Social Engineering

Social engineering is a technique used in penetration testing and red teaming to manipulate individuals within an organization into granting unauthorized access to sensitive information, systems, or facilities. It exploits human psychology, trust, and predictable behavioral weaknesses to deceive targets into performing actions that compromise security, such as disclosing confidential data or unknowingly aiding an attack.

Common Psychological Triggers in Social Engineering

Attackers exploit these common social tendencies to manipulate targets:

  • Desire to be helpful: Employees often assist others without verifying identities.

  • Tendency to trust people: People assume others have good intentions.

  • Desire for approval: Fear of disappointing colleagues or superiors leads to compliance.

  • Fear of getting in trouble: Targets comply to avoid perceived consequences.

  • Avoiding conflict or arguments: People may comply to prevent confrontation.

Social Engineering in Pentesting

In penetration testing, social engineering is a critical attack vector used to assess an organization's human security weaknesses. Pentesters simulate real-world social engineering attacks to identify security gaps and recommend mitigation strategies.

Types of Social Engineering Attacks

  • Phishing: Mass email campaigns tricking users into clicking malicious links or downloading malware.

  • Spear Phishing: Targeted phishing attacks customized for specific individuals or organizations.

  • Vishing: Voice phishing using phone calls to manipulate targets into revealing sensitive information.

  • Smishing: SMS-based phishing attacks delivering malicious links or requests.

  • Pretexting: Creating a fabricated scenario to trick targets into disclosing information.

  • Baiting: Offering something enticing (e.g., free software, USB devices) to lure victims into running malware.

  • Tailgating: Gaining physical access by following an authorized person into a restricted area.

These techniques highlight the importance of awareness training and strict security policies to defend against social engineering attacks.
