
Social Engineering

Created: 1/12/2026 Updated: 1/12/2026

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.
Social engineering is the manipulation of people into performing actions or divulging confidential information. Social engineers often rely on people’s willingness to be helpful, but they also prey on their weaknesses. For example, an attacker will call an authorized employee with an urgent problem that requires immediate network access and appeal to the employee’s vanity or greed or invoke authority by using name-dropping techniques in order to gain this access.
Social engineering attacks are related to the security and risk management domain.

Phishing#

With phishing, an attacker presents a user with a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information such as a username and password.

  • Phishing kits bundle ready-made components such as malicious attachments, fake data-collection forms, and fraudulent web links, so that a campaign can be run with little technical skill; many also include features intended to help the attacker avoid detection.

Spear phishing#

A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.
The attacker studies a victim and the victim’s organization in order to be able to make emails look legitimate and perhaps make them appear to come from trusted users within the company.

Whaling#

A form of spear phishing. Threat actors target high-profile business executives or key individuals in a company to gain access to sensitive data.

Vishing#

Vishing (short for voice phishing) is a social engineering attack carried out over a phone conversation. The attacker persuades the user to reveal private personal or financial information, or information about another person or a company.
Attackers exploit electronic voice communication to obtain sensitive information or to impersonate a known source, and they often spoof the caller ID so that the call appears to come from that source while their own identity stays hidden.

Smishing#

The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Business Email Compromise (BEC)#

A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.
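The indicators described in the phishing, spear phishing and BEC sections above can be checked mechanically on the message headers before a human ever reads the body. The following is an added example, not code from the original page: a Python function that parses a raw header block with the standard library and flags display-name deception, Reply-To and Return-Path mismatches, lookalike or punycode sender domains, urgency wording in the subject, and failed SPF/DKIM/DMARC results. The trusted-domain set, the two sample messages and the edit-distance threshold of 2 are constructed assumptions.

```python
"""Flag common phishing / BEC indicators in raw email headers.

Added example, not code from the original page. The trusted-domain set,
the sample messages and the edit-distance threshold are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domain
URGENCY = re.compile(r"\b(urgent|immediately|wire|overdue|action required)\b", re.I)
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@([\w.-]+)")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw: str) -> list:
    """Return human-readable findings for one raw message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    return_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    # 1. Display-name deception: the name embeds an address from another domain.
    m = EMBEDDED_ADDRESS.search(from_name)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name claims {m.group(1)}, address is {from_dom}")
    # 2. Replies or bounces routed to a domain other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From {from_dom}")
    # 3. Lookalike (typo-squat) or punycode/IDN sender domain.
    if any(label.startswith("xn--") for label in from_dom.split(".")):
        findings.append(f"punycode sender domain {from_dom}")
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} resembles trusted {trusted}")
    # 4. Pressure language in the subject (the urgency tactic).
    subject = msg.get("Subject", "")
    if URGENCY.search(subject):
        findings.append(f"urgency language in subject: {subject!r}")
    # 5. SPF/DKIM/DMARC results as recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "")
    for proto in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{proto}=(fail|softfail|none)\b", auth, re.I):
            findings.append(f"{proto} did not pass")
    return findings


# Constructed sample: a lookalike-domain BEC message, not a real capture.
SAMPLE_BEC = """\
Return-Path: <billing@exannple.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exannple.com;
 dkim=none; dmarc=fail header.from=exannple.com
From: "Jane Doe ceo@example.com" <jane.doe@exannple.com>
Reply-To: <payments@mail-relay.net>
To: accounts-payable@example.com
Subject: URGENT: wire transfer needed before 5pm

Please process the attached invoice today.
"""
# Constructed sample: an ordinary internal message.
SAMPLE_CLEAN = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?

Are you free?
"""

if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE_BEC):
        print("BEC sample:", finding)
    print("clean sample:", analyze_headers(SAMPLE_CLEAN))
```

Each finding on its own is weak evidence (internal mail legitimately uses Reply-To, and plenty of genuine messages say "urgent"); the value is in the combination, so a mail gateway or triage script would score the findings rather than block on any single one. Note also that the Authentication-Results header is only trustworthy when it was written by your own receiving server, so a real filter should discard copies of that header that arrived with the message.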

Social media phishing#

Physical social engineering#

USB (Universal Serial Bus) baiting#

Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This type of attack involves just leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended or placing them in strategic locations. Oftentimes, users think that the devices are lost and insert them into their systems to figure out whom to return the devices to; before they know it, they are downloading and installing malware. Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach.

Watering hole attack#

A watering hole attack is a targeted attack in which the attacker profiles websites that the intended victim accesses and scans them for vulnerabilities. If the attacker finds a website that can be compromised, he or she injects JavaScript or similar code that redirects users to a site hosting exploit code when they return. (This redirection is also referred to as a pivot attack.) The goal is to infect computers in the target organization's network, giving the attacker a foothold for espionage or other purposes.
Watering hole attacks are often designed to profile users of specific organizations. Organizations should therefore develop policies to prevent these attacks. Such a policy might, for example, require updating anti-malware applications regularly and using secure virtual browsers that have little connectivity to the rest of the system and the rest of the network. To avoid having a website compromised as part of such an attack, an administrator should use proper programming methods and scan the organization’s website for malware regularly. User education is paramount to help prevent these types of attacks.
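One of the checks the paragraph above recommends, scanning the organization's own pages for injected code, can be automated. The following is an added example, not code from the original page: a Python scanner built on the standard library's html.parser that reports script and iframe sources outside an allowlist, inline scripts that assign to location (the redirect pattern described above), and meta refresh tags. The allowlist, the sample page and every hostname in it are constructed assumptions.

```python
"""Audit an HTML page for the injections used in watering hole attacks.

Added example, not code from the original page. The allowlist and the sample
page are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts the site legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}
# Inline code that sends the visitor somewhere else.
REDIRECT = re.compile(
    r"(window|document|top|self)\.location|location\.(href|replace|assign)", re.I)


class InjectionAuditor(HTMLParser):
    """Collects (kind, detail) findings while parsing a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def _foreign(self, url):
        """True if the URL points at a host outside the allowlist.

        Relative URLs have no host and are treated as same-origin."""
        host = urlparse(url or "").hostname
        return bool(host) and host.lower() not in ALLOWED_HOSTS

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                if self._foreign(src):
                    self.findings.append(("foreign script", src))
            else:
                self._in_script, self._script_text = True, []
        elif tag == "iframe" and self._foreign(attrs.get("src")):
            self.findings.append(("foreign iframe", attrs.get("src")))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta refresh", attrs.get("content", "")))

    def handle_data(self, data):
        if self._in_script:  # html.parser hands us script bodies as data
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._script_text)
            if REDIRECT.search(code):
                self.findings.append(("inline redirect", " ".join(code.split())[:80]))


def audit_page(html: str) -> list:
    """Parse one page and return its findings in document order."""
    auditor = InjectionAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a compromised page with a UA-gated redirect and a hidden frame.
SAMPLE_PAGE = """<html><head>
<meta charset="utf-8">
<script src="https://cdn.example.org/app.js"></script>
<script src="https://203.0.113.7/stats.js"></script>
<script>
  if (navigator.userAgent.indexOf("Windows") !== -1) {
    window.location = "https://update-check.invalid/flash.html";
  }
</script>
</head><body>
<iframe src="https://update-check.invalid/x" width="0" height="0"></iframe>
<script src="/static/site.js"></script>
<p>Welcome</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run this against a fresh fetch of each page on a schedule and diff the findings against the previous run; a new foreign script host or a new inline redirect on a page nobody deployed to is the signal. The check is deliberately static, so it will miss code that is assembled at runtime; pairing it with a Content-Security-Policy that restricts script-src to the same allowlist closes that gap in the browser itself.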

Pretexting#

With pretexting, or impersonation, an attacker presents as someone else in order to gain access to information. In some cases this is as simple as briefly pretending to be another person within the organization; in others it involves building a whole new identity and using it to coax information out of the target. Social engineers may use pretexting to impersonate people in particular jobs and roles even when they have no experience in those roles.

  • Elicitation is the act of gaining knowledge or information from people. In most cases, an attacker gets information from a victim without directly asking for that particular information.
  • Pharming is a type of impersonation attack in which a threat actor redirects a victim from a valid website or resource to a malicious one that may be made to look like the valid site. From there, an attempt is made to extract confidential information from the user or to install malware on the victim's system. Pharming can be done by altering the hosts file on the victim's system, through DNS cache poisoning, or by exploiting a vulnerability in a DNS server.
  • An attack similar to pharming is malvertising, which places malicious ads on trusted websites. Users who click these ads are redirected to sites hosting malware.
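The hosts-file variant of pharming mentioned above leaves a visible trace on the endpoint, and checking for it is cheap. The following is an added example, not code from the original page: a Python check that parses hosts-file text and reports any entry that overrides a watched (high-value) domain, or that pins a public-looking name to an address outside the loopback, RFC 1918 and ULA ranges that legitimately appear in corporate hosts files. The watched-domain set and the sample hosts file are constructed assumptions; the addresses in the sample come from documentation ranges.

```python
"""Check a hosts file for the local-override form of pharming.

Added example, not code from the original page. The watched-domain set and
the sample hosts file are constructed assumptions."""
import ipaddress

# Assumption: domains whose resolution must never be overridden locally.
WATCHED_DOMAINS = {"bank.example.com", "login.example.com"}
# RFC 1918 / IPv6 ULA ranges that legitimately appear in corporate hosts files.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a mapping
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries


def is_watched(name: str) -> bool:
    """True for a watched domain or any subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in WATCHED_DOMAINS)


def is_internal(ip) -> bool:
    """Loopback, unspecified (0.0.0.0 ad-block style), link-local or private."""
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in net for net in INTERNAL_NETS))


def suspicious_hosts_entries(text: str) -> list:
    """Return (hostname, ip, reason) for entries a pharming attack would add."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if is_watched(name):
            findings.append((name, str(ip), "watched domain overridden locally"))
        elif "." in name and not is_internal(ip):
            findings.append((name, str(ip), "public name pinned to an external address"))
    return findings


# Constructed sample hosts file (addresses from RFC 5737 documentation ranges).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.tracker.example          # ad-blocking entry, harmless
10.0.0.5     wiki.corp.example.com        # internal override to a private address
203.0.113.7  bank.example.com             # watched domain sent to an attacker host
203.0.113.7  login.example.com www.login.example.com
198.51.100.9 cdn.somevendor.net
not-an-ip    garbage
"""

if __name__ == "__main__":
    for name, ip, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

On a real host, feed it the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts from an endpoint agent, and treat any change to that file as an event worth recording in its own right. This covers only the hosts-file technique; detecting DNS cache poisoning or a compromised resolver means comparing the answers your resolver gives for watched names against an independent, authenticated source, which needs network access and so is not shown here.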

Physical Attacks#

Baiting#

A social engineering tactic that tempts people into compromising their security. The most common example is USB baiting, described above, which relies on someone finding a planted USB drive and plugging it into their device.

Tailgating#

With piggybacking, an unauthorized person tags along with an authorized person to gain entry to a restricted area – usually with the person’s consent. Tailgating is essentially the same but with one difference: It usually occurs without the authorized person’s consent. Both piggybacking and tailgating can be defeated through the use of access control vestibules (formerly known as mantraps). An access control vestibule is a small space that can usually fit only one person. It has two sets of closely spaced doors; the first set must be closed before the other will open, creating a sort of waiting room where people are identified (and cannot escape). Access control vestibules are often used in server rooms and data centers. Multifactor authentication is often used in conjunction with an access control vestibule; for example, a proximity card and PIN may be required at the first door and a biometric scan at the second.

Dumpster Diving#

With Dumpster diving, a person scavenges for private information in garbage and recycling containers. To protect sensitive documents, an organization should store them in a safe place as long as possible. When it no longer needs the documents, the organization should shred them. (Some organizations incinerate their documents or have them shredded by a certified professional third party.) Dumpster divers might find information on paper and on hard drives or removable media.

Shoulder Surfing#

With shoulder surfing, someone obtains information such as personally identifiable information (PII), passwords, and other confidential data by looking over a victim’s shoulder. One way to do this is to get close to a person and look over his or her shoulder to see what the person is typing on a laptop, phone, or tablet. It is also possible to carry out this type of attack from far away by using binoculars or even a telescope. These attacks tend to be especially successful in crowded places. In addition, shoulder surfing can be accomplished with small hidden cameras and microphones. User awareness and training are key to prevention. There are also special screen filters for computer displays to prevent someone from seeing the screen at an angle.

Badge Cloning#

Attackers can perform different badge cloning attacks. For example, an attacker can clone a badge or card used to access a building, using specialized hardware and software. Attackers can also combine this with social engineering: impersonating an employee or other authorized user by fabricating a badge that merely looks right and relying on other people to let them into the building. This works even without cloning the radio frequency (RF) credential the badge carries.

Methods of Influence#

  • Authority
    A social engineer shows confidence and perhaps authority–whether legal, organizational, or social authority.
  • Scarcity and Urgency
    It is possible to use scarcity to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. Salespeople often use scarcity to manipulate clients (for example, telling a customer that an offer is only for today or that there are limited supplies). Social engineers use similar techniques.
  • Social Proof
    Social proof is a psychological phenomenon in which a person who is unsure how to behave copies what others around them are doing. For example, you might see others acting in a certain way and assume that it is appropriate. Social engineers take advantage of social proof when an individual enters an unfamiliar situation that he or she doesn't know how to deal with, and they can manipulate multiple people at once by using this technique.
  • Likeness
    Individuals can be influenced by things or people they like. Social engineers strive for others to like the way they behave, look, and talk. Most individuals like what is aesthetically pleasing. People also like to be appreciated and to talk about themselves. Social engineers take advantage of these human vulnerabilities to manipulate their victims.
  • Fear
    It is possible to manipulate a person with fear to prompt him or her to act promptly. Fear is an unpleasant emotion based on the belief that something bad or dangerous may take place. Using fear, social engineers force their victims to act quickly to avoid or rectify a dangerous or painful situation.

Social Engineering Tools#

Social-Engineer Toolkit (SET)#

Browser Exploitation Framework (BeEF)#

Call Spoofing Tools#

You can very easily change the caller ID information that is displayed on a phone. There are several call spoofing tools that can be used in social engineering attacks.

The following are a few examples of call spoofing tools:

  • SpoofApp: This is an Apple iOS and Android app that can be used to easily spoof a phone number.

  • SpoofCard: This is an Apple iOS and Android app that can spoof a number and change your voice, record calls, generate different background noises, and send calls straight to voicemail.

  • Asterisk: Asterisk is a legitimate open-source voice over IP (VoIP) PBX. Because the operator controls the caller ID presented on outbound calls, it can also be used to impersonate caller ID.

The following resources track phishing and social engineering trends:

  • Phishing.org reports on the latest phishing trends and shares free resources that can help reduce phishing attacks.

  • The Anti-Phishing Working Group (APWG) is a non-profit group of multidisciplinary security experts that publishes a quarterly report on phishing trends.

  • OUCH! is a free monthly newsletter from the SANS Institute that reports on social engineering trends and other security topics.

  • Scamwatch is a resource for news and tools for recognizing, avoiding, and reporting social engineering scams.