
1. What is Social Engineering? How does it work?

• Social engineering is the art of manipulating people so they give up confidential information.
• The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.
• Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try hacking their password (unless the password is really weak).
Working of Social Engineering:

Social engineering is still one of the most common means of cyber-attack, primarily because it is highly efficient. To criminals, the user is the ‘weakest link in the security chain’.

Users are normally targeted in two ways: either over the phone or online.

• By phone, criminals pose as employees of a company or organization, say a bank or ISP, and after going through some typical questions and statements in order to gain the trust of the potential victim, they will then ask for login credentials and passwords.
• The most common fraud technique on the Internet is phishing. In this technique, users reveal data because they think they are on a trusted website. Another way that social engineering is used online is through attachments to emails from people known to the victim. Malware is used to read users’ address books and send emails, with the attacker’s file attached, to all their contacts.
Why is Social Engineering Effective?

Humans are flawed. Machines are built with security in mind and are consistently updated to ensure vulnerabilities are patched and defenses are up to date. The same can’t be said for humans. Humans’ minds are constantly drifting and thinking about many things that (unless they work in the industry) do not have anything to do with security. This lack of knowledge and focus is why adversaries have so much success with social engineering. While the most tech-savvy may be able to sniff out a phish or social engineering attempt from a mile away, not everyone has that same “spidey sense.” On top of this, general information like your name, city of residence, address and even the names of your spouse and children can easily be found online. This personal information is the key to building trust and establishing a relationship with victims in order to obtain other, more useful information. Additionally, advanced social engineering technology like “deep fake” videos and voices is becoming more and more realistic by the day, making it harder than ever to tell the difference between a legitimate conversation or information request and a breach attempt.

2. Lifecycle of Social Engineering

Social engineering attacks generally occur when there is well-established communication between attackers and victims. The attacker prompts and motivates the user into compromising sensitive information, rather than explicitly employing a brute force attack for breaching the user’s data. The social engineering attack life cycle provides criminals a reliable process that can easily deceive the victim. The steps involved in the social engineering life cycle include:

Step 1. Target research: Preparation for an attack requires pre-planning from the perpetrator. Research time is invested in identifying the target’s name, personal details, and background information. Based on this information, the attack methods/channels are selected.

Step 2. Target hook: In this step, the attacker engages the target victim with a fabricated story that would be convincing, based on the information collected in the first step. The goal of the attacker here is to win the confidence of the victim.

Step 3. The attack: Once the attacker has obtained the necessary trust, the goal now shifts to extracting the information, which is the real goal. Depending on the intention, the attacker then uses the information or sells it.

Step 4. Exit: Once the attack’s objective is complete, the window of engagement is then closed by the attacker, typically with the goal of avoiding any detection or suspicion. The attacker then attempts to cover their tracks and disappear to the best of their ability.
COMMUNICATION STYLES

The four communication styles (DISC): Dominance, Influence, Steadiness and Conscientiousness.

• DISC is essentially a tool / process to help you understand your behaviours, but most importantly it helps you realise how your behaviours differ from those of others.
The aim is to lead you to conclusions about how to play to your strengths and also communicate / flex your style to complement the behaviours / styles of others to achieve your objective.
Essentially, the takeaways from understanding your profile are understanding how you handle conflict, how you are motivated, what stresses you and how you are motivated into action.
Knowing this helps you minimise conflict, improve influence and communication, and ultimately just be a more effective person.
Dominance Spotting:
Speech – Use a lot of acronyms, use short sentences, focus on the issue (don’t beat around the bush), do more talking than listening, can be rude in how they communicate, focus on “what” questions, are more interested in telling than in asking, speak fast and use an authoritative tone.
Actions – Time conscious, trust their gut, maintain high levels of eye contact, focused on outcomes, forceful, take risks and accept causing trouble, historical achiever.
Expectations – Want direct and straightforward communication and appreciation for their need to achieve / have results.
Indicators – Lack empathy, not focused on social interactions, not sensitive, blunt and to the point.
Demands – Results, flexibility, freedom to operate as they like, want directness, desire prestige, authority and power.
Influence Spotting:
Speech – Speak fast and often make small talk, can exaggerate things, talk about feelings and emotion, struggle to stay on track, speak in stories, concerned more with the “who” than the “what”.
Actions – Often animated, stand close to you, short attention spans, can be spontaneous and have lots of facial expressions.
Expectations – Look for recognition of contributions and appreciate a friendly and honest approach.
Indicators – Vulnerable to rejection, look for spotlight opportunities, overestimate self and others, make attempts to persuade and influence.
Demands – Public recognition, visible rewards and popularity, look for approval and friendliness from others, some freedom from details, and welcoming and warm relationships.
Steadiness Spotting:
Speech – Slow and steady in their delivery, use a warm tone and personal interaction (first-name basis), listen more than they talk, will often make small talk, ask “how” questions and speak at a reduced volume.
Actions – Often consult others, and conduct themselves with a patient and tolerant approach, embarrassed by recognition and often very service orientated.
Expectations – Look for a cooperative environment which is relaxed and agreeable, and like non-public shows of appreciation.
Indicators – Friendly and approachable, struggle with prioritising and deadlines, and often resistant to change.
Demands – Sincerity, clear standards and expectations, private appreciation, security and time to adjust to change, and a willingness to be listened to.
Conscientious Spotting:
Speech – Precise and detailed in their language, preferring to talk rather than write, and doing so with slower speech and lower volume than others, get to the point but often prefer to listen.
Actions – Very task / process orientated, with high levels of organisation and meticulousness, often time conscious but focused on being right, very diplomatic and can be hard to get a read on.
Expectations – Like others to get to the point, with low expectations of socialising, appreciate accuracy in information and value the smaller details.
Indicators – Not dependent on others, struggle and are not comfortable with vague information and ambiguity, will often seek to double-check and clarify information.
Demands – Clear expectations, no sudden changes / demands, a chance to show expertise but with limited limelight, look for their own autonomy and equal levels of attention from others on their objectives.
ASPECTS OF SOCIAL ENGINEERING

WHAT IS SOCIAL ENGINEERING?
Social engineering is a psychological attack against a company or an organization that aims to exploit people’s natural tendency to trust others.
A social engineering attacker fabricates a pretext that is familiar to targets, and then preys on their cognitive biases to lull them into a false sense of security and trust.

ASPECTS OF SOCIAL ENGINEERING
1) It’s physical and digital
Social engineering is an age-old con in all walks of life, so it would be wrong to think that this is either new or only seen in the online world.
In fact, social engineering has long since been used in the ‘real’ world. There have been numerous examples of criminals posing as fire marshals, technicians, exterminators and cleaners, with the sole purpose of entering company buildings and stealing company secrets or money.
2) The quality varies
The quality of social engineering scams varies wildly. For every sophisticated social engineer sending authentic-looking phishing emails or doing vishing calls, there will be countless others with poor English, conflicting stories and confusing information.
3) Countries are doing this
At a very high level, nation-states are actively engaging in social engineering campaigns, or at least using them as part of much more sophisticated advanced persistent threat (APT) attacks. This kind of online espionage plays an important role in the cyber efforts of countries like the US and China, as a Wired feature revealed.
4) You probably won’t notice an attack
The worrying thing about attacks like this is there is no immediate warning, no clear sign that you are under attack or have been compromised. There is no pop-up asking for bitcoins (like with CryptoLocker and other ransomware), or a scareware ad asking you to download an application or call a service centre.
5) Social engineering is big in enterprise
Social engineering affects all of us, but it is increasingly being used by fraudsters to target enterprises and small-and-medium-sized businesses.
One industry report from earlier this year revealed that social engineering is now being used to target middle managers and senior executives.
CATEGORIES OF SOCIAL ENGINEERING ATTACKS

What is social engineering?

Social engineering is an attack strategy that relies on manipulating someone to reveal private information via e-mail, social media, the telephone or by physical means.

As technological defenses become more robust, cyber criminals are increasingly using social engineering techniques to exploit the weakest link in the security chain: people.

Social engineering attacks can occur both
• online
• offline.
Types of Social Engineering Attacks:

1. Phishing
2. Vishing
3. Pretexting
4. Dumpster diving
5. Shoulder surfing
6. Whaling
7. BEC
8. Pharming
9. Baiting
10. Smishing/SMS phishing
11. Quid pro quo
12. Tailgating
13. Scareware

1. Phishing:

Phishing is a leading form of social engineering attack

Phishing is the most common type of social engineering attack, typically using spoofed email
addresses and links to trick people into providing login credentials, credit card numbers, or other
personal information.

Social engineers still use phishing techniques to gather information about a target. They are keen to exploit emotions such as fear and excitement, coupled with pressures such as urgency, to get the maximum rate of compliance. Currently, phishing and spear phishing attacks have become advanced, as attackers have the ability to perfectly clone reputable websites and use them to steal a client's data. The ability to shorten the URLs of these websites is also helping attackers avoid detection, since users would be alarmed if they noticed some difference between the legitimate site URLs and those of the links sent by attackers. Attackers are using clones of sites such as online banking systems and social media accounts to harvest a lot of data from unsuspecting targets.

Variations of phishing attacks include:

Angler phishing – using spoofed customer service accounts on social media

Spear phishing – phishing attacks that target specific organizations or individuals

Example:

Suppose an attacker sends you an email saying that there has been a breach of your PayPal account and your password needs to be changed urgently, accompanied by a link to change the password; you would easily comply. The link would lead you to a PayPal look-alike where you would be told to type your current password and a new password. Upon submitting this information, your current password would be sent to the attackers. They will have obtained very sensitive information from you in a very short period of time by exploiting your fear of losing money and then pressuring you to respond quickly.
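As an added, defender-side illustration of the warning signs described above (a brand name used as a decoy subdomain, near-miss spellings of the real domain, and shortened links that hide their destination), the following Python script is not part of the original notes. It pulls the links out of a constructed email modelled on the PayPal scenario and lists, for each link, why it looks suspicious. The trusted-domain set, the shortener list and the sample message are assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message modelled on the PayPal scenario above.
# All links and domains here are invented for the example.
SAMPLE_EMAIL = """Dear customer,
We detected a breach of your PayPal account. Reset your password now:
https://paypal.com.account-verify.example/reset
or use our short link https://bit.ly/3xyzabc
Your genuine account page is https://www.paypal.com/myaccount
"""

# Assumptions for the example: the brand's real domain, and a few public
# URL shorteners that hide the real destination from the reader.
TRUSTED_DOMAINS = {"paypal.com"}
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    (Does not handle suffixes like co.uk; adequate for the sample.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url):
    """Return the reasons a URL looks suspicious; an empty list means no finding."""
    reasons = []
    parsed = urlparse(url)
    authority = parsed.netloc.lower()
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return reasons  # genuinely on the brand's own domain
    if domain in SHORTENER_DOMAINS:
        reasons.append("url shortener hides the real destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address used as host")
    if "@" in authority:
        reasons.append("'@' in the authority part can disguise the real host")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in authority:
            # e.g. paypal.com.account-verify.example: the brand is only a decoy label
            reasons.append(f"'{trusted}' appears in the link but the domain is '{domain}'")
        elif levenshtein(domain, trusted) <= 2:
            reasons.append(f"domain '{domain}' is a near-miss of '{trusted}'")
    return reasons


def triage_email(text):
    """Map each URL in the message to its list of warning signs."""
    return {url: assess_url(url) for url in extract_urls(text)}


if __name__ == "__main__":
    for link, findings in triage_email(SAMPLE_EMAIL).items():
        print(link, "->", findings or ["no finding"])
```

The decisive check is the registrable domain, not whether the brand name is visible somewhere in the link: the decoy link in the sample contains "paypal.com" yet registers as account-verify.example, which is exactly the difference the text says users rarely notice. Shortened links get flagged without being expanded, since following them is the behaviour the attacker wants.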

2. Vishing

This technique is based on the old-fashioned way—a phone call. This type of social engineering is known as vishing. Attackers recreate the interactive voice response (IVR) system of a company, attach it to a toll-free number and trick people into calling the number and entering their details.

Example:
The cybercriminal may drain the victim’s bank account, commit identity theft, and use the
victim’s credit card details to make unauthorized purchases, and then email the victim’s
colleagues in hopes of tricking someone into giving up confidential work information.

3. Pretexting

Pretexting is another form of, or the early stage of, more complex social engineering attacks, where attackers focus on creating a good pretext, or a fabricated scenario, typically by creating a backstory that makes them sound trustworthy, which they can use to try and steal their victim's personal information.

Example:

• The most common example of a pretexting attack is when someone calls an employee and pretends to be someone in power, such as the CEO or a member of the information technology team. The attacker convinces the victim that the scenario is true and collects the information that is sought.

4. Dumpster diving

Dumpster diving is the practice of sifting through the trash of private individuals or companies to
find discarded items that include sensitive information that can be used to compromise a system
or a specific user account.

Example: Real-Life Dumpster Divers

Jerry Schneider

One of the most infamous examples of dumpster divers is Jerry Schneider, who started a
wholesale telephone equipment company while in high school in 1968. The idea came from the
dumpster, specifically Pacific Telephone’s trash, that included order and delivery system
documents, manuals, and invoices. Needless to say, Schneider got in trouble and served 40 days
in a security facility. He then founded a security consulting company.

5. Shoulder surfing

Shoulder surfing refers to using direct observation techniques to get information, such as looking
over someone's shoulder at their screen or keyboard.

Example:
At an ATM, a suspect watches over your shoulder as you enter your PIN.

6. Whaling

Whaling is another common variation of phishing that specifically targets top-level business
executives and the heads of government agencies.

Example: Snapchat hands over payroll information

Snapchat is no stranger to cyberattacks, but in 2016 the social media platform yet again found
itself at the center of a data breach when an employee was tricked into releasing payroll
information about some of its employees. In the attack, a member of the payroll team received
an email from someone claiming to be Snapchat CEO Evan Spiegel, who made a request for
employee payroll information. The data was duly handed over to the attacker and the information
was leaked shortly after.

7. BEC (business email compromise)

Emails purporting to be from senior members of staff.

8. Pharming

Redirecting web traffic from legitimate sites to malicious clones.

Example:

An attacker can use malicious code to monitor user web activity and trigger a redirect to a spoofed banking site. When a user enters their bank’s domain into the browser address bar, the pharming code hijacks the user’s activity and redirects the browser to an attacker-controlled website with the same look and feel as the official bank site. Users rarely look at the domain in the browser’s address bar, so it is an effective attack for stealing user financial data, including their credentials.

9. Baiting

Enticing victims into inadvertently compromising their security, for example by offering free
giveaways or distributing infected devices.

Example: A flagship phone worth 20,000 is advertised with a catchy ad at a low price, and sold for around 8000 to 10000.

10. Smishing/SMS phishing

Text messages that purport to be from legitimate entities are often used in combination with
other techniques to bypass 2FA (two-factor authentication). They might also direct victims to
malicious websites on their phones.

11. Quid pro quo

Quid pro quo attacks rely on people’s sense of reciprocity, with attackers offering something in
exchange for information. (In Latin, ‘quid pro quo’ means ‘something for something’.)

12. Tailgating

A physical security attack that involves an attacker following someone into a secure or restricted
area, for instance while claiming to have mislaid their pass.

Example:

A person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks the employee to ‘hold the door’, and thereby gains access to the company through an authorized person.

13. Scareware

A form of malicious software – usually in the form of a pop-up that warns that your security
software is out of date or that malicious content has been detected on your machine – that fools
victims into visiting malicious websites or buying worthless products.

Example:

Legitimate-looking pop-up banners appear in your browser while surfing the web, displaying text such as “Your computer may be infected with harmful spyware programs.” The pop-up either offers to install the tool (often malware-infected) for you, or directs you to a malicious site. There you will get a message that malicious content has been detected; sometimes the phone even vibrates when such a site is opened, and the site prompts you to download software hosted there.

How to Prevent a Social Engineering Attack:
Social engineering represents a critical threat to your organization’s security, so you must
prioritize the prevention and mitigation of these attacks as a core part of your cybersecurity
strategy. Preventing a social engineering attack requires a holistic approach to security that
combines technological security tools with comprehensive training for staff and executives.

Your first line of defense against a social engineering attack is training. Everyone in your
organization should know how to spot the most common social engineering tactics, and they
should understand the psychological triggers that scammers use to take advantage of people.

Human based attacks

Sasse and Flechais [60] identified human factors that can impact security governance, including people: having problems using security tools correctly; not understanding the importance of data, software, and systems for their organisation; not believing that the assets are at risk (i.e., that they would be attacked); or not understanding that their behaviour puts the system at risk. This highlights that risk cannot be mitigated with technology alone, and that concern assessment is important.

If risk perception is such that there is a widely held view that people do not believe their
assets will be attacked (as noted by [60]), despite statistics showing cyber security
breaches are on the rise year-on-year, then there is likely to be a problem with the
cyber security culture in the organisation. Educating people within an organisation is
vital to ensuring cultural adoption of the principles defined in the risk management plan
and associated security governance policy. People will generally follow the path of least
resistance to get a job done, or seek the path of highest reward.

As Sasse and Flechais note, people fail to follow the required security behaviour for one of two reasons: (1) they are unable to behave as required (one example being that it is not technically possible to do so; another being that the security procedures and policies available to them are large, difficult to digest, or unclear); or (2) they do not want to behave in the way required (an example of this may be that they find it easier to work around the proposed low-risk but time-consuming policy; another being that they disagree with the proposed policy).

Weirich and Sasse studied compliance with password rules as an example of compliance with security policy [61] and found that a lack of compliance was associated with people not believing that they were personally at risk and/or that they would be held accountable for failure to follow security rules. There is thus a need to ensure a sense of responsibility and a process for accountability, should there be a breach of policy. This must, of course, be mindful of legal and ethical implications, as well as the cultural issues around breaching rules, which is a balancing act.

Risk communication, therefore, plays an important role in governance, including aspects such as:
• Education: particularly around risk awareness and day-to-day handling of risks, including risk and concern assessment and management;
• Training and inducement of behaviour change: taking the awareness provided by education and changing internal practices and processes to adhere to security policy;
• Creation of confidence: both around organisational risk management and key individuals – develop trust over time, and maintain this through strong performance and handling of risks;
• Involvement: particularly in the risk decision-making process – giving stakeholders an opportunity to take part in risk and concern assessment and partake in conflict resolution.
Finally, leading by example is of paramount importance in the risk communication process. People are likely to be resentful if it appears that senior management are not abiding by the same risk management rules and principles. Visible senior engagement is an important cultural aspect of risk communication.

Security culture and awareness:

Dekker’s principles on Just Culture aim to balance accountability with learning in the context of security. He proposes the need to change the way in which we think about accountability so that it becomes compatible with learning and improving the security posture of an organisation. It is important that people feel able to report issues and concerns, particularly if they think they may be at fault.

Accountability needs to be intrinsically linked to helping the organisation, without concern of being stigmatised and penalised. There is often an issue where those responsible for security governance have limited awareness and understanding of what it means to practise it in the operational world. In these cases there needs to be an awareness that there is possibly no clear right or wrong, and that poorly thought-out processes and practices are likely to have been behind the security breach, as opposed to malicious human behaviour. If this is the case, these need to be addressed and the person at fault needs to feel supported by their peers and free of anxiety.

Enacting Security Policy:

Overall, effective cyber risk governance will be underpinned by a clear and enactable security policy. This section focuses on the elements of risk assessment and management that are relevant to achieving this. From the initial phase of the risk assessment there should be a clear focus on the purpose and scope of the risk assessment exercise. During this phase, for more complex systems or whole system security, there should be a focus on identifying the objectives and goals of the system. These should be achievable with clear links from objectives to the processes that underpin them. Risks should be articulated as clear statements that capture the interdependencies between the vulnerabilities, threats, likelihoods and outcomes (e.g., causes and effects) that comprise the risk.

Risk management decisions will be taken to mitigate threats identified for these
processes, and these should be linked to the security policy, which will clearly articulate
the required actions and activities taken (and by whom), often along with a clear
timeline, to mitigate the risks. This should also include what is expected to happen as a
consequence of this risk becoming a reality.

Human factors (see the Human Factors Knowledge Area) and security culture are fundamental to the enactment of the security policy. As discussed, people fail to follow the required security behaviour because they are unable to behave as required, or they do not want to behave in the way required.

A set of rules dictating how security risk management should operate will almost
certainly fail unless the necessary actions are seen as linked to broader organisational
governance, and therefore security policy, in the same way HR and finance policy
requires. People must be enabled to operate in a secure way and not be the subject of a
blame culture when things fail.

It is highly likely that there will be security breaches, but the majority of these will not
be intentional. Therefore, the security policy must be reflective and reactive to issues,
responding to the Just Culture agenda and creating a policy of accountability for
learning, and using mistakes to refine the security policy and underpinning processes –
not blame and penalise people.

Baiting:

As its name implies, baiting attacks use a false promise to pique a victim’s greed or
curiosity. They lure users into a trap that steals their personal information or inflicts
their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For example,
attackers leave the bait—typically malware-infected flash drives—in conspicuous areas
where potential victims are certain to see them (e.g., bathrooms, elevators, the parking
lot of a targeted company). The bait has an authentic look to it, such as a label
presenting it as the company’s payroll list.
Scareware:

Scareware involves victims being bombarded with false alarms and fictitious threats.
Users are deceived to think their system is infected with malware, prompting them to
install software that has no real benefit (other than for the perpetrator) or is malware
itself. Scareware is also referred to as deception software, rogue scanner software and
fraudware.

A common scareware example is the legitimate-looking popup banners appearing in your browser while surfing the web, displaying text such as “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious site where your computer becomes infected.

Pretexting:

Here an attacker obtains information through a series of cleverly crafted lies. The scam
is often initiated by a perpetrator pretending to need sensitive information from a
victim so as to perform a critical task.

dates, bank records and even security information related to a physical plant.

Phishing:

As one of the most popular social engineering attack types, phishing scams are email
and text message campaigns aimed at creating a sense of urgency, curiosity or fear in
victims. It then prods them into revealing sensitive information, clicking on links to
malicious websites, or opening attachments that contain malware.

An example is an email sent to users of an online service that alerts them of a policy
violation requiring immediate action on their part, such as a required password change.
It includes a link to an illegitimate website—nearly identical in appearance to its
legitimate version—prompting the unsuspecting user to enter their current credentials
and new password. Upon form submittal the information is sent to the attacker.

Spear phishing:

This is a more targeted version of the phishing scam whereby an attacker chooses
specific individuals or enterprises. They then tailor their messages based on
characteristics, job positions, and contacts belonging to their victims to make their
attack less conspicuous. Spear phishing requires much more effort on behalf of the
perpetrator and may take weeks and months to pull off. They’re much harder to detect
and have better success rates if done skillfully.
TECHNOLOGY BASED ATTACKS

Some social engineering attacks use technology to target people and weak security measures.
Goals are obtaining personal information, identity theft, execution of malware on systems, and password and credential theft.
A wide variety of techniques and technologies are used that are pervasive in everyday life.
A technology-based approach tricks a user into believing that he is interacting with a ‘real’ computer system and convinces him to provide confidential information.
Technologies can be used alone or in combination with each other to lend credibility and depth to the attack – computers, mobile phones, VoIP, fake ATMs, false login screens etc.
Technologies involved:
• Phishing
• Spear phishing
• Baiting
• Smishing etc.
May use malware – Trojans, viruses, fake apps.
For example, the user will get a popup window informing him that the computer application has had a problem and needs immediate fixing. It will tell the user to reauthenticate a computer application to proceed. As the user proceeds to reauthenticate, the user provides his ID and password on the popup window itself. Once they enter the necessary credentials for authentication, the harm is done. The hacker or the criminal who created the popup window now has access to the user’s ID and password and can, therefore, access their network and computer system.
TYPES OF SOCIAL ENGINEERING ATTACKS

• Technology based attacks are divided into 2 types:
Mobile based attacks
Computer based attacks
• Computer based attacks include:
Phishing
Baiting etc.
• Mobile based attacks include:
Smishing
Quick response code etc.
MOBILE BASED ATTACKS
SMS based : Sending a fake SMS saying that the user has
won a bounty, urging him/her to register with confidential
information or try and collect other important details.
Through Malicious Apps : Applications downloaded from
third party sources may be malicious; they can access
authentication information and other sensitive details.
Through Email and messengers: Attackers can send spam emails or malicious links through messenger applications. When the victim clicks on it, he may be redirected to a malicious site, or malware could be downloaded, or it may lead to some other malicious activity.
COMPUTER BASED ATTACKS
Hoax Letters: These are fake emails sending warnings about malware, viruses and worms causing harm to computers.
Chain letters: Asking people to forward emails or messages for money.
Spam Messages: These are unwanted, irrelevant emails trying to gather information about users.
Instant Chat messengers: Gathering personal information from a single user by chatting with them.
Key Techniques:
Social engineering assaults employ various techniques to gain
access to the victim's sensitive data or network. These attacks
come in various forms and can be carried out from any place where
human interaction is involved.
DNS spoofing and cache poisoning attacks
DNS spoofing manipulates a user's browser and web servers so that
the user is redirected to malicious websites when a legitimate URL
is entered. Once a system is affected by this attack, the redirect
continues until the inaccurate routing data is cleared from the
systems involved.
DNS cache poisoning attacks plant false routing entries on a user's
device so that multiple legitimate URLs resolve to fraudulent or
malicious websites.
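As an added defensive illustration (not part of these notes), the two checks a caching resolver applies so that a spoofed reply cannot plant entries for names it has no business answering: the reply must match an outstanding query, and only records inside the answering server's bailiwick are cached. The record layout, TEST-NET addresses and sample replies are constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, dot-terminated, e.g. "www.example.com."
    rtype: str   # "A", "NS", ...
    data: str    # rdata as text


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies below it."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def accept_reply(cache: dict, pending: dict, txid: int, qname: str,
                 answering_zone: str, records: list) -> list:
    """Filter a DNS reply before caching it.

    pending maps outstanding transaction IDs to the question name that
    was sent.  A reply whose TXID or question does not match is dropped
    whole; otherwise only in-bailiwick records enter the cache.
    Returns the records that were accepted (useful for logging)."""
    expected = pending.get(txid)
    if expected is None or expected.lower() != qname.lower():
        return []                      # unsolicited or mismatched reply
    accepted = []
    for rec in records:
        if in_bailiwick(rec.name, answering_zone):
            cache[(rec.name.lower(), rec.rtype)] = rec.data
            accepted.append(rec)
    del pending[txid]                  # query answered; TXID no longer valid
    return accepted


if __name__ == "__main__":
    # Constructed scenario: the example.com. server answers our query but
    # the reply also carries a bogus record for a name in a different zone.
    cache, pending = {}, {0x1234: "www.example.com."}
    reply = [Record("www.example.com.", "A", "192.0.2.1"),
             Record("login.example.net.", "A", "192.0.2.99")]
    kept = accept_reply(cache, pending, 0x1234, "www.example.com.",
                        "example.com.", reply)
    print([r.name for r in kept])      # only www.example.com. is cached
    print(("login.example.net.", "A") in cache)   # False
```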
Quick response code
This attack module makes use of QR codes instead of malicious links.
Since it is sometimes important to completely mask a link, it may be
worthwhile looking for alternatives that can be used to get targets
to a malicious site. The QRCode attack vector generates a working QR
code that redirects people to an attack vector, which in most cases
is a malicious website.
Phishing
Phishing is the attempt to acquire sensitive information, or to make
somebody act in a desired way, by masquerading as a trustworthy
entity in an electronic communication medium. These attacks are
usually targeted at large groups of people. Phishing can be performed
over almost any channel, from the physical presence of the attacker
to websites, social networks, or even cloud services. Attacks
targeted at specific individuals or companies are referred to as
spear-phishing.
Phishing often involves creating a cloned fake website to gather
sensitive information about users. It can be done by sending a fake
email that appears to come from the original website and then trying
to collect confidential information. Phishing can also be executed
through fake mobile applications.
Water holing
Water holing is a targeted social engineering strategy that
capitalizes on the trust users have in websites they regularly
visit. The victim feels safe doing things they would not do in a
different situation. A wary person might, for example,
purposefully avoid clicking a link in an unsolicited email, but
the same person would not hesitate to follow a link on a website
he or she often visits. So, the attacker prepares a trap for the
unwary prey at a favored watering hole. This strategy has been
successfully used to gain access to some (supposedly) very
secure systems.

Tailgating
Another social engineering attack type is known as tailgating or
piggybacking.
Trojan horses
This is one of the most predominant methods currently used by
hackers.
Spear phishing
Spear phishing requires the attacker to first gather information
on the intended victims, but the success rate is higher than in
conventional phishing. If a phishing attack is aimed at high-
profile targets in enterprises, the attack is referred to as whaling.
Quid pro quo
Similar to baiting, quid pro quo attacks promise a benefit in
exchange for information.
Smishing
• SMS + Phishing. It is a type of phishing attack that uses text
messages (SMS) in order to deceive recipients.
• Example: a message is received saying that suspicious activity has
been detected on your account, so to stop it you should send your
account information to verify your identity.
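The Phishing and Smishing sections above both turn on a link that imitates a trusted site. As an added defender's example (not from these notes), the triage logic below pulls the links out of a message body and flags hostnames that impersonate a trusted brand, whether by placing the brand name in front of an unrelated registered domain or by swapping look-alike characters. The brand list, confusable table and sample SMS are constructed; a real deployment would use the public suffix list instead of the two-label rule.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Substitutions commonly used to imitate a brand name (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def normalise(label: str) -> str:
    """Fold look-alike characters so 'examp1ebank' and 'rnicrosoft' read as the brand."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registered_domain(host: str) -> str:
    """Last two labels, e.g. 'login.examplebank.com' -> 'examplebank.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_link(url: str, trusted: dict) -> str:
    """trusted maps brand -> its genuine registered domain.

    Returns 'ok' for a genuine domain, 'lookalike:<brand>' when the host
    merely contains (a disguised form of) a brand name, else 'unknown'."""
    host = urlparse(url).hostname or ""
    if registered_domain(host) in trusted.values():
        return "ok"
    folded = normalise(host.replace("-", "").replace(".", ""))
    for brand in trusted:
        if brand in folded:
            return f"lookalike:{brand}"
    return "unknown"


def triage_message(text: str, trusted: dict) -> list:
    """Return (url, verdict) for every link found in an SMS or e-mail body."""
    return [(u, check_link(u, trusted)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    trusted = {"examplebank": "examplebank.com"}   # constructed brand list
    sms = ("Suspicious activity on your account. To stop it verify at "
           "http://examplebank.com.verify-id.net/login now")
    print(triage_message(sms, trusted))   # flagged as lookalike:examplebank
```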
Baiting
• It is an attack that uses physical media and relies on the
curiosity or greed of the victims. As the name suggests, baiting
attacks use a false promise to exploit a victim's greed or
curiosity. They trap users in order to steal their personal
information or infect their systems with malware.
• The most common type of baiting involves the use of physical media
to disperse malware. For example, criminals leave the bait,
typically malware-infected flash drives, in areas where there is a
high probability of potential victims seeing them. These areas
include parking areas, elevators, washrooms, etc. The bait has a
specific face value that can trick the victim into believing its
authenticity; for example, the external look of the bait can carry
a label presenting it as a payroll list.
• Potential victims are generally convinced by the face value of the
bait and, in turn, may insert it into a work or home computer
system. This results in direct infection of the victim's computer,
as the malware gets installed on the victim's device automatically.
• Baiting can be carried out in the physical as well as the online
world, where online baiting consists of providing enticing ads that
redirect users to malicious sites or motivate users to download a
malware-infected computer application.
Reverse social engineering
• Reverse social engineering is an attack in which trust is first
established between the attacker and the victim. The attackers
create a situation in which the victim requires help, and then
present themselves as someone the victim considers both able to
solve their problem and trustworthy enough to receive privileged
information. Of course, the attackers try to choose an individual
who they believe has information that will help them.