What is Social Engineering
Social engineering is a psychological manipulation technique used by threat actors to deceive individuals into revealing confidential information, granting access to systems, or performing actions that compromise security. Attackers use it to:
- Gain unauthorized access to systems or data
- Steal identities or login credentials
- Trick targets into performing actions unknowingly
Common forms of social engineering:
- Phishing: deceptive emails, fake websites, or text messages used to steal information such as usernames, passwords, or credit card numbers.
- Spear phishing: a more targeted and personalized phishing attack. The attacker gathers information about the victim in advance to appear more credible.
- Vishing: scams conducted through phone calls. The attacker may pretend to be from customer support, a bank, or the authorities.
- Pretexting: creating a false scenario to obtain information, for example posing as IT staff to ask for login credentials.
- Baiting: luring victims with something tempting, such as a free USB drive or a downloadable file, which may contain malware.
- Tailgating: following someone into a restricted area without authorization, commonly used in physical security breaches.
For a penetration tester, social engineering is still a common way to obtain initial access, and in real attacks it is the step that precedes hacking, ransomware, blackmail and other harm. Social engineering targets individuals, not systems: even a sophisticated, well-secured system can be penetrated if its employees are fooled. When an attacker cannot break the system, the individual is attacked instead. A typical sequence looks like this: the attacker performs OSINT on employees and finds useful details such as email addresses, schools, hobbies and birth dates; uses those details to look for a possible way in; and, once a target has been trapped, investigates further with techniques such as credential stuffing, searching for additional access and stealing data. How far this goes depends on motivation: some attackers do it to steal money or gain initial access, others to conduct espionage or for other purposes.
- Don’t trust unsolicited requests for personal or sensitive information
- Verify the identity of senders or callers
- Be cautious with suspicious emails or links
- Enable two-factor authentication (2FA) wherever possible
- Educate and train individuals or employees regularly
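Verifying senders and being cautious with links can be partly automated. The following is an added example (not code from the original page) that checks one raw email for three phishing indicators: a Reply-To routed to a different domain than the From address, a lookalike sender domain built with digit-for-letter substitutions, and a link whose visible URL differs from its real target. The sample message and the `KNOWN_DOMAINS` allowlist are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the page): display name and visible link imitate a bank; the real sender and target do not.
SAMPLE_EML = """\
From: "Example Bank Support" <support@examp1e-bank.co>
Reply-To: collect@mail-relay.example.net
To: staff@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Sign in at <a href="http://login.examp1e-bank.co/verify">https://www.example-bank.com/login</a></p>
"""
# Hypothetical allowlist of domains the organisation legitimately deals with.
KNOWN_DOMAINS = {"example-bank.com", "example.org"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e"})  # digits commonly used in place of letters

def registrable(host):
    """'www.example-bank.com' -> 'example-bank.com' (assumes a single-label public suffix)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def lookalike(domain):
    """True if the first label matches a known domain once digit homoglyphs are undone, but the domain itself is not allowlisted."""
    if domain in KNOWN_DOMAINS:
        return False
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    return any(label == k.split(".")[0] for k in KNOWN_DOMAINS)

def phishing_indicators(raw):
    """Return the names of the indicators present in one raw RFC 5322 message string."""
    msg = message_from_string(raw)
    found = []
    _, sender = parseaddr(msg.get("From", ""))
    from_dom = registrable(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.rsplit("@", 1)[-1]) != from_dom:
        found.append("reply-to-domain-mismatch")   # replies are routed away from the apparent sender
    if lookalike(from_dom):
        found.append("lookalike-sender-domain")    # e.g. 'examp1e-bank.co' imitating 'example-bank.com'
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        shown, real = urlparse(text.strip()), urlparse(href)
        if shown.hostname and real.hostname and registrable(shown.hostname) != registrable(real.hostname):
            found.append("link-text-host-mismatch")  # the URL the reader sees is not where the link goes
            break
    return found
```

A real deployment would replace the crude `registrable()` with a public-suffix list and extend the allowlist, but the three checks map directly to "verify the sender" and "be cautious with links" above.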