What is Social Engineering?

"The weakest link in any security system is the human." Social engineering bypasses all technical security by simply asking for access—and being convincing enough to get it.

Core Principles Exploited

Authority

• Impersonating IT, executives, police
• People comply with authority figures
• "I'm calling from Microsoft support"

Urgency

• Create time pressure
• Prevent victim from thinking
• "This must be resolved immediately"

Reciprocity

• Do a favor, expect one in return
• "I helped you, now help me"
• Gift giving before request

Social Proof

• "Everyone else has provided this"
• "Your colleagues already approved"
• Following the crowd

Liking

• Build rapport
• Find common ground
• Attractive people get more compliance

Common Techniques

Pretexting

• Create false scenario
• "I'm from the bank fraud department"
• Detailed backstory for credibility

Baiting

• Offer something enticing
• Infected USB drives in parking lot
• "Free movie download"

Tailgating/Piggybacking

• Follow authorized person into building
• Hold door open for "coworker with hands full"
• Physical security bypass

Quid Pro Quo

• Exchange of services
• "Free tech support" that installs malware
• "Security audit" that extracts credentials

Vishing (Voice Phishing)

• Phone-based social engineering
• Impersonating technical support
• Extracting passwords over phone

Defense Strategies

Individual

• Verify identity independently
• Don't be afraid to say no
• Take time with unusual requests
• Trust your instincts

Organizational

• Security awareness training
• Verification procedures
• Clear escalation paths
• Culture of questioning

Real-World Example

Kevin Mitnick's techniques:

1. Research target company
2. Learn internal jargon and names
3. Call posing as IT
4. Reference real people/projects
5. Request password "for emergency fix"
6. Gain access without any hacking