPal). The fake site looks identical to the real one, and when the victim enters their credit card information, it goes straight to the attacker. A famous example is the 2003 eBay phishing scam, where thousands received emails claiming their accounts were blocked and needed credit card updates via a fake page. Losses were estimated at under a million dollars.
  • Brand Impersonation
    These phishing schemes use fake emails or websites featuring the names of well-known companies. Messages may congratulate the recipient on winning a contest or urge them to urgently change their login details. Such scams can also occur over the phone, pretending to be tech support.
  • Fake Offers and Curiosity Traps
    Victims receive offers that appeal to greed or curiosity, such as fake antivirus software (“scareware”) that generates false alerts and tries to lure users into fraudulent transactions. These can appear in emails, ads, social networks, search results, or pop-ups. Other examples include fake lottery wins or messages that appear to come from high-ranking company officials. In the movie Who Am I, hackers send a malicious email from a supposed acquaintance with a cute cat photo to trick the victim.
  • IVR or Phone Phishing (Vishing)
    Vishing uses phone communication, with attackers pretending to be bank employees or customers to extract confidential information or prompt certain actions. IVR-based attacks use pre-recorded voice messages to mimic official bank calls, asking victims to enter PINs or passwords. For example, a phishing email may direct the victim to call a fake “customer service” number, where an automated system asks for sensitive card details.
  • Phone Phreaking
    Phone phreaking involves manipulating telephone systems using sound signals. Originating in the US in the late 1950s, enthusiasts discovered ways to make free calls, organize conferences, and manage phone networks by mimicking service tones.
  • Pretexting
    In pretexting, the attacker pretends to be someone else and follows a prepared script to extract confidential information. This requires preparation, such as knowing the victim’s birthday, tax ID, passport number, or account digits to avoid suspicion. It is usually done by phone or email. In the series Mr. Robot, a hacker calls a victim pretending to be a bank employee and extracts personal information, later used to brute-force the victim’s account.
  • Quid Pro Quo
    This attack involves the attacker offering a service in exchange for information. Often, the attacker poses as tech support, claims to be fixing a technical issue, and instructs the victim to perform actions that allow the attacker to run commands or install software on the victim’s computer.
  • “Road Apple” (Baiting)
    This method is a physical version of the Trojan horse. The attacker leaves “infected” media (like USB drives or CDs) in public places—bathrooms, parking lots, cafeterias, or the target’s workplace. The media is labeled to appear official or to spark curiosity (e.g., “Executive Payroll”). An employee may pick it up and insert it into a computer out of curiosity. In Mr. Robot, hackers scatter infected USB drives near a police station, and an officer plugs one in to see what’s on it.
  • Open Source Intelligence (OSINT)
    Social engineering often requires gathering information about the target, and social networks are a goldmine. Sites like LiveJournal, Odnoklassniki, and VKontakte contain vast amounts of data people don’t bother to hide. For example, criminals learned the daily schedule and routes of Eugene Kaspersky’s son from his social media posts, which led to his kidnapping. Even with privacy settings, information can leak. A Brazilian security researcher showed it’s possible to become anyone’s Facebook friend within 24 hours using social engineering, gaining access to private information.
  • Shoulder Surfing
    Shoulder surfing involves capturing a victim’s personal information by looking over their shoulder at their screen or keyboard. This is common in public places like cafes, malls, airports, train stations, and public transport. A survey of IT professionals found that 85% had seen confidential information they weren’t supposed to, 82% said others could see their screens, and 82% doubted anyone in their organization would protect their screen from prying eyes.
  • Reverse Social Engineering
    In reverse social engineering, the victim voluntarily provides the attacker with the information they need. People with authority in technical or social spheres often receive user IDs, passwords, and other sensitive data simply because no one doubts their integrity. For example, support staff should never ask for a user’s password, but many users offer it to speed up problem resolution. Sometimes, the attacker doesn’t even need to ask.

Examples:

  • An attacker who works alongside the victim renames or moves one of the victim’s files. When the victim notices the file is missing, the attacker hints that they could help. Wanting the issue resolved quickly, the victim asks for help and hands over their login credentials. The attacker “reluctantly” agrees, restores the file, and keeps the credentials—possibly even improving their reputation and gaining more trust for future attacks.
  • A hacker creates a minor problem for a user, ensures the user contacts them, and then carries out the attack. For example, the hacker poses as a janitor, replaces the tech support number on a posted list with their own, and causes a small issue. The next day, the user calls the “support” number, ready to share all necessary information with the “specialist.”
  • In a hacking competition, a scenario involved a receptionist who stepped away for 30 seconds. The best solutions involved social interaction: putting a sticky note with a fake support number, inviting her on a date (to learn about company hierarchy and personal matters), and so on.
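The Fake Links (Phishing) method above relies on domains that only look like the real one (www.PayPai.com for PayPal). The following detector is an added example, not code from the original article: it collapses confusable characters before comparing a URL's hostname against a constructed list of protected brands, and also catches one-letter typosquats and brand names hidden in a subdomain. The brand list, confusable table and sample URLs are all assumptions made for the example.

```python
"""Lookalike-domain check for lookalike phishing links (example code; brand list,
confusable table and sample URLs are constructed for illustration)."""
from __future__ import annotations
from urllib.parse import urlsplit

PROTECTED_BRANDS = {"paypal", "ebay"}  # constructed sample list of brands to protect

# Character sequences attackers swap for visually similar ones.
# Longer keys are applied first so 'rn' -> 'm' wins over any single-char rule.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "i": "l", "1": "l", "|": "l",
               "0": "o", "3": "e", "5": "s", "8": "b"}

def skeleton(label: str) -> str:
    """Collapse confusables so 'PayPai' and 'paypa1' both become 'paypal'."""
    s = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-letter typosquats like 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> tuple[str, str | None]:
    """Return (verdict, brand) with verdict 'legitimate', 'lookalike' or 'unrelated'.
    Assumes the registrable domain is the label just before the TLD; a real
    deployment would consult the Public Suffix List instead."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated", None
    registrable, subdomains = labels[-2], labels[:-2]
    if registrable in PROTECTED_BRANDS:
        return "legitimate", registrable
    for brand in PROTECTED_BRANDS:
        # Confusable swap or a single typo in the registrable label
        if skeleton(registrable) == skeleton(brand) or edit_distance(registrable, brand) <= 1:
            return "lookalike", brand
        # Brand name used as a subdomain, e.g. paypal.com.secure-login.example
        if any(skeleton(s) == skeleton(brand) for s in subdomains):
            return "lookalike", brand
    return "unrelated", None
```

Running `classify_url("http://www.PayPai.com/login")` returns `("lookalike", "paypal")`, while the genuine `https://www.paypal.com/` returns `("legitimate", "paypal")`.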

Conclusion

We’ve covered the main methods of social engineering. In the future, we’ll discuss each of these methods in more detail and even try them out in practice to see what happens!

Some information for this article was taken from Wikipedia and Habrahabr, and I have formatted and supplemented it with my own comments for your convenience.
