The Human Hack: Social Engineering in Cybersecurity

Assessment

Presentation

Computers

University

Practice Problem

Easy

Created by

Nichole Niebur


22 Slides • 12 Questions

1

The Human Hack:
Social Engineering in Cybersecurity

By Nichole Niebur

Why people are the weakest (and strongest) link

2

Who would you trust?

Which of these people could be a hacker in disguise?


3

Social Engineering

Manipulating people into giving up confidential information.

4

"Amateurs hack systems. Professionals hack people."

~ Bruce Schneier

5

Why Do Hackers Use It?

  • Cheaper and faster than hacking code

  • Exploits human trust and curiosity

6

They Work :(

According to Verizon’s 2023 Data Breach Report, 74% of breaches involved a human element.

Further emphasizing the susceptibility of individuals to cyber threats, the 2023 Gone Phishing Tournament, which tested over 1.3 million users, found that one in 10 employees falls for phishing scams.

7

Phishing

Phishing emails make up a vast percentage of cyberattacks. About 3.4 phishing emails are sent every day, making it one of the most-used attack mechanisms. In phishing, the attacker uses a false scenario or an impersonated identity to extract sensitive information or money from their target. The attackers may target a specific individual or use the person as an entry point into an entire organization. The goal of these attacks is to extract login details, transaction information, credit card numbers, and other sensitive information.

8

Poll

Question image

Is this a valid email or a Phishing attack?

Valid

Phishing

I don't know

9

Quick phishing checklist: is this email a scam?

Sender clues

Is it from a public domain (e.g. @gmail.com) but pretending to be from a company?

Is the domain slightly misspelled (e.g. amaz0n.com)?

Does it differ from how that organisation normally emails you?

Content and tone

Are there spelling or grammatical errors?

Does it urge immediate action (e.g. “Act now”, “Your account will be closed”)?

Is the tone inconsistent with the sender’s usual communication style?

Links and attachments

Does the link URL differ from the anchor text?

Is there an unexpected attachment?

Are the call-to-action buttons vague (e.g. “Click here”, “Log in now”)?

Security pressure

Does it ask for personal information or passwords?

Are you asked to bypass company protocols?

Does it threaten negative consequences if you don’t comply?

If you can answer ‘yes’ to any of these questions, do not click and always verify through a known, trusted contact method.
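As an added example that is not part of the presentation, the checklist above can be turned into a small Python triage script: it checks the sender domain (public webmail under a corporate display name, or a one-character misspelling of a known brand), compares each link's anchor text with where the href actually points, and looks for urgency phrases and password requests. The brand list, public-domain list, urgency phrases and the sample message are all constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Reference lists constructed for this example; a real filter would carry its own.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
TRUSTED_BRANDS = {"amazon.com", "paypal.com"}
URGENCY = ("act now", "immediately", "account will be closed", "within 24 hours")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified, not a full HTML parser

def lookalike(domain):
    """True if domain differs from a trusted brand by exactly one character, e.g. amaz0n.com."""
    return any(len(domain) == len(b) and sum(x != y for x, y in zip(domain, b)) == 1
               for b in TRUSTED_BRANDS)

def host(url):  # hostname of a URL, tolerating anchor text written without a scheme (www.example.com)
    return urlparse(url if "://" in url else "http://" + url).hostname

def phishing_indicators(raw_email):
    """Apply the checklist to one RFC 822 message and return the reasons it was flagged."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    reasons = []
    # Sender clues: public webmail domain under a corporate display name, or a misspelled brand.
    if domain in PUBLIC_DOMAINS and any(b.split(".")[0] in name.lower() for b in TRUSTED_BRANDS):
        reasons.append(f"public domain {domain} but display name claims '{name}'")
    if lookalike(domain):
        reasons.append(f"sender domain {domain} is one character away from a trusted brand")
    # Links: anchor text that shows one host while the href points somewhere else.
    for href, text in ANCHOR.findall(body):
        text = text.strip()
        if text.startswith(("http://", "https://", "www.")) and host(text) != host(href):
            reasons.append(f"link text shows {host(text)} but points to {host(href)}")
    # Content and pressure: urgency phrases and requests for credentials.
    reasons += [f"urgency phrase '{p}'" for p in URGENCY if p in plain]
    if "password" in plain:
        reasons.append("asks for a password")
    return reasons
# Constructed sample message that trips several checklist items at once.
SAMPLE = """\
From: "Amazon Support" <billing@amaz0n.com>
Content-Type: text/html

<p>Your account will be closed unless you act now and confirm your password.</p>
<p><a href="http://verify-account.example/login">https://www.amazon.com/account</a></p>
"""
```

Running `phishing_indicators(SAMPLE)` returns five reasons (lookalike domain, mismatched link host, two urgency phrases, password request); an ordinary internal notice with none of these traits returns an empty list.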

10


Target Breach (2013): Attackers phished an HVAC vendor.

The Twitter Hack (2020): Teens used social engineering to access VIP accounts.

11

Multiple Types of Phishing

  • Spear phishing: In spear phishing attacks, rather than sending bulk emails to multiple recipients, the threat actor selects someone specific and targets them. Because these attacks involve more effort, they mostly target someone higher up in the organization.

  • Whaling: Whaling, also known as CEO fraud, refers to a type of phishing in which attackers go after the “big fish”. Threat actors impersonate these high-profile employees' identities or take over their accounts and communicate with other employees in their company.

  • Vishing: Vishing refers to voice-based phishing attacks. These attacks most commonly occur through phone calls by impersonating the identities of bank officials, government authorities, or, in the case of an organization, someone from the finance or HR team.

  • Smishing: Attackers reach their targets through SMS messages. SMS usually isn’t regulated or scanned for spam by most carriers. This provides an enticing entry point for threat actors. They create attacks that lure recipients into taking action. Some might create scenarios such as job offers, gift offers, free vacations, etc. to make their targets take action.

12

Pretexting

Pretexting is a social engineering technique where an attacker creates a false narrative or scenario—a "pretext"—to trick someone into divulging sensitive information, granting access, or taking a desired action. Attackers often impersonate a trusted authority, such as an IT technician or a manager, and use psychological tactics, research, and even AI-generated deepfakes to build rapport and justify their urgent or suspicious requests.

13

Pretexting... IRL

Stupid system won't let me embed :(

14

Baiting

Baiting is a variant of social engineering where the perpetrator lures the victim with attractive offers or rewards.

A typical example is an online ad offering free software leading to the victim introducing malware or a financial offering enticing them to complete an “urgent” task. Like many cyber threats, baiting relies heavily on urgency and scarcity. The promised product is almost sold out, or the requested task must be executed immediately to claim the reward.

15

Tailgating

Tailgating is when someone tries to enter a space that is off-limits to them. The most common kind of tailgating attack involves sneaking into a prohibited place behind a person who is authorized to enter. This is often accomplished by closely following them as they enter a building.

16

Quid Pro Quo Attack

A quid pro quo attack is a deceptive tactic employed by cybercriminals to trick individuals into providing sensitive information, granting system access, or taking specific actions under the false pretense of receiving something beneficial in return.

According to the FBI’s Internet Crime Report 2023, tech support scams – one of the most common types of quid pro quo scams – grew in number for the third year in a row. Even more concerning, it was the third costliest cybercrime in 2023, resulting in over $900 million in losses.


18

Spoofing

A fraudulent technique where an attacker disguises their identity by falsifying data to appear as a trusted source, such as a legitimate company or known individual, to trick victims into providing sensitive information, installing malware, or taking other actions beneficial to the attacker.

19

Honeypot

A honeypot in cybersecurity is a decoy system, server, or data designed to lure attackers away from real assets, tricking them into engaging with a fake, vulnerable environment to learn their methods, tools, and motives, thereby strengthening the organization's overall security posture and providing early warnings of threats.

20

Watering Hole

Watering hole attacks are those in which cybercriminals infect a website that people often visit with malicious code. In these attacks, criminals bank on the possibility that their targets may make a typo while entering a web address. Therefore, they buy lookalike domains of legitimate brands and phish for the information people enter or input malicious executable files in place of legitimate file downloads. While these attacks often focus on lookalike domain names, threat actors even manage to take control of the original domain, exponentially increasing the damage.

21

Deepfakes

While social engineering attacks have been widely successful, the prevalence of AI has made it easy to create convincing scenarios that can imitate other people. Using deepfakes, threat actors manipulate the voice or even take over the image of a prominent individual and send messages to their targets. These attacks are an increasingly dangerous threat because of the deep research and proficiency the attackers use to create them.

23

Is this all...

Probably not. These are 10 of the most common, but because the humans in an organization are often the weakest link, they are also the most targeted, and scammers are always looking for new ways to attack this weakness.

24

Multiple Choice

Which of the following best describes whaling?

A) An attack that uses text messages to lure targets
B) An attack that targets high-level executives like CEOs or CFOs
C) An attack that tricks employees into installing fake antivirus software
D) An attack that relies on physical access, like sneaking into a restricted area

25

Multiple Choice

Vishing attacks typically occur through email.

True
False

26

Multiple Choice

Deepfakes can be used to impersonate a CEO’s voice in a phone call.

True
False

27

Multiple Choice

Tailgating requires tricking someone into physically letting you into a secure area.

True
False

28

Multiple Choice

Scareware usually offers free prizes or software as a trap.

True
False

29

Multiple Choice

Adding bait to your system to lure hackers into a trap is known as what?

Honeytrap
Honeypot
Honeybucket
Honey Nut Cheerios

30

Fill in the Blank

An example of this could be a text message offering a gift card if you click the link.

31

Fill in the Blank

An example of this could be if tech support fixed your issue in exchange for a password.

32

Fill in the Blank

When a trusted website gets compromised it can become a what?

33

Open Ended

“Which type of social engineering attack do you think you’d be most likely to fall for?”

34

Word Cloud

What can you do to avoid social engineering attacks?
