πŸ•΅οΈβ€β™‚οΈ

Social Engineering

Sep 4, 2025

Overview

The lecture covers evolving social engineering attacks, including phishing, vishing, shoulder surfing, impersonation, tailgating, dumpster diving, and wireless evil twin attacks, with strategies to identify and prevent them.

Evolving Social Engineering Techniques

  • Attackers use multiple people and communication methods to earn trust and bypass security controls.
  • Social engineers may intimidate by posing as angry customers or exploit personal events for targeted attacks.

Phishing and Vishing

  • Phishing is a social engineering attack that uses spoofed emails or websites to steal credentials.
  • Attackers might use fake login pages with subtle errors, such as incorrect logos, to trick users.
  • Vishing (voice phishing) uses phone calls with spoofed numbers to request sensitive information, often impersonating trusted organizations.

Shoulder Surfing

  • Shoulder surfing is gaining private information by viewing someone's screen without permission.
  • Attackers may casually observe screens in public places or use tools like binoculars, malware, or cameras.
  • Prevent shoulder surfing by positioning screens, using privacy filters, and staying aware of surroundings.

Spear Phishing and Whaling

  • Spear phishing targets specific individuals with personalized attacks, often those with financial access.
  • Whaling is spear phishing directed at high-level executives with extensive access to sensitive information.

Tailgating and Piggybacking

  • Tailgating is unauthorized entry by following authorized personnel through secure doors.
  • Piggybacking involves an authorized person knowingly allowing another through a secure entry, often under pretext.
  • Organizations should enforce policies to challenge unbadged individuals and restrict access.

Impersonation and Dumpster Diving

  • Impersonation involves attackers pretending to be staff or trusted contacts to obtain restricted information.
  • Dumpster diving is searching through trash for valuable company information to aid social engineering.

Wireless Evil Twin Attack

  • Attackers set up rogue wireless access points with similar SSIDs to legitimate ones, tricking users into connecting.
  • An evil twin can drown out the legitimate network's signal, and the attack is especially effective when the network uses no encryption.
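To show what detecting this looks like from the defender's side, here is an added Python example (not part of the lecture) that scans a constructed list of beacon records against a hypothetical access point inventory and flags the three evil-twin signatures that follow from the bullets above: a trusted SSID advertised by a BSSID that is not in the inventory, a trusted SSID offered with weaker security than the inventory expects, and an SSID that is a near-lookalike of a trusted one. The SSIDs, BSSIDs and the `TRUSTED_NETWORKS` inventory are all constructed values.

```python
"""Flag candidate evil-twin access points in a Wi-Fi scan (added example).

Detection heuristics:
  1. A trusted SSID advertised by a BSSID that is not in the AP inventory.
  2. A trusted SSID advertised with weaker security than expected (e.g. OPEN).
  3. An SSID that is a near-lookalike of a trusted SSID (differs only by
     case or whitespace, or is within a small edit distance).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str      # AP MAC address as seen in the beacon frame
    security: str   # "OPEN", "WEP", "WPA", "WPA2" or "WPA3"


# Hypothetical inventory: SSID -> (authorised BSSIDs, expected security level)
TRUSTED_NETWORKS = {
    "CorpWiFi": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2"),
}

SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def _normalise(ssid):
    """Lower-case and strip all whitespace so 'Corp WiFi' matches 'corpwifi'."""
    return "".join(ssid.lower().split())


def _edit_distance(a, b):
    """Levenshtein distance; catches 'CorpWiFi' vs 'CorpWifi' or 'CorpWiFi '."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_evil_twins(scan, trusted=TRUSTED_NETWORKS, max_distance=1):
    """Return (bssid, ssid, reason) tuples for every suspicious beacon."""
    findings = []
    for entry in scan:
        if entry.ssid in trusted:
            bssids, expected = trusted[entry.ssid]
            if entry.bssid.lower() not in bssids:
                findings.append((entry.bssid, entry.ssid,
                                 "unknown BSSID for trusted SSID"))
            if SECURITY_RANK.get(entry.security.upper(), 0) < SECURITY_RANK[expected]:
                findings.append((entry.bssid, entry.ssid,
                                 f"security downgrade: {entry.security} < {expected}"))
            continue
        # Not an exact trusted SSID: look for near-lookalikes of one.
        for name in trusted:
            if (_normalise(entry.ssid) == _normalise(name)
                    or _edit_distance(entry.ssid, name) <= max_distance):
                findings.append((entry.bssid, entry.ssid,
                                 f"lookalike of trusted SSID {name!r}"))
                break
    return findings


# Constructed scan: one genuine AP, one rogue reusing the exact SSID without
# encryption, one rogue with a case-variant SSID, and an unrelated cafe network.
SAMPLE_SCAN = [
    ScanEntry("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2"),
    ScanEntry("CorpWiFi", "de:ad:be:ef:00:01", "OPEN"),
    ScanEntry("CorpWifi", "de:ad:be:ef:00:02", "OPEN"),
    ScanEntry("Coffee-Guest", "11:22:33:44:55:66", "OPEN"),
]

if __name__ == "__main__":
    for bssid, ssid, reason in find_evil_twins(SAMPLE_SCAN):
        print(f"{bssid}  {ssid!r:12}  {reason}")
```

In practice the scan records would come from a wireless IDS or a periodic site survey, and the inventory from the controller's managed-AP list; the heuristics stay the same.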

Key Terms & Definitions

  • Social Engineering — manipulating people into divulging confidential information.
  • Phishing — fraudulent attempts to obtain sensitive data via email or fake websites.
  • Vishing — phishing attacks conducted over the phone.
  • Shoulder Surfing — stealing information by watching someone's screen.
  • Spear Phishing — targeted phishing at specific individuals.
  • Whaling — spear phishing aimed at executives.
  • Tailgating — unauthorized entry by following someone into a secure area.
  • Piggybacking — being allowed into a secure area by an authorized person.
  • Impersonation — pretending to be someone else to gain access or information.
  • Dumpster Diving — retrieving confidential information from trash.
  • Evil Twin Attack — setting up a fake wireless access point to intercept data.

Action Items / Next Steps

  • Review company policies on visitor management and badge enforcement.
  • Consider installing privacy filters on devices used in public or shared spaces.
  • Always verify website URLs and be cautious of unusual login requests.
  • Use encrypted connections (VPNs) when connecting to wireless networks, especially in public areas.
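The "verify website URLs" item and the earlier point about fake login pages with subtle errors both come down to checking where a login link really leads. The following added Python example (not from the lecture) takes a constructed list of legitimate login domains and flags the common ways a phishing URL imitates one: a trusted domain placed as a subdomain of an unrelated registrable domain, a confusable-character lookalike such as a digit standing in for a letter, a punycode label, a userinfo trick that puts the trusted name before an `@`, and plain HTTP. `TRUSTED_DOMAINS`, the sample URLs and the two-label registrable-domain simplification are all assumptions of this example.

```python
"""Flag login-page URLs that impersonate a trusted domain (added example).

Checks performed:
  * scheme is not https
  * userinfo trick: https://example.com@evil.net
  * trusted domain used as a subdomain of another registrable domain
  * confusable characters (0/o, 1/l, rn/m, ...) or punycode (xn--) labels
"""
from urllib.parse import urlsplit

# Constructed inventory of domains where a genuine login page may live.
TRUSTED_DOMAINS = {"example.com"}

# Characters commonly swapped for look-alike letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def _registrable(host):
    """Simplification: take the last two labels as the registrable domain.
    A production check should consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def _skeleton(name):
    """Collapse confusable spellings so 'examp1e' and 'exarnple' read 'example'."""
    return name.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable reasons the URL looks suspicious
    (empty list means no finding)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append(f"userinfo before host (looks like {parts.username!r})")
    if not host:
        reasons.append("no hostname")
        return reasons
    reg = _registrable(host)
    if reg in trusted:
        return reasons  # genuine registrable domain; only scheme/userinfo issues apply
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname")
    for t in trusted:
        # '.example.com.' inside '.login.example.com.evil.net' => subdomain trick
        if ("." + t + ".") in ("." + host):
            reasons.append(f"trusted domain {t!r} used as subdomain of {reg!r}")
        elif _skeleton(reg) == _skeleton(t):
            reasons.append(f"{reg!r} is a lookalike of {t!r}")
        elif _skeleton(reg.split(".")[0]) == _skeleton(t.split(".")[0]):
            reasons.append(f"{reg!r} reuses the name {t.split('.')[0]!r} under another TLD")
    return reasons


# Constructed sample URLs: one genuine link and several imitation patterns.
SAMPLE_URLS = [
    "https://login.example.com/auth",
    "http://login.example.com/auth",
    "https://example.com@evil.net/",
    "https://login.example.com.evil.net/",
    "https://examp1e.com/login",
    "https://xn--exmple-cua.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} {check_login_url(u) or 'OK'}")
```

The same checks are what a mail gateway or browser extension applies before a user ever sees the link; doing it by hand, the question is always whether the registrable domain, not just the visible brand name, is the one you expect.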