Table of Contents
Abstract
Importance of Social Engineering
Methods
Rapid Expansion of Cybercrime
Preventative Measures & Solutions
Conclusion
References
Abstract
Social engineering is one of the most important concepts in cybersecurity today. Social
engineering can be defined as a form of information gathering through psychological and social
manipulation or persuasion of people with access to sensitive data. The purpose of this paper is
to introduce the concepts and methods of social engineering, its role in network intrusion and
cybertheft, the recent rapid expansion in cybercrime incidents worldwide, and finally,
preventative measures and solutions relating to social engineering. This paper will provide real-
world case studies of events that involved social engineering, along with actual statistics from
companies that record hacking activity. The preventative measures and solutions provided will
come from respected sources that have proven themselves worthy of being called experts in the
field of cybersecurity.
use of computers expand, so do the threats and people who are willing to attack others using
those channels. Social engineering has existed as long as electronic communications have been
around. Ricart, Soulis, and Nadeau (2013) tell us that in 2011, 48% of the biggest international
companies experienced over 25 social engineering attacks between 2009 and 2010.
As more and more banks and financial institutions move to the cloud, so do the hackers.
New e-billing companies are sprouting up as well, such as Venmo, a direct competitor to
PayPal. Android and Apple are also in competition with their e-pay systems involving
SC Magazine predicts an increase in social engineering attacks in 2015, citing newer, more
http://www.scmagazine.com/social-engineering-will-ramp-up-in-2015/article/389169/
Methods
There are several methods of social engineering. The more common and effective methods being
used today are phishing, tailgating, baiting, and quid pro quo.
A phishing attack is when someone creates a fake website that mirrors a legitimate site. For
instance, a hacker might create an exact copy of PayPal’s website, with a functional login form.
Once the user enters their login information into the form, it is captured and sent to the hacker.
An error message might then appear claiming that the password was entered incorrectly, after
which the page forwards the user (without them noticing) to the real PayPal site, where their
second attempt to log in is successful.
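The capture-then-forward pattern described above leaves a trace a defender can look for in web proxy logs: a form POST to an unfamiliar host followed seconds later by a visit to the real site. The following is an added example, not part of the original paper; the log format, host names, and 60-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (not real traffic): time, client, method, host, path
SAMPLE_LOG = """\
2015-11-01T09:00:01 10.0.0.5 GET paypa1-login.example /signin
2015-11-01T09:00:20 10.0.0.5 POST paypa1-login.example /signin
2015-11-01T09:00:22 10.0.0.5 GET www.paypal.com /signin
2015-11-01T09:05:00 10.0.0.9 POST www.paypal.com /signin
2015-11-01T09:06:00 10.0.0.7 POST intranet.example /timesheet
2015-11-01T09:30:00 10.0.0.7 GET www.paypal.com /home
"""

LEGIT_DOMAIN = "paypal.com"      # the brand used in the paper's example
WINDOW = timedelta(seconds=60)   # assumption: the forward follows the POST quickly


def is_legit(host):
    """True if host is the legitimate domain or one of its subdomains."""
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def parse(log_text):
    """Yield (time, client, method, host, path) for each log line."""
    for line in log_text.splitlines():
        ts, client, method, host, path = line.split()
        yield datetime.fromisoformat(ts), client, method, host.lower(), path


def find_capture_then_forward(log_text):
    """Return (client, suspect_host, post_time) where a form POST to a
    non-legitimate host is followed within WINDOW by a request to the real site."""
    last_post = {}   # client -> (time, host) of the most recent off-site POST
    alerts = []
    for ts, client, method, host, _path in parse(log_text):
        if is_legit(host):
            prev = last_post.pop(client, None)
            if prev and ts - prev[0] <= WINDOW:
                alerts.append((client, prev[1], prev[0].isoformat()))
        elif method == "POST":
            last_post[client] = (ts, host)
    return alerts


if __name__ == "__main__":
    for alert in find_capture_then_forward(SAMPLE_LOG):
        print("possible credential capture:", alert)
```

A hit is a lead for review rather than proof: the suspect host still has to be checked, and the affected user's password reset if the host turns out to be a copy of the real site.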
Tailgating is when someone follows closely behind another person when entering a building with
locked doors. It uses human nature and the threat of guilt to get into the building. Most people
wouldn’t slam the door in someone else’s face, even a stranger’s, which is why this method works
most of the time.
Baiting can be carried out by loading malware, password stealers, or keystroke recorders onto a
thumb drive, and then leaving that thumb drive in a parking lot, on the ground, or at a desk in a
library. The curious person who finds the “lost” USB drive then plugs it into their computer, in
hopes of finding something interesting or valuable, but instead becomes infected with the chosen
Quid pro quo, or “something for something”, is when a benefit is offered to the information
holder in exchange for the data. For instance, someone could pretend to be running a
survey in which the reward for completion is $5. Within the survey could be a question such as
“What is your password?”, “What is your mother’s maiden name?”, “What is your birth date?”,
etc. Any of this information could then be used to compromise the user’s account.
in social network popularity. Websites like Facebook, LinkedIn, Twitter, Instagram, and
Snapchat have all proven their popularity among the current generation. Hackers are very much
aware of the trends in social networks, because that is where people spend their time when
online. Kerner tells us about someone on Twitter who was victimized because the attacker was
able to socially engineer a GoDaddy employee. First, the attacker was able to get the last four
digits of the victim’s credit card account number. Then he was able to talk the GoDaddy
employee into giving him enough hints to guess the first two digits of the credit card. With that,
he was given access to the victim’s domain name and account, which he then used as leverage to
threaten the Twitter user and get his Twitter account.
footprints found in social networks. One great source of information can be found through
CERT, the registered service mark of Carnegie Mellon University. (2015, November 1) CERT
response. Each category has its challenge, although the most important one is prevention. Most
people will agree that prevention is almost impossible, and therefore it is more cost-effective to
Conclusion
In conclusion, there are many reasons why social engineering is an important concept within
cybersecurity today. The four main attack methods of social engineering that were discussed in
this paper are phishing, tailgating, quid pro quo, and baiting. Although prevention cannot be
guaranteed, companies can still rely on effective ways to detect and respond to these types of
attacks. Employee training is the most important thing to consider when creating a security plan
References:
de Vasconcelos, L. G., Yoshimi Kusumoto, A., da Silva, P. L., Franco Rosa, F., & Otávio
Duarte, L. (2013). Social Network Analysis for Social Engineering Footprinting. CISTI (Iberian
Conference On Information Systems & Technologies / Conferência Ibérica De Sistemas E
Tecnologias De Informação) Proceedings, 2185-190.
Greavu-Şerban, V., & Şerban, O. (2014). Social Engineering a General Approach.
Informatica Economica, 18(2), 5-14. doi:10.12948/issn14531305/18.2.2014.01
Tetri, P., & Vuorinen, J. (2013). Dissecting social engineering. Behaviour & Information
Technology, 32(10), 1014-1023. doi:10.1080/0144929X.2013.763860
Social Engineering For Pentesters. (2013). SC Magazine: For IT Security Professionals
(15476693), 60.
Ricart, P., Soulis, F., & Nadeau, Y. (2013). Beware of social engineering. CA Magazine, 146(8),
41-42.
Kerner, S. M. (2014). Twitter Social Engineering Account Takeover Saga Continues. Eweek, 4.