Social Engineering Attacks

This lesson explores social engineering in detail, as required by OCR J277 Section 1.4. Social engineering is one of the most common and effective attack methods because it exploits human psychology rather than technical vulnerabilities.

---

What Is Social Engineering?

Social engineering is the manipulation of people into performing actions or revealing confidential information. Rather than hacking into a system directly, the attacker tricks a person into giving them access.

Social engineering is effective because:

• Humans are often the weakest link in security.
• People tend to trust authority figures and familiar brands.
• Attackers create a sense of urgency to prevent victims from thinking critically.

---

Phishing

Phishing is the most common form of social engineering. Attackers send emails or messages that appear to come from legitimate organisations to trick victims into:

• Clicking malicious links
• Downloading infected attachments
• Entering login credentials on fake websites
• Transferring money

Recognising phishing emails:

Warning Sign	Example
Generic greeting	"Dear Customer" instead of your name
Urgency or threats	"Your account will be closed in 24 hours"
Suspicious sender address	support@bank-security-verify.com
Spelling/grammar errors	"Plese verify you're acount"
Unexpected attachments	Invoice.pdf.exe
Mismatched URLs	Link text says "www.bank.com" but leads elsewhere

OCR Exam Tip: In the exam, you may be given an example email and asked to identify features that suggest it is a phishing attempt. Look for generic greetings, urgency, suspicious links, and poor grammar.

---

Pharming

Pharming redirects users from a legitimate website to a fraudulent one without their knowledge. Unlike phishing (where the victim clicks a link), pharming can affect users who type the correct web address into their browser.

How pharming works:

1. DNS poisoning — The attacker corrupts the DNS (Domain Name System) server so that a legitimate domain name resolves to the IP address of a malicious website.
2. Malware-based — Malware on the victim's computer modifies the local hosts file, redirecting specific domains to fake sites.

Feature	Phishing	Pharming
User action required	Click a link	None — redirect is automatic
Method	Fake email/message	DNS poisoning or malware
Harder to detect	Can spot suspicious links	User sees correct URL in browser

---

Shouldering (Shoulder Surfing)

Shouldering (also called shoulder surfing) is the practice of looking over someone's shoulder to obtain confidential information such as:

• PINs at cash machines
• Passwords being typed
• Sensitive documents on screen

Prevention:

• Shield your keyboard when entering PINs
• Use privacy screen filters on laptops
• Be aware of your surroundings when entering sensitive data
• Position screens away from public view

---

Blagging (Pretexting)

Blagging (also known as pretexting) is when an attacker creates a fabricated scenario (a pretext) to persuade a victim to provide information or perform an action.

Examples of blagging:

• An attacker phones a company pretending to be from the IT helpdesk and asks an employee for their password.
• Someone poses as a delivery driver to gain physical access to a building.
• An attacker emails a finance department pretending to be the CEO and requests an urgent bank transfer.

Why blagging works:

• The attacker impersonates someone with authority.
• A sense of urgency is created ("I need this immediately").
• The victim does not want to appear unhelpful or question authority.

OCR Exam Tip: Blagging always involves creating a false scenario or identity. If the exam describes someone lying about who they are to obtain information, this is blagging. Do not confuse it with phishing, which specifically uses electronic messages with fake links.

---

Comparing Social Engineering Techniques

Technique	Method	Target	Key Feature
Phishing	Fake emails/messages	Mass or targeted	Links to fraudulent websites
Pharming	DNS redirection	Website visitors	Automatic — no click needed
Shouldering	Visual observation	Individuals in public	Physical proximity required
Blagging	Fabricated scenario	Individuals (often employees)	Impersonation and deception

The diagram below maps each technique to the human weakness it exploits, which is a useful framework for the OCR exam.

flowchart LR
  R((Social<br/>Engineering)) --> EL["Electronic<br/>channel"]
  R --> PH["Physical /<br/>in-person"]
  EL --> P["Phishing<br/>fake email link"]
  EL --> PA["Pharming<br/>DNS redirect"]
  PH --> SH["Shouldering<br/>observe screen/PIN"]
  PH --> BL["Blagging<br/>false identity, urgency"]
  P --> EX1["Exploits trust<br/>in brands"]
  PA --> EX2["Exploits trust<br/>in URL bar"]
  SH --> EX3["Exploits<br/>inattention"]
  BL --> EX4["Exploits authority<br/>and urgency"]

---

How to Protect Against Social Engineering

1. Staff training — Teach employees to recognise social engineering attempts.
2. Verification procedures — Always verify the identity of anyone requesting sensitive information.
3. Access controls — Limit information access to only those who need it.
4. Two-factor authentication — Even if credentials are stolen, a second factor prevents access.
5. Physical security — Restrict building access, use CCTV, implement visitor policies.

OCR Exam Tip: A common 6-mark question asks you to describe social engineering threats and how to prevent them. Structure your answer with one paragraph per threat, naming the threat, explaining how it works, and stating a specific prevention method.

---

Summary

Social engineering exploits human trust and behaviour rather than technical weaknesses. The four key techniques for OCR J277 are phishing, pharming, shouldering, and blagging. The best defence is user education combined with technical controls such as email filtering, two-factor authentication, and physical security measures.

---

Worked Example: Analysing a Phishing Email

Consider a phishing message received by Mrs Owen, a payroll administrator at a medium-sized engineering firm. The email claims to come from the company's IT director and reads approximately as follows:

From: Paul Hargreaves paul.hargreaves@it-company-supp0rt.co Subject: URGENT — mailbox quota exceeded

Dear Customer,

Your mailbox has exceeded its storage limit and will be deactivated within 2 hours unless you verify your account. Please clik the link below and re-enter you're credentails to avoid loss of service.

[Verify My Account]