Attackers might use social engineering because it consistently works. There is no patch for an untrained user or even an experienced security professional who forgets, in the heat of the moment, to follow what they have been taught.
Social Engineering is the Path of Least Resistance
Social engineering is the path of least resistance. A malicious actor knows it could take hours, weeks, or even months to successfully brute-force their way into a network to steal credentials. With social engineering tactics, however, such as the right pretext and a phone call or email, those same credentials can be stolen in a matter of minutes. An attacker might also try to gain physical access to a company’s network computers, impersonating a delivery driver, construction worker, or tech support to do so. Sifting through open source information, dumpster diving, or talking with a disgruntled employee may yield information that is then used to gain illegal access. Once the attacker is inside, a common USB thumb drive is all that’s needed to infect a computer and gain access to the network. The role played by social engineering grows as software products become more secure and harder to crack. To develop a plan to protect against such attacks, you must understand what tactics a social engineer will use, how they will use them, and what methodology they will employ in their attack cycle.
Social Engineering Attacks On The Rise
Over the past several years, incidents involving social engineering tactics in cases of fraud and data breaches have continued to increase. Reports released by industry leaders such as Agari, Symantec, and Verizon Enterprises indicate that social engineering tactics (phishing, vishing, and impersonation) are being used in conjunction with digital hacking methods to make attacks more effective and, inevitably, more profitable for the attackers. According to the 2017 Verizon Data Breach Report, 43% of all documented breaches involved social engineering attacks.
2017 Verizon Data Breach Report
City treasurer was victim of a phishing scam, transferred $100K to phoney supplier
‘Easier Than Robbing A Bank:’ City of Chicago Almost Lost More Than $1 Million In #Phishing Scam
The Nasty List #Phishing Scam is Sweeping Through Instagram
Victims losing an average of $164K to scam that targets Chinese Americans
24 Charged In Medical Supply Phone Scam Costing Medicare $1.2 Billion
Mumbai garment shop owner duped of ₹30K
Man Posing as Construction Worker Steals $15K in Laptops at Memorial Sloan Kettering
Oklahoma Walmart Robbed by Man Posing as Armored Car Employee
Man Impersonates Pest Control Worker to Enter Commercial Building
Social Engineering — a Common Element of Malicious Attackers
It is worth noting that social engineering is becoming a common element in the work of malicious attackers. As this framework will outline, the malicious social engineer has many tools in their arsenal and many attack vectors at their fingertips. Attackers know that most of the time an employee either doesn’t realize they are doing something wrong or doesn’t understand the value of the information they are disclosing. It is this naivety that creates a perfect atmosphere for a breach. The only way to protect against these attacks is to create a security-minded culture within your business or organization through continual education and training.