Social Engineering

From Embedded Lab Vienna for IoT & Security
Revision as of 21:57, 21 December 2021 by ORetzer (talk | contribs) (Prevention)
Jump to navigation Jump to search


This documentation contains information of what Social Engineering is, how it is getting used and how to prevent or mitigate some of those attacks.


In order to execute a social engineering attack you need to understand the basis of social engineering described below. There are also tools to understand and execute these attacks on a practical level. There are many pre-defined attacks which show how easy it is to perform such attacks. You can read more about that in Social Engineering Toolkit


Social Engineering is the art of collecting information with some kind of human relation. The goal of social engineering is to guide a person into a certain direction preferably in a volitional one. This leads into spying on someone's personal environment to achieve a definite goal e.g. manipulation of elections, retrieving information, stealing money and many more.


In Social Engineering there are a few necessary steps to complete an attack and gain the information you are after. These steps are categorized mainly in 4 phases: Information Gathering, Getting in Contact, Exploit the Attack Vector and Vanish Traceless.

Information Gathering

This is the most important part in an attack. This is the key element of success or failure in order of achieving your goal. It requires a lot of reseach and knowledge to know whom to pick as your target. It defines how easy or diffcult it will be. As an example it will be easier to target an elder person without any prior knowledge of internet and its dangers, rather than a more educated person with a better understanding of scam attacks. "Know your Enemy" by Sun Tzu, The Art of War cannot describe it clearer than that.

Getting in Contact

This step aims to message the vicitm in any kind of way. This is possible over common communication channel e.g. E-Mail, SMS, Facebook, WhatsApp, Telegram, Discord and so on. Than you have to establish a connection with the target and invent a believable story. You should create a certain mutual trust with the target and influence the victim on an emontiona level. This should help to lure out sensitive information of the vicitm. An example would be that you lost something very valuable and you are not able to pay it on time. This most likley would give you the information you want.

Exploit the Attack Vector

With all the information gathered from the previous phases you are now able to abuse the information and orchestrate your attack. How you attack your target is most often depened on the information you gained. Most of the time you try to gain access to an account and try to accomplish your objective.

Vanish Traceless

The last step concludes the attack and is the last time you should ever communicate with this person. This is very important because if you keep in contact you will probaly get chaught sooner or later. A recommended step is removing any trace that you have left like removing login emails, hide transaction, ... .


This part contains the most common and basic attacks used today. Nearly everyone should have seen such an attack in practice, either by e.g. receiving a pishing email or getting a warning that pishing emails are circulating with an example. If you have not, just check you Spam or Junk folder in you mailbox you will probably find one in there.


Phishing Attacks are one of the most common attacks. They are pretty simple and based on for example a real E-Mail that is being copied and used to get user data with links redirecting to a wrong website. This website looks than pretty similar to the original and if you do not look close enough you sometimes do not even realize that it is fake. The goal of this attack is in general to steal password from accounts and then try to steal money in any way possible.


This attack is similar to Phishing but the goal of this attack is to make you believe that you are being contacted by someone close or authoritative. These messages could lead you to send personal information to the attacker. If done right and other conversation were being caputred before and the phone number or E-Mail got spoofed you sometimes would not even realize that it is a fake.


Tailgaiting is an attack that requires physical access to a secure building. This is achieved by following people through doors or opening you the door by thinking you lost your access card. When done right you get access to a certain level where you could install malware on others PCs. Another ways would be to ask someone for their phone to make a call and then install malware when they are not watching.


Lately these attacks are getting more and more popular and seem unstoppable. Ransomware is a software that encrypts personal data and blackmails the vicitms to pay a lot of money to get their data. But the truth is you do not know if you even get your money back. The most known Ransomware are WannaCry and Locky.

Dumpster Diving

This technique is as the name already tells used to get information out of the trash of others. A letter with sensitive infomation e.g. bank, creditcard or hard drives can contain a lot of data that can be used against you if not disposed properly. A good tip would be throw away pieces of information in different trash cans for example when on the way to work.

Pop-Up Window

Pop-Up Windows are often used to scare non enlightened people to get tricked by a simple window mostly in a browser. This scam either wants you to redeem the jackpot you just won or tell you that you computer is infected and you should call the attacker to infect you with malware. Most of the times these windows are hard to close and are pretty loud to intimiated the victim.


This approach is similar to the goal of Pishing but is done quite differently. The task is to lure the vicitm on to a similar looking website e.g. bank, insurance, ... but it is not done with sending you fake links but rather hacking the DNS Server and redirecting you instantly without you even knowing. If the website is done very well your data is being apprehend and afterwards you are getting redirect onto your real bank account without you ever knowing.

USB Drop

Since USB Stick became more and more demanding a way of attacking people was found. This attack is done by randomly scattering USB Sticks arround and hopefully a vicitim picks it up and takes it home. Instead of celebration a free USB Stock you are getting infected with any kind of malware. A practical ways of deploying malware on a USB is defined in Bash Bunny Exploits


As attacks increase and improve it is very hard to defend against those if you do not know how they work and what they do. To prevent or mitigate such attacks you need 3 important informations.

Clarify Attacks

The first part help you to understand how and what these attacks are trying to do. If you know what a Pop-Up Window is and you now know that these messages are spam and trying to lure you into a trap you will not fall for it anymore. The best way is know examples of the most common attacks to obtainer awareness againts those social engineering attacks. Since these attacks improve over time you should be up-to-date and you should ask people you trust for help if you do not know how to proceed.

Set Security Standards

You should start setting yourself a certain security standard. This goes from checking certain programs or files you do not know to check links before you click them. If you have a new contact in your mailbox you should double check the sender to know for you sure you are not dealing with a scam artist. You should also never share you PC with other or plug-in strange devices you do not know. An increased awareness about pishing emails from providers would be appreciative to check bills if they are not infected with malware.

Implement Security Tools

Since detecting malware is getting more difficult everytime you should start using certain tools to help you secure you environment. These tools will help you to detect unwanted programs and helps you safeing your data externally.