Cyber Security
Social Engineering
Definition:
Social Engineering is a deceptive technique used by attackers to access systems or sensitive data by exploiting human weaknesses rather than technical vulnerabilities. In essence, it is the art of manipulating people into revealing confidential information or performing actions that benefit the attacker.
Human Emotions: Hackers play on feelings like trust, fear, greed, or curiosity. For example:
“You’ve won a $500 gift card! Click here to claim it.”
You click out of curiosity or greed → Malware is installed.
Hidden Messages: They attack through phone calls, emails, or social media—quietly.
“I’m from IT. We noticed suspicious activity on your account. What’s your password so we can verify?”
You give it → They access your system.
Lack of Awareness: They target people who don’t know better or aren’t careful.
An employee leaves their computer unlocked in a café.
An attacker nearby uses a USB stick to install spyware unnoticed.
Fake Emergencies: They create pressure (like “urgent action needed”) so you react fast.
“Your bank account is locked! Verify your info now or it will be closed in 1 hour!”
The victim panics and submits sensitive data.
Pretending to Be Trusted: They act like someone you trust—like IT, your bank, or even the police.
A person wearing a fake badge follows a real employee into the office saying,
“I forgot my ID, but I’m with IT.”
They access internal systems physically.
Here are the key psychological and strategic principles hackers use to manipulate people:
Authority: Pretending to be someone in power or with credibility
“I’m from the IT department, I need your password.”
Urgency: Creating pressure to act quickly, bypassing logic
“Respond within 10 minutes or your account will be locked!”
Trust: Gaining confidence by impersonating familiar sources
Email from a “known” vendor asking for payment details
Reciprocity: Offering something to get something in return
“Here’s a free USB gift—just plug it in to access your reward.”
Liking: Being friendly or likable lowers suspicion
Friendly social media conversation that leads to oversharing
Social Proof: Claiming others have already complied or benefited
“Everyone in your department has completed this security form.”
Consistency: Getting a small “yes” first to later extract more
“Can you confirm your name?” → Then ask for login details
As a Science:
Based on behavioral psychology, cognitive biases, and persuasion techniques.
Uses structured methods (e.g., pretexting, phishing).
Grounded in research (Cialdini’s principles, Pavlovian responses, etc.).
As a Mindset:
A way of thinking like a hacker to exploit human weaknesses.
Focuses on observation, manipulation, and timing.
Adaptive: attackers adjust based on the target’s reactions.
Security Awareness Training
Teach staff to spot phishing, pretexting, baiting, etc.
Run simulated attacks (e.g., mock phishing emails).
Verification Procedures
Always verify identities (especially over phone/email).
Use call-back policies or internal ticketing systems.
Strong Access Controls
Enforce least privilege (users only access what they need).
Apply multi-factor authentication (MFA) everywhere.
Technical Defenses
Email filters
Web filters
SIEM systems
DLP systems
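The persuasion cues listed above (authority, urgency, a request for credentials) and the lookalike domains behind fake sender addresses and spoofed login pages are exactly what an email filter scores. The Python script below is an added example, not part of the original material: it parses a constructed sample lure, tags each cue with the principle it exploits, and checks sender and link domains against an assumed trusted domain (example-corp.com). The keyword lists, the confusable-character table and the scoring threshold are illustrative assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's genuine domain that attackers would imitate.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample lure combining the authority, urgency and trust cues.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: support@mail-verify.example.net
Subject: URGENT: verify your password within 10 minutes
Content-Type: text/plain

Hello,
I'm from the IT department. We noticed suspicious activity on your account.
Respond within 10 minutes or your account will be locked!
Please confirm your password here: http://examp1e-corp.com.login-check.example.net/verify
"""

# Constructed benign message from the real domain, used as a control.
BENIGN_EMAIL = """From: Alice <alice@example-corp.com>
Subject: Lunch menu for Friday
Content-Type: text/plain

Hi all, the cafeteria menu for Friday is on the intranet page.
"""

# Each keyword pattern is tagged with the persuasion principle it exploits.
CUES = {
    "authority": re.compile(r"\b(IT (?:department|helpdesk)|security team|your bank|police)\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|within \d+ (?:minutes|hours)|will be (?:locked|closed|suspended))\b", re.I),
    "credential request": re.compile(r"\b(password|confirm your (?:login|identity|account))\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Digit-for-letter swaps typical of typosquatted domains (examp1e -> example).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain a host imitates, or None if genuine or unrelated."""
    host = host.lower()
    if registrable(host) in trusted:
        return None  # the genuine domain
    normalised = host.translate(CONFUSABLES)
    for t in trusted:
        if registrable(normalised) == t:  # confusable characters
            return t
        if normalised.startswith(t + "."):  # trusted name used as a subdomain of another domain
            return t
    return None


def analyse(raw_message):
    """Tag social-engineering cues in an email and return a score with the evidence."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []

    for principle, pattern in CUES.items():
        hits = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        if hits:
            findings.append((principle, hits))

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike sender domain", [f"{sender_domain} imitates {imitated}"]))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(("reply-to mismatch", [reply_to]))

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(("lookalike link", [f"{host} imitates {imitated}"]))
        if url.lower().startswith("http://"):
            findings.append(("plain http link", [url]))

    score = len(findings)
    return {"score": score, "verdict": "suspicious" if score >= 3 else "ok", "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("control", BENIGN_EMAIL)):
        result = analyse(raw)
        print(name, result["verdict"], result["score"])
        for principle, evidence in result["findings"]:
            print("  ", principle, "->", "; ".join(evidence))
```

The constructed lure trips every check (seven findings), while the control message from the genuine domain scores zero; in a real gateway the keyword hits would be one weak signal among many, and the domain checks are the ones worth acting on.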
Incident Response & Reporting
Clear process for reporting suspected social engineering.
Encourage quick response—no blame culture.
Physical Security:
Use ID badges, access controls, and camera monitoring.
Enforce tailgating prevention.
Social Engineering Techniques
🎣 Phishing: Fake emails or messages asking for sensitive data
📞 Vishing: Fake phone call pretending to be support or IT staff
💬 Smishing: Malicious SMS with links or fake alerts
🧑💼 Impersonation: The attacker pretends to be a trusted employee
💻 Baiting: Leaving USB drives with malware, hoping someone plugs them in
👀 Shoulder Surfing: Watching someone’s screen or keyboard without them noticing
1. MITM (Man in the Middle)
The attacker positions themselves as a man in the middle between client and server, which means they can inspect the traffic and read the messages the client sends to the server, so they can:
Change the message from
Create a fake certificate so that the SSL/TLS traffic can be decrypted, using Burp Suite or an MITM proxy
Using that, they can capture your session token and complete the process as you
Or create a valid token themselves and probe for broken authentication and authorization
SSL stripping: another approach, in which the attacker keeps the victim's connection on HTTP instead of HTTPS
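SSL stripping only works while the browser is still willing to talk plain HTTP to the site, which is what the HTTP Strict Transport Security (HSTS) response header exists to prevent. The Python snippet below is an added example, not from the original slides: it parses the Strict-Transport-Security header from constructed sample responses and grades how well each site resists the downgrade. The host names are made up, and the one-year minimum is an assumed threshold (the max-age that hstspreload.org requires for preload list submission).

```python
# Constructed sample response headers (not real sites): a strong policy,
# no policy at all, and a weak short-lived one.
RESPONSES = {
    "bank.example": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "shop.example": {},
    "blog.example": {"strict-transport-security": "max-age=300"},
}

# Assumed threshold: one year, the minimum max-age hstspreload.org accepts.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(headers):
    """Grade a response's resistance to SSL stripping: returns (grade, reasons)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "none", ["no Strict-Transport-Security header: the browser will follow http:// links as-is"]
    d = parse_hsts(value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        return "invalid", ["max-age missing or not an integer; browsers ignore such a header"]
    if max_age == 0:
        return "none", ["max-age=0 tells the browser to forget the policy"]
    reasons = []
    if max_age < MIN_MAX_AGE:
        reasons.append(f"max-age={max_age}s is short; the policy lapses soon after the last HTTPS visit")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains absent: subdomains can still be downgraded")
    if "preload" not in d:
        reasons.append("preload absent: not eligible for the browser preload list, so the first-ever visit stays unprotected")
    return ("strong" if not reasons else "weak"), reasons


if __name__ == "__main__":
    for site, headers in RESPONSES.items():
        grade, reasons = assess_hsts(headers)
        print(f"{site}: {grade}")
        for r in reasons:
            print("   -", r)
```

Even a strong policy is only learned on the first HTTPS visit, so the preload directive (and actual submission to the preload list) is what closes the window an SSL-stripping attacker relies on.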
2. Phishing Emails
Fake emails to trick users into clicking or entering credentials
Fake "Microsoft login" link
Fake Software/Updates: tricking the user into installing malware, e.g. an "Update your Flash Player" popup
3. Malicious Attachments
Sending infected files (PDF, Word, EXE)
CV.docx with macro malware
Technically possible, because these file formats can carry embedded code (such as macros)
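An email gateway can catch the "CV.docx with macro malware" case before anyone opens it: Office Open XML files are zip containers, and a VBA project is stored in a well-known part (word/vbaProject.bin for Word, xl/ and ppt/ equivalents for Excel and PowerPoint) that a macro-free .docx should never contain. The Python script below is an added example, not from the original slides; it builds minimal constructed in-memory documents to test against, and the file names and verdict labels are assumptions for the example.

```python
import io
import zipfile

# Parts where OOXML stores a VBA project, per application.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
PLAIN_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def build_docx(with_macro):
    """Construct a minimal OOXML-style zip in memory (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00 placeholder VBA project \x00")
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Classify an attachment by extension versus content: returns (verdict, reason)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MACRO_ENABLED_EXT | PLAIN_EXT:
        return "unknown", f"{ext or 'no extension'} is not an Office Open XML type"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "suspicious", "extension claims OOXML but the content is not a zip container"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    has_macro = bool(names & MACRO_PARTS)
    if has_macro and ext in PLAIN_EXT:
        return "suspicious", f"VBA project found inside a {ext} file (a macro-free format)"
    if has_macro:
        return "review", f"{ext} contains a VBA project; macros need a business justification"
    return "clean", "no VBA project part"


if __name__ == "__main__":
    samples = [
        ("CV.docx", build_docx(with_macro=True)),   # the page's scenario
        ("CV.docx", build_docx(with_macro=False)),
        ("CV.docm", build_docx(with_macro=True)),
        ("CV.docx", b"MZ this is not a zip at all"),
    ]
    for name, data in samples:
        verdict, reason = inspect_attachment(name, data)
        print(f"{name}: {verdict} ({reason})")
```

The extension-versus-content mismatch is the strongest signal here: a genuine .docx never ships a VBA project, so that case can be quarantined outright, while a .docm with macros is a policy question (who is allowed to receive macro-enabled documents) rather than an automatic block.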
4. Fake Websites (Spoofing)
Clone of real sites to steal login info
Fake bank or Gmail login page
5. USB Drop (Baiting)
Leave infected USBs in public to tempt users
"Payroll.xls" on USB at office
6. Social Engineering
Manipulating humans directly
Pretending to be IT support asking for password
8. Infected Ads (Malvertising)
Malware hidden in online ads
Banner on website redirects to exploit site
9. Compromised Supply Chain
Infecting legitimate software or a vendor that customers already trust
Trojan in software installer
10. QR Code Traps
Malicious QR codes in flyers, stickers
Redirects to exploit page
11. SMS or WhatsApp Spoofing
Fake urgent messages with links
"Click to claim your prize!" SMS
Dr. Ghoniem Lawaty
Tech Evangelist @TechHuB Egypt