Hacking For Dummies
Book image
Explore Book Buy On Amazon
Social engineering from a security standpoint refers to the deliberate use of deception to try to trick a user into compromising system security through social contact such as an email message, a text message, or a phone call. Social engineering attacks are a common way to test the effectiveness of a company’s security education program. If the engagement rules and scope of the penetration test support social engineering attacks, you should plan for them in the penetration test.

There are different types of social engineering attacks such as phishing, shoulder surfing, and USB key drop, among others. Take a look at the different types of social engineering.


Phishing is a type of social engineering attack that occurs when the hacker sends an email message to a user with the hope that the user will click on hyperlinks within the message. These hyperlinks link to malicious websites that collect information from the user. For example, a hacker may send an email message that appears to be from the user’s banking institution, and links within the message take the user to a site that looks like the bank’s site. Because the site looks familiar to the user, the user may then feel comfortable supplying his or her account information, not knowing it is a fake bank site. All the time this is going on, the hacker is collecting the information that is typed into the fake site.

phishing © MicroOne / Shutterstock.com

With a regular phishing attack, the hacker sends the email message to a pool of email addresses the hacker was able to discover without really any thought to who the email goes to. When you do a penetration test, you can do the same: collect a bunch of email addresses for the target organization and then email all of the addresses to see if someone goes to the fake site.

Phishing attacks occur in the following different forms:

  • Spear phishing: Refers to a phishing attack that targets a specific person
  • SMS phishing: Phishing attacks conducted through text messaging instead of email
  • Voice phishing: Phishing attacks that use voice over the phone instead of email
  • Whaling: Refers to a phishing attack that targets the “big fish” of a company, such as the CEO

For the PenTest+ certification exam, remember the different forms of phishing attacks. Also remember that the rules of engagement should identify whether social engineering attacks are allowed in the penetration test.

Shoulder surfing

Shoulder surfing is a traditional type of attack in which the hacker watches over the shoulder of the user to see what the user is typing on the computer or mobile device to obtain information.

USB key drop

Another type of social engineering attack common with penetration testing is a USB key drop. With a USB key drop, the pentester will leave USB flash drives all over the organization in hopes that an employee picks it up and plugs it into a computer to see what is on the drive. As a penetration tester, you will configure a script or application to automatically run when the drive is connected that will send an email message to you that includes information such as the IP address of the system the drive is connected to.

With USB key drop, you are able to find out the security awareness level of the organization. If you set out ten USB drives and you get eight email messages, it is obvious that the employees do not understand that they should not connect untrusted devices to their computers.

Another benefit of using a USB key drop with your penetration test is that you can use it to collect information such as IP addresses of hosts on the network. You can then use these IP addresses as IP addresses of potential targets.

Other forms of social engineering

In addition to the types of social engineering attacks discussed in the previous sections, social engineering attacks may also take the form of impersonation and interrogation. For example, a hacker (or pentester) could impersonate an administrator to try to trick the user into compromising security (for example, maybe the hacker convinces the user to change his or her password).

If social engineering attacks are in the scope of the assessment, you could try calling or emailing employees and impersonating the administrator to trick the employee into compromising security. You could also impersonate a user who contacts the administrator and see if the administrator can be tricked into helping you access the system.

In addition, interrogation is another form of social engineering attack specifically called out in the objectives of the CompTIA PenTest+ certification exam. When interviewing or interrogating people, a number of physical reactions to questions can be used to identify topic areas that should lead to more questioning. For example, when people start to feel stress, they usually start to touch their face a lot — watch for these visual cues during interviews and interrogation.

The key point to remember about social engineering is that your goal is elicitation. You would like to elicit a response or reaction from employees that cause them to compromise security. You could also use a business email compromise (BEC) attack where you gain access to an employee’s corporate email account and use that to send messages to other employees in the company.

Motivation techniques in social engineering attacks

What are some of the motivation techniques used in social engineering attacks that cause the attack to be successful? A common technique is to evoke a sense of urgency for the end user to click the link in an email message from the hacker. When social engineering attacks are sent out, the hacker usually stresses a sense of urgency to act now as a method to get the user to click the link or run the application without thinking about it too much.

Following is a list of motivational techniques often used by the hacker or penetration tester to get a user to compromise security:

  • Authority: The hacker or penetration tester pretends to be a person of authority requesting that the user perform an action. This action, such as clicking a link in an email message or changing a password, is enough to help the hacker gain access to the system.
  • Scarcity: The communication from the hacker or pentester typically implies a shortage in time or the chance of a prize in order to trick the person into acting now.
  • Social proof: The hacker or pentester relies on the concept that if users see others doing something, they feel it is the correct thing to do, so they do it too. For example, if everyone is downloading a certain program, a user may feel that it must be safe if everyone else is doing it.
  • Urgency: The hacker or pentester evokes a sense of the importance of a swift action in order to get users to act on the request.
  • Likeness: People respond well to people they like, and are, by nature, typically willing to help someone in need. If the attacker can appear to be in need and has a friendly demeanor, the victim may let his or her guard down and be more likely to respond to the social engineering attack.
  • Fear: The hacker or pentester uses fear to elicit a response from the user. For example, a hacker sends an email message telling the user that a security vulnerability was found in the system that gives someone full access to the system, and to remove this vulnerability, the user must install a “patch.” In reality the patch is the malicious software that allows the attacker into the system.

About This Article

This article can be found in the category: