Transcript

While technology has advanced significantly in terms of security measures, humans remain the weakest link in the security chain. Since most successful attacks start by targeting people rather than systems, this module is dedicated to the human factor.

preface (1/2)

By the end of this module you will be able to answer the following questions:
  • What does social engineering mean?
  • Which human characteristics ensure that social engineering attacks are, and remain, successful?
  • What are the phases of a social engineering attack?
  • What is an onsite social engineering attack?
  • What is an offsite social engineering attack?

Preface (2/2)

Social engineering is psychological manipulation that influences people into disclosing sensitive information, such as:
  • email addresses
  • bank account details
  • passwords
  • ...

What is Social Engineering?

https://sourceconvegas2018.sched.com/speaker/clark.jessicac

In this video, social engineer Jessica Clark gains access to someone else's mobile phone account with a single phone call and is even able to change the password, all without writing a single line of code. https://youtu.be/BEHl2lAuWCk

An example of Social Engineering

https://www.verizon.com/business/resources/reports/dbir/ https://www.verizon.com/business/resources/reports/dbir/2022/summary-of-findings/

According to the 2022 Verizon Data Breach Investigations Report, 82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse.

Human factor in security incidents (1 / 2)

https://www.ibm.com/downloads/cas/ADLMYLAZ X-Force Threat Intelligence Index 2022 Page 16.

According to the 2022 IBM X-Force Threat Intelligence Index, more than half of the cyber attacks analysed exploited the weakest link, namely users.

Human factor in security incidents (2 / 2)

The OSI model is often informally extended with three extra layers that refer to the human factor (layer 8 is commonly used to mean the user). What is the function of each layer? Do some investigation and share your findings.

The weakest link in IT is the human

Humans have many emotions and traits that can be exploited, often ones that originate in prehistoric times and are deeply rooted in our natural behaviour:

  • Laziness
  • Curiosity
  • Fear
  • Greed
  • Politeness and helpfulness
  • The urge to solve something urgent
  • Guilt
  • Excitement

Why it works: Characteristics of humans

Successful social engineering attacks typically go through these phases:
  • Research phase
  • Hook phase
  • Play phase
  • Exit phase

phases in social engineering

onsite social engineering - impersonation (1/2)

Is this the bad guy? No! This is!

How to prevent impersonation?
  • Make the employees at the reception aware of these dangers
  • Always ask people from outside the organisation for proof of authorisation

onsite social engineering - impersonation (2/2)

  • Looking over someone's shoulder to get information
  • Can be used to get information in crowded places
    – ATM
    – PIN code
  • Can also be done from a distance with the aid of
    – modern cell phones
    – binoculars
    – vision-enhancing devices

onsite social engineering - shoulder surfing (1/2)

How to prevent shoulder surfing?
  • Cover by hand while entering your PIN/password/…
  • Use strong passwords, long PIN codes,...
  • Use multi-factor authentication
  • Use biometric authentication
  • Don't verbalise sensitive information
  • Use a screen protector for public computers or laptops.
  • Lock your devices whenever you leave them

onsite social engineering - shoulder surfing (2/2)

What is dumpster diving? Searching through the trash for obvious treasures:
  • access codes
  • passwords written down on sticky notes
Seemingly innocent information, such as a phone list, calendar or organisational chart, can help an attacker using social engineering techniques to gain access to the network. The memory of a printer or the hard drive of a decommissioned device can also contain sensitive information.

onsite social engineering - dumpster diving (1/2)

How to prevent dumpster diving?
  • Have a documented equipment decommissioning process
  • Use the appropriate secure storage media deletion process
  • Have a data retention policy
  • Make shredding convenient
  • Educate employees
  • Secure the waste containers

onsite social engineering - dumpster diving (2/2)

How to prevent tailgating?
  • Hang a warning sign saying "no tailgating"
  • Smart cards
  • Security guards
  • Use biometrics
  • Use visitor badges
  • Build security awareness
  • Technical solutions, like turnstiles that admit one person at a time

onsite social engineering - tailgating (2/2)

Footprinting is the process, also used in ethical hacking, of gathering information about the target and its environment online:
  • Registration details of the website, contact details.
  • Email harvesting,
  • Finding out the target IP address and determine network range
  • Identify active machine, DNS record, subdomains.
  • Operating system fingerprinting.
  • Finding login pages, sensitive directory
  • Find out any known vulnerability for that particular version.
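As an added example (not part of the original slides), the following Python script carries out three of the footprinting steps above entirely offline: e-mail harvesting, extracting in-scope subdomains from saved page text, and turning a WHOIS NetRange line into CIDR blocks. The sample page text, the NetRange line and the target domain example.com are constructed assumptions.

```python
"""Offline footprinting helpers: harvest e-mail addresses and in-scope
hostnames from saved page text, and turn a WHOIS-style NetRange into CIDR
blocks.  Added example, not part of the original slides; the sample page
and NetRange line below are constructed, and example.com is an assumed target."""
from __future__ import annotations

import ipaddress
import re

TARGET_DOMAIN = "example.com"   # assumption: replace with the engagement scope

# Constructed sample: what a saved "contact us" page plus a job posting might contain.
SAMPLE_PAGE = """
Contact: press@example.com, jobs@Example.com or sales@partner.net
Docs are at https://docs.example.com/api and http://intranet.example.com:8080/login
Legacy mail via mail.example.com; unrelated host: cdn.notexample.com
"""

# Constructed sample of the kind of line an ARIN/RIPE WHOIS answer contains.
SAMPLE_NETRANGE = "NetRange:       203.0.113.0 - 203.0.113.255"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def harvest_emails(text: str, domain: str = TARGET_DOMAIN) -> list[str]:
    """Return de-duplicated, lower-cased addresses that belong to `domain`."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.rsplit("@", 1)[1] == domain.lower())


def harvest_subdomains(text: str, domain: str = TARGET_DOMAIN) -> list[str]:
    """Return hostnames that are `domain` itself or a subdomain of it.
    The suffix check uses a leading dot so that notexample.com is not matched."""
    domain = domain.lower()
    hosts = {h.lower() for h in HOST_RE.findall(text)}
    return sorted(h for h in hosts if h == domain or h.endswith("." + domain))


def netrange_to_cidrs(whois_line: str) -> list[str]:
    """Parse 'NetRange: a.b.c.d - w.x.y.z' into the minimal list of CIDR blocks,
    which is the form scanners such as nmap accept as a target list."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", whois_line)
    if not m:
        raise ValueError("no IPv4 range found in: " + whois_line)
    first, last = (ipaddress.IPv4Address(x) for x in m.groups())
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    print("e-mails   :", harvest_emails(SAMPLE_PAGE))
    print("hosts     :", harvest_subdomains(SAMPLE_PAGE))
    print("net range :", netrange_to_cidrs(SAMPLE_NETRANGE))
```

In a real engagement the page text would come from saved search results or a crawler and the NetRange from a `whois` lookup; only collect against a scope you are authorised to test.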

offsite social engineering - footprinting (1/1)

What is phishing?
  • An attempt to obtain sensitive information via electronic communication, by posing as a trustworthy party.
What is mass phishing?
  • These attacks are widespread, non-personalized and try to catch any unsuspecting person.
What is Spear Phishing?
  • It uses personalised info to target particular users.

offsite social engineering - phishing (1/2)

How to prevent phishing?
  • Train your employees.
  • Create a hotline for phishing emails in your organisation, so that suspicious domains can be blocked quickly
  • Implement anti-phishing solutions in the environment.
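As an added example (not part of the original slides), here is a heuristic checker of the kind a phishing hotline or mail gateway could run on reported messages. It flags the mismatches that awareness training tells users to look for: a display name that claims a different address than the real sender, a Reply-To outside the sender's domain, link text that shows one host while the href points to another, and urgency language in the subject. Both messages and the domain example.com are constructed assumptions.

```python
"""Heuristic phishing-mail triage for a reporting hotline.  Added example, not
code from the original slides; both messages below are constructed samples and
example.com is an assumed organisation domain."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "expires today", "verify now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: credential-harvesting mail impersonating the IT helpdesk.
PHISH = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e-support.net>
Reply-To: collect@mailer-xyz.info
To: alice@example.com
Subject: URGENT: your mailbox will be suspended in 24 hours
Content-Type: text/html

<p>Your password expires today. <a href="http://login.examp1e-support.net/owa">
https://mail.example.com/owa</a> to keep access.</p>
"""

# Constructed sample: a legitimate internal notice.
LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Planned maintenance on Saturday
Content-Type: text/html

<p>Details are on <a href="https://intranet.example.com/maintenance">the intranet</a>.</p>
"""


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings: list[str] = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain_of(from_addr)

    # 1. Display name contains an address whose domain differs from the real sender.
    for claimed in ADDR_RE.findall(display):
        if _domain_of(claimed) != from_dom:
            findings.append(f"display name claims {claimed} but sender is {from_addr}")

    # 2. Reply-To quietly redirects answers to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} is outside sender domain {from_dom}")

    # 3. Anchor text that looks like a URL but whose href goes to a different host.
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        shown = text.strip()
        if shown.lower().startswith(("http://", "https://")):
            if _host_of(shown) != _host_of(href):
                findings.append(f"link text shows {_host_of(shown)} but points to {_host_of(href)}")

    # 4. Pressure language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency cues in subject: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, "->", phishing_indicators(sample) or "no indicators")
```

These are heuristics, not proof: a careful attacker avoids every one of them, so a checker like this complements sender authentication (SPF, DKIM, DMARC) and user training rather than replacing them.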

offsite social engineering - phishing (2/2)

https://chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle?hl=en https://www.youtube.com/watch?v=oVvTmcwxvmc&t=1s

Mimicking a website is easy if you can start from the real one. SingleFile is a Chrome extension that saves a complete page (with CSS, images, fonts, frames, etc.) as a single HTML file, which is exactly what an attacker needs as the basis for a convincing clone.

SingleFile

https://github.com/trustedsec/social-engineer-toolkit

The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.

SET - The Social-Engineer Toolkit

https://www.spoofcard.com/

To be successful with vishing (voice phishing), you have to come across as an insider. One of the best ways to do that is to spoof the number you are calling from.

SpoofCard

http://www.unshredder.com/

If you pick up shredded documents during a dumpster dive, you can use this software to help piece them back together. This is a time-consuming process, but it can be very fruitful if important documents were only strip-shredded; cross-cut shredding makes reconstruction far harder.

Unshredder

In social engineering, new techniques are also being used to mislead people:
  • Photos generated by AI
  • Deepfake video
  • Voice cloning and simulation techniques

Evolution of social engineering (1 / 2)

DISCUSSION In social engineering, what do you think could happen in the future when these new techniques are used? Form groups of 4, discuss for 5 minutes, and tell the class what you think could happen.

Evolution of social engineering (2 / 2)

You can protect your organisation against potential cyber attacks through all kinds of technological measures. In addition, it is very important that you also protect the organisation against social engineering attacks. As an organisation you must be aware that the starting point of an attack is often the human factor. Repeatedly pointing this out to employees and making them aware of it through awareness campaigns is therefore an important part of any security strategy.

conclusion