🧠 Social Engineering Lab

Understand how attackers exploit human psychology — and how to defend against it

CHAPTER 01

Phishing Attacks

High Risk
  • Spear Phishing — Targeted attacks crafted for a specific individual or organisation, using personal details (name, role, colleagues) harvested from LinkedIn or social media to appear legitimate.
  • Whaling — Spear phishing aimed at C-suite executives (CEO, CFO). Attackers impersonate board members, legal teams, or tax authorities to authorise wire transfers.
  • Smishing & Vishing — SMS-based and voice-call-based phishing. Smishing sends malicious links via text; vishing uses phone calls to extract credentials, OTPs, or payment details.
  • Clone Phishing — A legitimate, previously delivered email is duplicated with a malicious link or attachment and re-sent, exploiting the recipient's familiarity with the original.
  • Adversary-in-the-Middle (AiTM) — A real-time phishing proxy that relays traffic between the victim and the real site and captures the authenticated session, bypassing TOTP-based 2FA.
⚠️ Red Flags: Urgency or fear language ("Your account will be suspended"), misspelled domains (paypa1.com), unexpected attachments (.exe, .iso), requests to bypass normal approval channels.
✅ Defence: DMARC/DKIM/SPF enforcement, anti-phishing browser extensions, security awareness training, hardware security keys (FIDO2), which are not phishable.
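The red flags and the DMARC/DKIM/SPF defence above can be turned into a small receiving-side triage check. The following is an added example written for this page, not code from the original, and it assumes a constructed list of protected brand domains and two constructed sample messages. It flags lookalike sender domains (digit and letter substitutions such as paypa1.com, one-character edits, and a brand name used as a subdomain of an unrelated registrable domain), parses the Authentication-Results header for SPF/DKIM/DMARC verdicts, and looks for urgency language in the body.

```python
"""Triage mail headers and body for the phishing red flags listed above.

Added example for this page; PROTECTED_DOMAINS and the two sample messages
are constructed, and the registrable-domain logic uses "last two labels",
which is good enough here (production code would consult the Public Suffix List).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of brands we want to protect against lookalike domains.
PROTECTED_DOMAINS = {"paypal.com", "example-bank.com", "microsoft.com"}

# Verdict tokens as they appear in an Authentication-Results header (RFC 8601).
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I
)
URGENCY_RE = re.compile(r"suspend|urgent|immediately|within 24 hours|verify your account", re.I)


def normalise(label: str) -> str:
    """Fold common substitutions so paypa1 -> paypal and rnicrosoft -> microsoft."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("10357", "loest"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the protected domain this sender domain imitates, or None."""
    domain = domain.lower()
    registrable = ".".join(domain.split(".")[-2:])
    if registrable in PROTECTED_DOMAINS:
        return None  # the brand itself, or a genuine subdomain of it
    reg_label = registrable.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if normalise(reg_label) == brand_label:
            return brand  # digit/letter substitution, e.g. paypa1.com
        if edit_distance(reg_label, brand_label) == 1:
            return brand  # single-character typosquat
        if domain.startswith(brand + ".") or ("." + brand + ".") in domain:
            return brand  # brand as a subdomain, e.g. paypal.com.secure-login.net
    return None


def auth_verdicts(auth_results: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(auth_results or "")}


def triage(raw_message: str) -> list:
    """Return a list of human-readable red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    brand = lookalike_of(domain)
    if brand:
        flags.append(f"sender domain {domain} looks like {brand}")
    verdicts = auth_verdicts(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            flags.append(f"{mech}={verdicts.get(mech, 'missing')}")
    if URGENCY_RE.search(msg.get_payload() or ""):
        flags.append("urgency language in body")
    return flags


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: PayPal Support <service@paypa1.com>
To: user@example.org
Subject: Action required
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypa1.com; dkim=none; dmarc=fail header.from=paypa1.com

Your account will be suspended unless you verify within 24 hours.
"""

SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: user@example.org
Subject: Your receipt
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Thanks for your purchase.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

On a real mail gateway, the Authentication-Results header is what the receiver's own filter wrote after evaluating SPF, DKIM and DMARC, so this check is only as trustworthy as that filter; the lookalike check, by contrast, catches the paypa1.com-style domains that pass authentication simply because the attacker owns them.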

Real-World Example

In 2023, MGM Resorts was breached after attackers called the IT help desk, impersonated an employee (details found on LinkedIn), and convinced staff to reset MFA — causing $100M+ in disruption.

CHAPTER 02

Pretexting & Impersonation

Medium–High
  • What is Pretexting? — Creating a fabricated scenario (pretext) to manipulate a target into divulging information. Unlike phishing, pretexting often involves multi-step relationship-building over days or weeks.
  • Authority Impersonation — Posing as IT support, bank auditors, government officials, or law enforcement to pressure compliance. People are conditioned to obey authority figures.
  • Vendor / Supplier Fraud — Attackers impersonate a known supplier, claiming a bank account change, then redirect invoice payments. Often called Business Email Compromise (BEC).
  • Romance Scams / Pig Butchering — Long-term identity fabrication to build emotional trust before extracting money or credentials. Pig butchering adds a fake investment component.
🟠 Psychological Levers Used:
Authority, Urgency, Reciprocity, Liking & Trust, Scarcity, Social Proof, Fear

FAQ

How do I verify someone's identity over the phone?
Never rely on caller ID — it can be spoofed. Hang up and call back using an official number from your company's internal directory or the organisation's public website. For sensitive requests, always require written authorisation via a second channel.
What is a "dual authorisation" control?
Dual authorisation (also called the "four-eyes principle") requires two separate people to approve high-value or sensitive actions — like wire transfers or admin-account resets. This makes impersonation attacks far less effective, since the attacker must compromise two people simultaneously.
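The dual-authorisation control described in the FAQ above, as an added example that is not part of the original page. It assumes a constructed set of user names and actions and models the two failure modes the control must refuse: the requester approving their own request, and one approver counting twice. Every decision is appended to an audit trail so the help-desk or finance team can see who approved what.

```python
"""Minimal four-eyes (dual authorisation) control for sensitive actions.

Added example for this page. The actions and user names are constructed;
in a real deployment the approver identity would come from an authenticated
session, never from the phone call or email that made the request.
"""
from dataclasses import dataclass, field


class ApprovalError(Exception):
    """Raised when an approval or execution violates the four-eyes rule."""


@dataclass
class SensitiveRequest:
    action: str                      # e.g. "wire_transfer", "mfa_reset"
    requester: str                   # the identity that asked for the action
    required_approvals: int = 2      # the "four eyes"
    approvers: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)
    executed: bool = False

    def _log(self, event: str) -> None:
        self.audit_log.append(f"{self.action}: {event}")

    def approve(self, approver: str) -> int:
        """Record one approval and return the running count.

        Refuses self-approval and repeat approval by the same person, so the
        count can only reach required_approvals with distinct identities.
        """
        if approver == self.requester:
            self._log(f"REJECTED self-approval by {approver}")
            raise ApprovalError("requester cannot approve their own request")
        if approver in self.approvers:
            self._log(f"REJECTED duplicate approval by {approver}")
            raise ApprovalError(f"{approver} already approved; a different person is required")
        self.approvers.add(approver)
        self._log(f"approved by {approver} ({len(self.approvers)}/{self.required_approvals})")
        return len(self.approvers)

    def is_authorised(self) -> bool:
        return len(self.approvers) >= self.required_approvals

    def execute(self) -> str:
        """Perform the action only once enough distinct approvals exist."""
        if not self.is_authorised():
            self._log("REJECTED execution: insufficient approvals")
            raise ApprovalError(
                f"{len(self.approvers)}/{self.required_approvals} approvals present"
            )
        self.executed = True
        self._log("executed")
        return f"{self.action} executed for {self.requester}, approved by {sorted(self.approvers)}"


def run_scenario() -> list:
    """Walk through a help-desk MFA reset and return the audit trail."""
    req = SensitiveRequest(action="mfa_reset", requester="alice")
    for approver in ("alice", "bob", "bob"):   # self-approval, first approval, duplicate
        try:
            req.approve(approver)
        except ApprovalError:
            pass
    try:
        req.execute()                           # only one distinct approver so far
    except ApprovalError:
        pass
    req.approve("carol")                        # second distinct approver
    req.execute()
    return req.audit_log


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

The attacker in the MGM-style help-desk call only controls the requester's story; with this control in place the reset still stalls until two other people, each verifying through their own channel, sign off.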

CHAPTER 03

Physical & Environmental Attacks

Physical Layer
  • Baiting — Leaving infected USB drives in car parks, lobbies, or conference rooms labelled "Payroll Q3" or "Confidential". Curiosity or greed lures the victim into plugging it in.
  • Tailgating / Piggybacking — Physically following an authorised person through a secured door. Often assisted by carrying heavy boxes to invoke courtesy, or wearing a high-vis vest to appear like maintenance staff.
  • Shoulder Surfing — Observing someone's screen or keyboard in public spaces (cafés, airports, trains) to capture passwords, PINs, or sensitive data.
  • Dumpster Diving — Searching discarded documents for account numbers, org charts, memos, or credentials. Shredding all documents before disposal significantly reduces this risk.
🛑 Never plug in unknown USB devices. Even if found in the company car park, it could be a rubber ducky (HID attack device) that injects keystrokes within milliseconds of insertion.
✅ Countermeasures: Disable USB auto-run via group policy, install physical mantrap portals for high-security areas, implement visitor management systems, conduct "drop test" drills to measure USB pickup rates.

CHAPTER 04

Digital OSINT & Social Media Exploitation

Recon Phase
  • Open Source Intelligence (OSINT) — Attackers use publicly available info (LinkedIn org charts, Twitter/X posts, GitHub commit emails, WHOIS records) to build detailed profiles for targeted attacks.
  • Security Question Harvesting — "Your first pet?", "Your mother's maiden name?" — answers to these are often shared publicly on social media. Avoid real answers; treat them like passwords.
  • Account Takeover via Social Engineering Carriers — Convincing a mobile carrier to port your number to a new SIM (SIM swapping), then resetting email/bank accounts via SMS OTP.
  • Fake LinkedIn Recruiters — Attackers create convincing recruiter profiles, offer jobs, then send malicious documents disguised as NDAs or interview assessments (especially targeting crypto/finance employees).
🟠 Your Digital Footprint Checklist:
  • Google your full name + city regularly
  • Review LinkedIn privacy settings — hide "connections"
  • Use a PIN lock on your mobile carrier account
  • Never reuse the same profile photo across platforms
  • Disable "people you may know" and location metadata on posts