Social Engineering

Social engineering is one of the most common and effective forms of cyber attack. Rather than exploiting weaknesses in software or hardware, social engineering targets people — manipulating them into revealing confidential information, clicking malicious links or performing actions that compromise security.

---

Why Social Engineering Works

Humans are often described as the weakest link in cyber security. Even the most sophisticated technical defences can be bypassed if an attacker convinces an employee to hand over their password. Social engineering exploits natural human tendencies such as:

• Trust — we tend to believe people who appear to be in authority
• Helpfulness — we want to assist colleagues and customers
• Fear — we react quickly to urgent warnings ("Your account will be closed!")
• Curiosity — we are tempted to click on interesting links or open unexpected files

Exam Tip: When an exam question asks why social engineering is effective, focus on the human factors. Technical defences like firewalls and encryption cannot prevent a person from voluntarily giving away their password.

---

Phishing

Phishing is the most widespread social engineering attack. The attacker sends a fraudulent message — usually an email — that appears to come from a trusted source (a bank, a delivery company, a social media platform). The message urges the victim to:

• Click a link to a fake website that looks identical to the real one
• Enter personal details such as usernames, passwords or credit card numbers
• Download an infected attachment

How to Spot a Phishing Email

Warning Sign	Example
Generic greeting	"Dear Customer" instead of your real name
Urgent language	"Your account will be suspended in 24 hours"
Suspicious sender address	support@amaz0n-security.com (note the zero)
Spelling and grammar errors	"Pleese verify you're informations"
Unexpected attachment	An invoice you were not expecting
Mismatched URL	Hovering over the link reveals a different domain

Spear Phishing

Spear phishing is a targeted version of phishing aimed at a specific individual. The attacker researches the victim (using social media, company websites, etc.) and crafts a personalised message. Because the email mentions the victim's name, job title or recent activities, it is far more convincing.

Example: An attacker discovers from LinkedIn that a finance manager has just returned from a conference. They send an email: "Hi Sarah, great to meet you at the Cyber Security Summit last week. Here are the slides I promised — please see attached."

Whaling

Whaling targets senior executives (the "big fish"). Because executives have access to sensitive data and the authority to approve large transactions, a successful whaling attack can be extremely damaging.

---

Pharming

Pharming redirects users from a legitimate website to a fraudulent one without the victim clicking a malicious link. This is achieved by:

1. DNS poisoning — corrupting the DNS server so that a legitimate domain name (e.g. www.mybank.com) resolves to the IP address of a fake website
2. Host file modification — changing the local hosts file on the victim's computer to redirect specific domains

Because the user types the correct web address, pharming is harder to detect than phishing.

---

Pretexting

In a pretexting attack, the attacker creates a fabricated scenario (a "pretext") to gain the victim's trust and extract information. The attacker often impersonates someone in authority.

Example: An attacker phones a company's IT helpdesk, pretending to be a senior manager: "This is James from the executive team. I'm locked out of my account and I'm about to present to the board. Can you reset my password immediately?"

The combination of authority, urgency and a plausible story makes pretexting highly effective.

---

Baiting

Baiting tempts the victim with something appealing. The attacker leaves a physical device (such as a USB drive) or offers a free download that contains malware.

Example: An attacker leaves a USB drive labelled "Staff Bonuses Q4" in a company car park. A curious employee picks it up and plugs it into their work computer, unknowingly installing malware.

---

Shoulder Surfing (Shouldering)

Shoulder surfing involves an attacker watching the victim enter sensitive information — such as a PIN, password or security code — by looking over their shoulder.

This can happen:

• At a cash machine (ATM)
• In a coffee shop when logging into a laptop
• On a train when using a smartphone

Defences Against Shoulder Surfing

• Privacy screen filters on laptops (make the screen unreadable from the side)
• Shielding the keypad when entering a PIN
• Using biometric authentication (fingerprint or face) instead of visible PINs
• Being aware of your surroundings in public spaces

---

Tailgating

Tailgating (or "piggybacking") occurs when an unauthorised person follows an authorised person through a secure door or entry point. For example, an attacker carrying a heavy box asks an employee to hold the door open — the employee complies out of politeness.

Defences Against Tailgating

• Turnstiles or mantraps that only allow one person through at a time
• Security guards checking ID badges
• Staff training to challenge anyone without visible identification

---

Defending Against Social Engineering

The single most effective defence against social engineering is user education and security awareness training. Staff should be trained to:

• Recognise phishing emails and report them
• Never share passwords, even with people who claim to be from IT
• Verify the identity of callers before giving out information
• Be cautious with USB drives and unexpected attachments
• Challenge unfamiliar people in secure areas

Technical measures that support this include:

Measure	What It Does
Email filtering	Blocks known phishing emails before they reach users
Two-factor authentication (2FA)	Even if a password is stolen, the attacker needs a second factor
Anti-malware software	Detects malicious attachments
Website blocklists	Prevents access to known malicious domains
Simulated phishing campaigns	Tests staff awareness with fake phishing emails

---

Key Terms Summary