Social Engineering Techniques
Last time I wrote about social engineering principles. Principles only become dangerous when they are put to work through techniques. This article introduces those techniques and explains what each method means.
Phishing
Phishing is a technique by which social engineers fraudulently obtain information such as usernames, passwords and credit card details. A real-world example is the abuse of the PostNord delivery service in Denmark: scammers pretend to represent PostNord and ask the victim to enter information on a fake website. I get many fake SMS messages and emails saying that my package has arrived but that I need to enter more information.
When the lure arrives by SMS, as in the example above, the technique is called smishing; when the scam is carried out over the telephone, it is called vishing.
Spear phishing targets specific individuals or groups, and whaling targets senior employees such as the CFO or CTO.
The most potent remedy against these types of techniques is awareness and education.
Credential Harvesting
Credential harvesting is the gathering of credentials, in this case usernames and passwords, en masse, typically as the result of a system compromise. The harvested data is then used to launch further attacks. The most potent remedy against this technique is MFA.
Website attacks
Phishing attacks can also target websites. Pharming redirects traffic intended for a legitimate site to a malicious copy of it; for this to work, however, the attacker has to compromise the DNS server or change the victim's DNS settings.
Typo-squatting relies on the fact that people tend to mistype URLs. For example, if you type www.amazonn.com, it redirects you to www.amazon.com: Amazon knows about this and proactively mitigates it by buying a bunch of domains related to its name.
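The phishing and typo-squatting sections above share one defensive check: does a link in an incoming message point at the brand it claims to, or at a lookalike domain one typo away? The following is an added example written for this article, not code from the original post or from PostNord or Amazon. It assumes a constructed allowlist of legitimate brand domains (the `.example` names are placeholders, not real domains), constructed sample messages modelled on the package-delivery lure described above, and a simplified "last two labels" notion of registered domain (no public-suffix list).

```python
"""Lookalike-domain check for links in incoming messages.

Added example, not from the original post. All brand domains and sample
messages below are constructed placeholders (hence the .example TLD).
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate brand domains (placeholders, not real).
LEGIT_DOMAINS = {"postnord.example", "amazon.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g.
    'track.postnord.example' -> 'postnord.example'.
    Simplification: no public-suffix handling (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and
    adjacent transpositions, i.e. the typo classes typo-squatters rely on."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_domain(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a registered domain.

    A domain is a lookalike when its name (or any hyphen-separated token of
    it, to catch 'brand-support.example') is within max_distance edits of a
    legitimate brand name, or equals it under a different TLD."""
    if domain in legit:
        return "legit"
    name = domain.split(".")[0]
    tokens = {name, *name.split("-")}
    for good in legit:
        good_name = good.split(".")[0]
        if any(damerau_levenshtein(tok, good_name) <= max_distance for tok in tokens):
            return "lookalike"
    return "unrelated"


def scan_message(text: str) -> list:
    """Extract every URL in a message and classify its registered domain.
    Returns a list of (registered_domain, verdict) tuples."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        dom = registered_domain(host)
        results.append((dom, classify_domain(dom)))
    return results


# Constructed sample messages modelled on the package-delivery smishing
# pattern described in the post; none of these URLs is real.
SAMPLE_MESSAGES = [
    "Your package is waiting. Confirm details at https://track.postnord.example/p/123",
    "PostNord: a fee is due before delivery: https://postn0rd-delivery.example/pay",
    "Order shipped. Track at https://www.amazonn.example/track",
    "Newsletter: https://news.somecompany.example/weekly",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for dom, verdict in scan_message(msg):
            print(f"{verdict:10} {dom}")
```

The distance threshold of two edits is a trade-off: it catches single-character swaps, doubled letters and digit-for-letter substitutions such as 0 for o, while short brand names or short hyphen tokens would need a tighter threshold to avoid false positives. A brand owner can run the same `classify_domain` logic over newly registered domains to decide which variants to buy or monitor, which is the proactive step the Amazon example describes.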
Spam
We all know what spam emails are: thousands of emails selling you Viagra pills. The letters are very persuasive and use social engineering tricks to make you click that link. Social engineers and other nefarious actors send you thousands of letters in the hope that you give in to temptation. Sometimes it works!
The techniques described above relate to the technical side of social engineering. There are also in-person techniques, but that’s for another time!