Lovotrico & Soe - Social Engineering Techniques

The document describes a lab exploring social engineering techniques. The objectives are to explore social engineering techniques and create a cybersecurity awareness poster. The document provides background on social engineering attacks, then describes various social engineering techniques including baiting, shoulder surfing, pretexting, phishing, spear phishing, whaling, scareware, ransomware, and tailgating. Instructions are given to explore baiting, shoulder surfing, pretexting, phishing, spear phishing and whaling through an interactive activity.


Lab - Explore Social Engineering Techniques

Participants: Min Han Soe & Luis Lovotrico


Objectives
Part 1: Explore Social Engineering Techniques
Part 2: Create a Cybersecurity Awareness Poster

Introduction
Cybersecurity is critical because it involves protecting against unauthorized access to sensitive data, personally
identifiable information (PII), protected health information (PHI), personal information, intellectual property (IP),
and sensitive systems. Social engineering is a broad range of malicious activities accomplished by
psychologically manipulating people into performing actions or divulging confidential information. In this lab, you
will explore social engineering techniques, sometimes called human hacking, a broad category covering
many different types of attacks.

Required Resources
- PC or mobile device with internet access

Background / Scenario
Recent research reveals that the most common types of cyberattacks are becoming more sophisticated, and the
number of attack targets is growing. The purpose of an attack is to steal information, disable systems or critical services,
or disrupt systems, activities, and operations. Some attacks are designed to destroy information or information
systems, maliciously control a computing environment or its infrastructure, or destroy the integrity of data and/or
information systems. One of the most effective ways an attacker can gain access to an organization’s network
is through simple deception. In the cybersecurity world this is called social engineering.
Social Engineering Attacks
Social engineering attacks are very effective because people want to trust other people, and social engineering
attacks are not the kind of attack that the average user guards against; users are concerned with botnets,
identity theft, or ransomware. Those are big external threats, so users do not think to question what seems to be
a legitimate-looking message.
Baiting
Baiting relies on the curiosity or greed of the victim. What distinguishes baiting from other types of social
engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free
music or movie downloads if the users surrender their login credentials to a certain site. Baiting attacks are not
restricted to online schemes. Attackers can exploit human curiosity with physical media like USB drives.
Shoulder Surfing
Shoulder surfing is literally looking over someone's shoulder to get information. Shoulder surfing is an effective
way to get information in crowded places because it is relatively easy to stand next to someone and watch as
they fill out a form or enter a PIN at an ATM. Shoulder surfing can also be done from a distance
with the aid of modern cell phones, binoculars, or other vision-enhancing devices. To prevent shoulder surfing,
experts recommend that you shield paperwork or your keypad from view by using your body or cupping your
hand. There are also privacy screen filters that make shoulder surfing much more difficult.

© 2021 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 4 www.netacad.com
Pretexting
Pretexting is using deception to create a scenario to convince victims to divulge information they should not
divulge. Pretexting is often used against organizations that retain client data, such as financial data, credit card
numbers, utilities account numbers, and other sensitive information. Pretexters often request information from
individuals in an organization by impersonating a supervisor, helpdesk clerk, or client, usually by phone, email,
or text.
Phishing, spear phishing, and whaling attacks
In phishing attacks, the attackers try to obtain personal information or data, such as usernames, passwords, and credit
card details, by disguising themselves as trustworthy entities. Phishing is mainly conducted through emails and
phone calls. Spear phishing is a more targeted version of phishing, in which an attacker chooses specific
individuals or enterprises and then customizes the phishing attack to those victims to make it less conspicuous.
Whaling is spear phishing whose specific target is a high-profile employee such as a CEO or CFO.
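The following script is an added defender-side illustration and is not part of the Cisco lab: it scans an HTML email body for the link tricks phishing relies on, namely display text that names one domain while the href points somewhere else, a trusted brand name embedded inside an unrelated host, and links to a raw IP address. The sample email body and the brand domain examplebank.com are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Last-two-labels heuristic; a production filter would use the Public Suffix List.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_links(html, trusted_domains):
    """Return (href, text, reason) for each link showing a classic phishing indicator."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if not target:
            continue  # named anchors / mailto without host: nothing to compare
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)  # domain written in link text
        reason = None
        if shown and registrable_domain(shown.group()) != registrable_domain(target):
            reason = "display text names a different domain than the href"
        elif any(d in target and registrable_domain(target) != d for d in trusted_domains):
            reason = "trusted brand name appears inside an unrelated host"
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            reason = "link points at a raw IP address"
        if reason:
            findings.append((href, text, reason))
    return findings


# Constructed sample: a fake "account locked" notice with one benign and two suspicious links.
SAMPLE_EMAIL = """<p>Dear customer, your account has been locked.</p>
<a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://198.51.100.7/update">Update your details</a>"""

if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL, ["examplebank.com"]):
        print(f"{reason}: '{text}' -> {href}")
```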
Scareware and ransomware
Ransomware attacks involve injecting malware that encrypts a victim’s critical data. The cyber criminals request
a ransom to be paid to decrypt the data. However, even if a ransom is paid, there is no guarantee the cyber
criminals will decrypt the information. Ransomware is one of the fastest growing types of cyberattack and has
affected thousands of financial organizations, government agencies, healthcare facilities, even schools and our
education systems.
Scareware takes advantage of a user’s fear by coaxing them into installing fake antivirus software.
Tailgating
Tailgating tricks the victim into helping the attacker gain unauthorized access into the organization’s physical
facilities. The attacker seeks entry into a restricted area where access is controlled by software-based electronic
devices or human guards. Tailgating can also involve the attacker following an employee closely to pass through
a locked door before the door locks behind the employee.
Dumpster diving
In the world of social engineering, dumpster diving is a technique used to retrieve discarded information thrown
in the trash to carry out an attack on a person or organization. Dumpster diving is not limited to searching
through the trash for obvious treasures like access codes or passwords written down on sticky notes; it can also
involve electronic information left on desktops or stored on USB drives.

Instructions
Part 1: Explore Social Engineering Techniques
Step 1: Explore Baiting, Shoulder Surfing, and Pretexting.
The National Support Center for Systems Security and Information Assurance (CSSIA) hosts a Social
Engineering Interactive activity. The current link to the site is https://www.cssia.org/social_engineering/.
However, if the link changes, try searching for "CSSIA Social Engineering Interactive".
Click Next in the interactive activity, and then use the content to answer the following questions.
Questions:

a. What is baiting? Did you click on the USB drive? What happened to the victim’s system?
Baiting is a type of social engineering where the user’s interest is piqued to trick him to do something
that will infect his system. In the example we found on the website, the user picks up a USB drive
which he inserts in his PC and therefore ends up infecting his computer with malware.

b. What is Shoulder Surfing? What device was used to perform the shoulder surfing? What information was
gained?

Shoulder surfing refers to the action of looking over someone’s shoulder as he is inserting sensitive
information such as username or password. In the example, we see a woman using her cellphone
camera to obtain the person’s login name and password.
c. What is Pretexting? What type of information did the cybercriminal request? Would you fall victim?
Pretexting is an action where a malicious actor impersonates a figure of authority to obtain sensible
information from someone else. In the example, the cybercriminal requested name, title, office and
employee badge number. I don’t think I would fall victim to a generic case of pretexting as my general
tendency is to not give information over the phone. However, the situation might be different for a very
targeted case where I’m expecting a phone call for a particular thing from an authority.

Step 2: Explore Phishing/Spear Phishing and Whaling


Phishing is designed to get victims to click on links to malicious websites, open attachments that contain
malware, or reveal sensitive information. Use the interactive activity to explore different phishing techniques.
Questions:

a. In this phishing example, what is the ploy the attacker uses to trick the victim to visit the trap website? What
is the trap website used to do?
In this phishing example, the attacker uses a fake email that imitates the look of a real email from the bank
to trick the victim into clicking on the link that directs the victim to the fake login page. The objective of the trap
website is to get the victim’s login credentials.
b. What is the difference between phishing and spear phishing or whaling?
The main difference is that phishing attacks are generally broad and not specifically tailored to the target
and their position in the company. Conversely, spear phishing or whaling targets specific high-profile
individuals, mainly C-level executives, and tailors the attack to the victim.

Step 3: Explore Scareware and Ransomware


Scareware is when victims are deceived into thinking that their system is infected with malware and receive
false alarms prompting them to install software that is not needed or is itself malware. Ransomware is a type of
malware that threatens to publish the victim's data or encrypts the victim’s data preventing access or the ability
to use the data. Victims are prevented from accessing their system or personal files until they make a ransom
payment to regain access.
Questions:

a. What data does the attacker claim to have in this example? Would you fall for this deception?
In this example, the attacker claims to have infected the victim’s computer with a virus and spyware and
that he stole the user’s Facebook Login, Credit Card Details and Email Account Login. I probably would not fall
for this deception if I were confident with the security and firewalls I have on my system.
b. What is the attacker requesting the victim do to get the data back?
The attacker is requesting the victim to make a ransom payment in order to give him the access to their
data back.
c. What is tailgating?
This is a situation which occurs when an attacker who doesn’t have authorization to enter a particular place
follows someone who does.
d. Give three ways to prevent social engineering attacks.
1) Being skeptical about things: not easily trusting the emails of unknown senders, always checking links
before clicking and sanitizing USB drives before plugging them into the PC.
2) Raising awareness about the vulnerabilities and the different techniques of social engineering attacks.
3) Testing out possible scenarios of attacks to see how well you perform against them and to which you
are more prone to succumbing.


Part 2: Create a Cybersecurity Awareness Poster


a. Use PowerPoint to create a poster that will make others aware of the different social engineering techniques
used to gain unauthorized access to an organization or the organization’s data.
Pick from: Baiting, Shoulder Surfing, Pretexting, Phishing, Scareware, Ransomware, Tailgating, or Dumpster
Diving.
b. The poster should depict the techniques used and how users can avoid one of these social engineering
attacks. Also include directions on where the poster should be placed within the organization.

The poster should be placed in public spaces such as the bulletin board or near the usual meeting spots
within the office. This way the people frequently see the poster and are reminded of it. Moreover, it might be a
good idea to shift the places where the posters are located, as well as their design, so the employees’ attention is raised
in time and the message is reinforced.
