Social engineering (security)
==Techniques and terms==
All social engineering techniques are based on exploitable weaknesses in human [[decision-making]] known as [[List of cognitive biases|cognitive biases]].<ref>Jaco, K: "CSEPS Course Workbook" (2004), unit 3, Jaco Security Publishing.</ref><ref>{{Cite journal|last=Kirdemir|first=Baris|date=2019|title=HOSTILE INFLUENCE AND EMERGING COGNITIVE THREATS IN CYBERSPACE|journal=Centre for Economics and Foreign Policy Studies|url=https://www.jstor.org/stable/resrep21052}}</ref>

One example of social engineering is an individual who walks into a building and posts an official-looking announcement on the company bulletin board saying that the number for the help desk has changed. When employees call the new number for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information. Another example is a hacker who contacts the target on a [[social networking site]] and starts a conversation. Gradually the hacker gains the trust of the target and then uses that trust to obtain sensitive information such as passwords or bank account details.<ref>{{Cite journal|last=Hatfield|first=Joseph M|date=June 2019|title=Virtuous human hacking: The ethics of social engineering in penetration-testing|journal=Computers & Security|volume=83|pages=354–366|doi=10.1016/j.cose.2019.02.012|s2cid=86565713}}</ref>

===Pretexting===
{{Main|Pretexting}}
'''Pretexting''' (adj. '''pretextual'''), also known in the UK as '''blagging''',<ref name="b163">{{cite web | title=Fundamentals of cyber security | website=BBC Bitesize | date=19 March 2019 | url=https://www.bbc.co.uk/bitesize/guides/znnny4j/revision/4 | access-date=7 July 2024|archive-url=https://web.archive.org/web/20240707042547/https://www.bbc.co.uk/bitesize/guides/znnny4j/revision/4|archive-date=7 July 2024|url-status=live}}</ref> is the act of creating and using an invented scenario (the [[pretext]]) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.<ref>The story of the HP pretexting scandal, with discussion, is available at {{cite web|url=https://www.scribd.com/doc/62262162/HP-Pretexting-Scandal|title=HP Pretexting Scandal by Faraz Davani|date=14 August 2011|via=Scribd|access-date=15 August 2011|first1=Faraz|last1=Davani}}</ref> An elaborate [[lie]], it most often involves some prior research or setup and the use of this information for impersonation (''e.g.'', date of birth, [[Social Security number]], last bill amount) to establish legitimacy in the mind of the target.<ref>"[http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre10.shtm Pretexting: Your Personal Information Revealed]", [[Federal Trade Commission]]</ref>

===Water holing===
{{Main|Watering hole attack}}
Water holing is a targeted social engineering strategy that capitalizes on the trust users have in [[Website|websites]] they regularly visit. The victim feels safe doing things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website they often visit. So the attacker prepares a trap for the unwary prey at a favored watering hole.

This strategy has been successfully used to gain access to some (supposedly) very secure systems.<ref name="Forbes.com watering hole attack">{{cite web|url=https://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/|title=Chinese Espionage Campaign Compromises Forbes.com to Target US Defense, Financial Services Companies in Watering Hole Style Attack|date=10 February 2015|publisher=invincea.com|access-date=23 February 2017}}</ref>

===Baiting===
Baiting is like the real-world [[Trojan horse]]: it uses physical media and relies on the curiosity or greed of the victim.<ref name="Social Engineering, the USB Way">{{cite web|url=http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1|title=Social Engineering, the USB Way|date=7 June 2006|publisher=Light Reading Inc|archive-url=https://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1|archive-date=13 July 2006|url-status=dead|access-date=23 April 2014}}</ref> In this [[attack (computing)|attack]], attackers leave [[malware]]-infected [[floppy disk]]s, [[CD-ROM]]s, or [[USB flash drive]]s in locations where people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate-looking and curiosity-piquing labels, and wait for victims. Unless computer controls block the infection, inserting the media compromises PCs that "auto-run" it. Hostile devices can also be used.<ref>{{cite web |url=http://md.hudora.de/presentations/firewire/PacSec2004.pdf |title=Archived copy |access-date=2 March 2012 |url-status=dead |archive-url=https://web.archive.org/web/20071011191205/http://md.hudora.de/presentations/firewire/PacSec2004.pdf |archive-date=11 October 2007}}</ref> For instance, a "lucky winner" is sent a free [[digital audio player]] that compromises any computer it is plugged into.

A "'''road apple'''" (the colloquial term for horse [[manure]], suggesting the device's undesirable nature) is any [[removable media]] with malicious software left in opportunistic or conspicuous places. It may be a CD, DVD, or [[USB flash drive]], among other media. Curious people take it and plug it into a computer, infecting the host and any attached networks. Again, hackers may give them enticing labels, such as "Employee Salaries" or "Confidential".<ref>{{Cite book|title=Principles of Computer Security, Fourth Edition (Official Comptia Guide)|last1=Conklin|first1=Wm. Arthur|last2=White|first2=Greg|last3=Cothren|first3=Chuck|last4=Davis|first4=Roger|last5=Williams|first5=Dwayne|publisher=McGraw-Hill Education|year=2015|isbn=978-0071835978|location=New York|pages=193–194}}</ref>

One study published in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files that linked to webpages owned by the researchers. The researchers could see how many of the drives had files opened, but not how many were inserted into a computer without a file being opened. Of the 297 drives dropped, 290 (98%) were picked up and 135 (45%) "called home".<ref>{{Cite web|url=https://www.infosecurity-magazine.com/blogs/bhusa-dropped-usb-experiement/|title=#BHUSA Dropped USB Experiment Detailed|last=Raywood|first=Dan|date=4 August 2016|website=info security|access-date=28 July 2017}}</ref>

=== Quid Pro Quo ===
An attacker offers to provide sensitive information (e.g. login credentials) or pay some amount of money in exchange for a favor. The attacker may pose as an expert offering free IT help, for which they claim to need the user's login credentials.<ref name=":3">{{Cite web |title=Social Engineering - Information Security Office - Computing Services - Carnegie Mellon University |url=https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html |access-date=2025-04-12 |website=www.cmu.edu |publisher=Carnegie Mellon University |language=en}}</ref>

=== Scareware ===
The victim is bombarded with multiple messages about fake threats and alerts, making them think that the system is infected with malware. Attackers use this to pressure the victim into installing remote login software or other malicious software, or to extort a ransom directly, for example by demanding a certain amount of money in [[cryptocurrency]] in exchange for not releasing confidential videos that the criminal claims to have.<ref name=":3" />

=== Tailgating (piggybacking) ===
An attacker pretends to be a company employee or other person with access rights in order to enter an office or other restricted area. Deception and social engineering tools are actively used. For example, the intruder pretends to be a courier or loader carrying something in his hands and asks an employee who is walking out to hold the door, gaining access to the building.<ref name=":3" />
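The Baiting section above notes that dropped media only compromises a PC when "computer controls" fail to block auto-running. The following PowerShell script is an added example, not part of the Wikipedia article, showing how an administrator audits and enforces the Windows AutoRun policy that is the usual control. The registry path and the documented `NoDriveTypeAutoRun` and `NoAutorun` values are real Windows policy settings; the function names are this example's own.

```powershell
# Added example (not from the article): audit and enforce the Windows AutoRun policy
# so that inserting removable media (USB, CD/DVD) cannot launch a program by itself.
# Registry path and value names are the documented Windows policy; function names are ours.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun bitmask, or $null if the policy is not set.
    $item = Get-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    # 0xFF disables AutoRun for every drive type; bit 0x04 alone covers removable drives
    # and 0x20 covers CD-ROM, but a full mask leaves no gap for unusual device classes.
    $value = Get-AutoRunPolicy
    return ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
}

function Set-AutoRunDisabled {
    # Creates the policy key if needed and sets the mask to 0xFF (all drive types).
    # Requires an elevated (administrator) PowerShell session.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    # NoAutorun = 1 additionally stops legacy autorun.inf commands from being offered at all.
    New-ItemProperty -Path $PolicyPath -Name 'NoAutorun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit first; only change the policy if it is missing or incomplete.
if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun is already disabled for all drive types.'
} else {
    Write-Output 'AutoRun is not fully disabled; applying the policy.'
    Set-AutoRunDisabled
    Write-Output ("NoDriveTypeAutoRun is now 0x{0:X2}" -f (Get-AutoRunPolicy))
}
```

In a managed fleet the same two values are normally pushed through Group Policy ("Turn off Autoplay" under Computer Configuration) rather than set per machine; the script is useful as a compliance check on hosts that may have drifted from that policy, which is the kind of control the article's "unless computer controls block infections" clause refers to.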