Cyber Awareness Training

What is Social Engineering?

Social engineering is a **psychological manipulation** technique used by cybercriminals to trick individuals into revealing sensitive information, such as passwords, bank details, or security credentials.

Unlike traditional cyberattacks that rely on technical exploits, social engineering **targets human psychology**, exploiting trust, fear, or urgency to deceive victims.

🚨 Example: A hacker pretending to be an IT technician calls an employee and asks for their login credentials to "fix an issue." Believing the call is legitimate, the employee hands over the details, granting the attacker full access to the system.

Common Types of Social Engineering Attacks

Phishing Attacks

Phishing is a cyber attack where attackers impersonate **trusted organizations** (banks, IT teams, government agencies) to steal **login credentials, financial details, or personal data**.

📌 How Phishing Works

  1. 📝 The attacker **sends an email** disguised as a legitimate entity (e.g., PayPal, Microsoft).
  2. 🔗 The email contains **a fake link** leading to a fraudulent login page.
  3. 📩 The victim **enters their credentials**, unknowingly sending them to the attacker.
  4. 🚨 The attacker **gains access** to the victim's accounts and may use or sell the information.

⚠️ Real-World Example: Microsoft 365 Credential Theft (2020)

Cybercriminals used fake Microsoft 365 emails to trick employees into **resetting their passwords** on a **phishing website**. Thousands of accounts were compromised, leading to **corporate data breaches**.

πŸ›‘οΈ How to Identify & Prevent Phishing

  • βœ” **Check the sender email** – Look for misspelled domains (e.g., support@mΓ­crosoft.com instead of **microsoft.com**).
  • βœ” **Hover over links before clicking** – Verify if they match the legitimate website.
  • βœ” **Avoid urgent requests** – Phishing emails often pressure users into immediate action.
  • βœ” **Use Multi-Factor Authentication (MFA)** – Prevents account takeovers even if credentials are stolen.


Vishing (Voice Phishing)

Vishing (voice phishing) is a **fraudulent phone call** scam where attackers impersonate IT support, banks, or government agencies to extract **login credentials, financial details, or security codes**.

📌 How Vishing Works

  1. 📞 The attacker **calls the victim**, pretending to be an IT technician, police officer, or bank representative.
  2. ⚠️ They create a sense of urgency ("Your account has been compromised! Act now!").
  3. 🔑 The victim is tricked into providing **login credentials, PIN codes, or personal data**.
  4. 💳 The attacker **accesses bank accounts or systems** to steal money or sensitive data.

⚠️ Real-World Example: IRS Tax Scam (2019)

Fraudsters impersonating IRS agents **called U.S. taxpayers**, claiming they owed unpaid taxes and threatened arrest if immediate payment wasn't made. Many victims paid using **gift cards or wire transfers**, losing **millions of dollars**.

πŸ›‘οΈ How to Identify & Prevent Vishing

  • βœ” **Verify caller identities** – Hang up and call back using the official company number.
  • βœ” **Never share personal details over the phone** – Legitimate companies won’t ask for full credentials.
  • βœ” **Ignore calls that demand urgency** – Scammers use fear tactics to pressure victims.
  • βœ” **Register your phone number with "Do Not Call" lists** – Reduces scam calls.

Smishing (SMS Phishing)

Smishing is a **social engineering attack via SMS (text messages)**, tricking victims into **clicking malicious links, installing malware, or sharing credentials**.

📌 How Smishing Works

  1. 📲 The victim receives a text message **claiming to be from a bank, courier, or tech company**.
  2. 🔗 The message contains a link to a **fake website or malware download**.
  3. 🚨 The victim enters credentials, unknowingly giving them to an attacker.
  4. 📂 The attacker **uses the stolen data to access accounts or commit fraud**.

⚠️ Real-World Example: Delivery Scam (2021)

Attackers sent fake **"Your package has arrived"** messages pretending to be from DHL and FedEx. Victims entered personal details on a **phishing website**, leading to identity theft.

πŸ›‘οΈ How to Identify & Prevent Smishing

  • βœ” **Do not click on links from unknown numbers**.
  • βœ” **Verify messages by contacting the company directly**.
  • βœ” **Use spam filters** to detect suspicious texts.
  • βœ” **Be cautious of messages with urgent requests** (e.g., "Your account will be deactivated!").
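The checks listed for phishing emails (sender domain lookalikes, link text that does not match the real destination, urgency wording) and for smishing texts (a message naming a courier or bank whose link goes somewhere else) can be turned into a simple message triage script. The example below is added for this training page and is not part of the original material or any vendor product; the trusted-domain list, brand map, urgency phrases, confusable-character table and the three sample messages are all constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed data for this example: domains treated as trusted senders, and brand
# names a message may claim to come from, mapped to each brand's real domain.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "dhl.com", "fedex.com"}
BRAND_DOMAINS = {"microsoft": "microsoft.com", "paypal": "paypal.com",
                 "dhl": "dhl.com", "fedex": "fedex.com"}

# Pressure phrases typical of the "urgent request" pattern described above.
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours",
                   "will be deactivated", "has been compromised", "verify your account")

# Small constructed subset of visually confusable characters (Cyrillic letters and digits).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "і": "i", "0": "o", "1": "l"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host (assumption: no multi-label public suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Fold a domain to a plain-ASCII lookalike form: decode punycode, strip accents, map confusables."""
    if domain.isascii():
        try:
            domain = domain.encode("ascii").decode("idna")  # xn--... labels back to Unicode
        except UnicodeError:
            pass
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)


def lookalike_of(domain: str):
    """Trusted domain that this domain imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = skeleton(domain)
    return next((t for t in TRUSTED_DOMAINS if skeleton(t) == folded), None)


def sender_domain(from_header: str) -> str:
    """Domain of 'Name <user@host>'; empty for non-email senders such as phone numbers."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def link_indicators(text: str, href: str, claimed: str) -> list:
    """Flags for one link: display text naming a different site, or a target that does
    not belong to the brand the sender line or body claims to be from."""
    flags = []
    target = registrable_domain(urlparse(href).hostname or "")
    if re.match(r"https?://|www\.", text.strip(), re.I):
        shown_url = text if "://" in text else "http://" + text.strip()
        shown = registrable_domain(urlparse(shown_url).hostname or "")
        if shown and shown != target:
            flags.append(f"link text shows {shown} but points to {target}")
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in claimed and target != real_domain:
            flags.append(f"message mentions {brand} but link goes to {target}")
    return flags


def urgency_indicators(body: str) -> list:
    """Pressure phrases found in the message body."""
    lowered = body.lower()
    return [f"urgency cue: '{p}'" for p in URGENCY_PHRASES if p in lowered]


def analyze(message: dict) -> list:
    """All indicators for a message dict with keys 'from', 'body' and 'links' (list of (text, href))."""
    indicators = []
    domain = sender_domain(message["from"])
    imitated = lookalike_of(domain) if domain else None
    if imitated:
        indicators.append(f"sender domain {domain} looks like {imitated}")
    claimed = (message["from"] + " " + message["body"]).lower()
    for text, href in message.get("links", []):
        indicators.extend(link_indicators(text, href, claimed))
    indicators.extend(urgency_indicators(message["body"]))
    return indicators


# Constructed samples (not real messages): a lookalike-domain email, a delivery smish, a benign notice.
EMAIL_SAMPLE = {
    "from": "Microsoft Support <support@mícrosoft.com>",
    "body": "Your account has been compromised. Act now to verify your account.",
    "links": [("https://login.microsoft.com", "https://login.microsoft-security-check.example/reset")],
}
SMS_SAMPLE = {
    "from": "+1 555 0100",
    "body": "DHL: Your package has arrived. Confirm delivery within 24 hours: http://dhl-track.example/p",
    "links": [("http://dhl-track.example/p", "http://dhl-track.example/p")],
}
LEGIT_SAMPLE = {
    "from": "PayPal <billing@paypal.com>",
    "body": "Your PayPal statement for March is available.",
    "links": [("https://www.paypal.com/statements", "https://www.paypal.com/statements")],
}

if __name__ == "__main__":
    for name, msg in (("email", EMAIL_SAMPLE), ("sms", SMS_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(msg) or ["no indicators"])
```

The domain folding deliberately treats punycode, accented letters and a few Cyrillic or digit lookalikes the same way, so `mícrosoft.com`, its `xn--` form and `micr0soft.com` all resolve to the trusted domain they imitate; a real mail gateway would use a full confusables table and a public-suffix list instead of the two-label shortcut used here.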

Baiting

Baiting involves **offering victims something desirable (e.g., free software, USB devices, or giveaways)** to trick them into downloading malware or revealing personal data.

📌 How Baiting Works

  1. 📂 The attacker **leaves infected USB drives in public places** (offices, parking lots, airports).
  2. 💾 A victim **plugs the USB into their computer**, out of curiosity.
  3. 🐍 The malware **installs automatically**, giving attackers control over the system.

⚠️ Real-World Example: Stuxnet USB Attack

The infamous **Stuxnet malware (2010)** was **spread via infected USB drives**, compromising Iran’s nuclear facilities.

πŸ›‘οΈ How to Identify & Prevent Baiting

  • βœ” **Never plug unknown USBs into your device**.
  • βœ” **Use endpoint security tools** to block unauthorized external devices.
  • βœ” **Train employees to recognize baiting tactics**.

Real-World Social Engineering Attacks

How to Protect Yourself from Social Engineering

Social Engineering Lifecycle

This diagram illustrates the different stages of a social engineering attack, from the initial approach to exploitation and execution.

Social Engineering Lifecycle Diagram

Understanding these stages can help recognize and prevent attacks before they succeed.