
Lab - Social Engineering

Objective
In this lab, you will research examples of social engineering and identify ways to recognize and prevent it.

Resources
• Computer with internet access

Instructions

Step 1: Research Social Engineering Examples


Social engineering, as it relates to information security, is used to describe the techniques used by a person
(or persons) who manipulate people in order to access or compromise information about an organization or
its computer systems. A social engineer is usually difficult to identify and may claim to be a new employee, a
repair person, or researcher. The social engineer might even offer credentials to support that identity. By
gaining trust and asking questions, he or she may be able to piece together enough information to infiltrate an
organization's network.
Question:

Use any internet browser to research incidents of social engineering. Summarize three examples found in
your research.

Sure, here are three examples of social engineering incidents:

1. $100 Million Google and Facebook Spear Phishing Scam: This is considered the biggest social
engineering attack of all time. A Lithuanian national, Evaldas Rimasauskas, and his team set up a fake
company, pretending to be a computer manufacturer that worked with Google and Facebook. They sent
phishing emails to specific Google and Facebook employees, invoicing them for goods and services that
the manufacturer had genuinely provided, but directing them to deposit money into their fraudulent
accounts. Between 2013 and 2015, they cheated the two tech giants out of over $100 million.

2. Persuasive Email Phishing Attack Imitating US Department of Labor: In January 2022, a
sophisticated phishing attack was designed to steal Office 365 credentials. The attackers imitated the US
Department of Labor (DoL). They used two methods to impersonate the DoL’s email address and used
official DoL branding. The emails invited recipients to bid on a government project. The supposed bidding
instructions were included in a three-page PDF with a “Bid Now” button embedded. On clicking the link,
targets were redirected to a phishing site that looked identical to the actual DoL site.

3. Russian Hacking Group Targets Ukraine with Spear Phishing: In February 2022, Microsoft warned of
a new spear phishing campaign by a Russian hacking group targeting Ukrainian government agencies
and NGOs.

These examples illustrate the variety and sophistication of social engineering attacks, emphasizing the importance
of vigilance and robust security measures.

Type your answers here.


Step 2: Recognize the Signs of Social Engineering
Social engineers are nothing more than thieves and spies. Instead of hacking their way into your network via
the Internet, they attempt to gain access by relying on a person’s desire to be accommodating. Although not
specific to network security, the scenario below, described in Christopher Hadnagy’s book, The Art of Human
Hacking, illustrates how an unsuspecting person can unwittingly give away confidential information.
"The cafe was relatively quiet as I, dressed in a suit, sat at an empty table. I placed my briefcase on the
table and waited for a suitable victim. Soon, just such a victim arrived with a friend and sat at the table
next to mine. She placed her bag on the seat beside her, pulling the seat close and keeping her hand
on the bag at all times.
After a few minutes, her friend left to find a restroom. The mark [target] was alone, so I gave Alex and
Jess the signal. Playing a couple, Alex and Jess asked the mark if she would take a picture of them both.
She was happy to do so. She removed her hand from her bag to take the camera and snap a picture of
the “happy couple” and, while distracted, I reached over, took her bag, and locked it inside my briefcase.
My victim had yet to notice her purse was missing as Alex and Jess left the café. Alex then went to a
nearby parking garage.
It didn’t take long for her to realize her bag was gone. She began to panic, looking around frantically. This
was exactly what we were hoping for, so I asked her if she needed help.

© 2017 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 2 www.netacad.com


She asked me if I had seen anything. I told her I hadn’t but convinced her to sit down and think about
what was in the bag. A phone. Make-up. A little cash. And her credit cards. Bingo!
I asked who she banked with and then told her that I worked for that bank. What a stroke of luck! I
reassured her that everything would be fine, but she would need to cancel her credit card right away. I
called the “help-desk” number, which was actually Alex, and handed my phone to her.
Alex was in a van in the parking garage. On the dashboard, a CD player was playing office noises. He
assured the mark that her card could easily be canceled but, to verify her identity, she needed to enter
her PIN on the keypad of the phone she was using. My phone and my keypad.
When we had her PIN, I left. If we were real thieves, we would have had access to her account via ATM
withdrawals and PIN purchases. Fortunately for her, it was just a TV show."
Remember: “Those who build walls think differently than those who seek to go over, under, around, or
through them." Paul Wilson - The Real Hustle
Question:

Research ways to recognize social engineering. Describe three examples found in your research.
Sure, here are three ways to recognize social engineering, which are relevant everywhere, including Bhutan:

1. Unexpected Messages: Most social engineering attacks begin with the potential victim receiving an
unexpected request. If you receive a message that you weren’t expecting, especially if it’s asking for sensitive
information or actions, be cautious.

2. Unusual Requests: In many cases, social engineering attacks involve the attacker asking the potential victim
to do something they’ve never done before. If you’re asked to perform an unfamiliar action, especially one
that could potentially be harmful, it’s a red flag.

3. Sense of Urgency: One common characteristic of social engineering attacks is a sense of urgency attached
to the message. If an unsolicited correspondence is rushing you to take action, you should always be
suspicious.
Type your answers here.

Step 3: Research Ways to Prevent Social Engineering


Questions:

Does your company or school have procedures in place to help to prevent social engineering?
Type your answers here.
If so, what are some of those procedures?

While I don’t have a company or school, I can share some common procedures that organizations use to prevent
social engineering:

1. Security Awareness Training: This involves educating employees about the various tricks used by
cybercriminals. It can be the best defense against social engineering. For example, teaching your
workforce about the tell-tale signs of an attack can help prevent a cyber-threat from becoming a
cybersecurity incident.

2. Phishing Simulations: Phishing emails are a common way that malware infections occur. A popular
technique to train users to spot a phishing email is the use of phishing simulations. The simulation
sessions can be used remotely and are often tailored to the specific needs of your organization.

3. Prevent Pre-Texting: Pretexting is a type of social engineering which often grooms a target then
develops an environment of urgency to obtain sensitive data or encourage a transfer of money. To avoid
pretexting, you can use security awareness training that is augmented with clear security policies that deal
specifically with the challenges of pretexting and grooming.

4. Email Gateways: Social engineers often use email to execute a scam; email gateways are used to filter
out spam emails. Email gateways have been shown, when correctly configured, to reduce spam by up to
99.9%.

5. Advanced Technologies: Use of advanced technologies can help in detecting and preventing social
engineering attacks.

Remember, social engineering awareness is your best tool in combating these types of attacks. Stay vigilant and
educate yourself and others about these tactics to help prevent such incidents.

Use the internet to research procedures that other organizations use to prevent social engineers from gaining
access to confidential information. List your findings.
Type your answers here.
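The three recognition signs from Step 2 (unexpected message, unusual request, sense of urgency) and the email-gateway filtering mentioned in Step 3 can be turned into a small rule-based scorer. The script below is an added example for this lab, not part of the Cisco worksheet; the trusted-domain list, the "claimed organisation" table, the keyword lists and the three sample messages are all constructed for illustration, and the domains used (example.com, example.net, example.org) are reserved placeholder names.

```python
"""Rule-based red-flag scorer for incoming email.

Added example for the Social Engineering lab (not Cisco's code). Each rule
maps to a recognition sign from Step 2 or to a gateway-style check from
Step 3. All lists and messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed: domains this recipient legitimately hears from.
KNOWN_SENDER_DOMAINS = {"example.com", "dol.gov"}

# Constructed: organisations a sender might claim to be, and the domain that
# mail from that organisation would really come from.
CLAIMED_ORG_DOMAINS = {
    "department of labor": "dol.gov",
    "it helpdesk": "example.com",
}

URGENCY_PHRASES = ("immediately", "right away", "within 24 hours",
                   "urgent", "act now", "avoid suspension")
SENSITIVE_REQUESTS = ("password", "pin", "verify your identity",
                      "wire transfer", "bank account", "credit card")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Message:
    sender_name: str   # display name shown to the recipient
    sender_addr: str   # actual address
    body: str
    expected: bool     # was the recipient expecting contact from this sender?


@dataclass
class Verdict:
    score: int = 0
    suspicious: bool = False
    reasons: list = field(default_factory=list)

    def flag(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def phrase_hits(phrases, text: str) -> list:
    # Whole-word match so that short terms like "pin" do not match "shipping".
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def score_message(msg: Message, threshold: int = 5) -> Verdict:
    v = Verdict()
    text = msg.body.lower()
    name = msg.sender_name.lower()
    domain = sender_domain(msg.sender_addr)

    # Sign 1: unexpected message from a domain we do not normally hear from.
    if not msg.expected and domain not in KNOWN_SENDER_DOMAINS:
        v.flag(2, f"unexpected message from unknown domain {domain}")

    # Impersonation (as in the DoL example): display name claims an
    # organisation, but the address is not on that organisation's domain.
    for org, real_domain in CLAIMED_ORG_DOMAINS.items():
        if org in name and domain != real_domain:
            v.flag(3, f"display name claims '{org}' but address domain is {domain}")

    # Sign 3: urgency pressure.
    hits = phrase_hits(URGENCY_PHRASES, text)
    if hits:
        v.flag(2, "urgency language: " + ", ".join(hits))

    # Sign 2: unusual request for credentials, PINs or money.
    hits = phrase_hits(SENSITIVE_REQUESTS, text)
    if hits:
        v.flag(3, "asks for sensitive data or payment: " + ", ".join(hits))

    # Gateway-style check: links that lead away from the sender's own domain.
    for host in URL_HOST.findall(msg.body):
        host = host.lower()
        if host != domain and host not in KNOWN_SENDER_DOMAINS:
            v.flag(1, f"link points to unrecognised host {host}")

    v.suspicious = v.score >= threshold
    return v


# Constructed sample messages: a DoL-style lure, a normal internal notice,
# and a credential request sent from an otherwise trusted domain.
SAMPLES = [
    Message("US Department of Labor", "procurement@dol-notifications.example.net",
            "You are invited to bid on a federal construction project. Open the "
            "attached bid instructions and click Bid Now within 24 hours: "
            "https://dol-gov-bids.example.org/login then sign in with your "
            "Office 365 password to submit.", expected=False),
    Message("Alice Smith (HR)", "alice@example.com",
            "Reminder: the all-hands meeting is Thursday at 10. Agenda is attached.",
            expected=True),
    Message("IT Helpdesk", "helpdesk@example.com",
            "Your mailbox is over quota. Enter your password at "
            "https://mail-reset.example.org/verify right away to avoid "
            "suspension of your account.", expected=False),
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict = score_message(m)
        print(f"{m.sender_addr}: score={verdict.score} suspicious={verdict.suspicious}")
        for r in verdict.reasons:
            print("  -", r)
```

The third sample matters most: it comes from a trusted domain and names no outside organisation, so the "unexpected sender" and impersonation rules stay quiet, yet the urgency wording, the password request and the off-domain link still push it over the threshold. That is the point of the Step 2 signs: judge the request, not just the sender.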

End of Document

