Social Engineering:

Hacking the Human

What is Social Engineering?
Audience: General Reading Time: 20 Mins

We live in a digital age where the technolgy is continually improving. Whilst cyber
security is constantly evolving to combat cyber criminals, human psychology
remains realtively unchanged. Social engineering is threat we must always
consider. This article looks to inform you what it is, and how to stay ahead of it.

Key Points
• Social engineering is defined in the • Social engineering techniques rely
context of information security as heavily on the ability to manipulate
“The use of deception to manipulate information freely from humans. If
individuals into divulging confidential you were to ask ask any con-man,
or personal information that may be magician, or psychologist then they
used for fraudulent purposes.” will inevitably tell you that humans are
very easily manipulated.
• Social engineering (or human
hacking) is becoming a more • Due to the way we communicate
common threat in the world of cyber digitally, via email in the modern
security. Whilst the technology side world, Phishing has become the most
of security is constantly improving, common type of social engineering
cyber criminals are realising that the attack. Phishing itself comes in
easiest way through a firewall is to many forms and employs numerous
manipulate a person already behind it. methods which we should look out
for.
• Social engineering is one of the most
dangerous threats to go against • Social engineering is largely
companies and IT systems alike as preventable through good awareness,
many people are not aware of the regular training, and knowledge of
damage that can be done due to the techniques and methods used to
the information gained by a talented extract sensitive information.
social engineer.

The Cyber Foundry project is part funded by the European Regional Development Fund
 Human Hacking
In the context of information security The problem classes covered in this article
social engineering is defined as “The use are:
of deception to manipulate individuals
into divulging confidential or personal • Innocuous Information - Information
information that may be used for that seems harmless, but in combination
fraudulent purposes.” ["social engineering, with other factors can be used maliciously.
n." OED Online. Oxford University Press,
• Causing and Fixing the Issue - Using
December 2019]. Social engineering,
empathy and “owing a favour” to get
also called human hacking, is becoming
potentially sensitive data from someone.
a more common threat in the world of
cyber security but can be prevented simply • Just Asking for It - Using authority,
through increasing awareness. As computer empathy, fear, and panic to extract
antiviruses and firewalls become stronger, sensitive information from someone.
malicious actors are realising that the
weakest link in cyber security is actually the • Phishing - Gaining personal information
person behind the computer. Therefore, through the use of fake emails and
the easiest way through a firewall is to websites.
manipulate a person already behind it.
Innocuous Information: Problem
The social engineer lives by the motto
Knowledge is Power and will attempt In any company or organisation specific
to extract any and all information they articles of paperwork and phrases or terms
can. This information could be leveraged get passed around from employee to
against a company for monetary gain, or employee, so much so that the employees
perhaps simply used to cause reputational see this information as common place and
damage. While private and sensitive data unimportant. Whilst it is unlikely, a malicious
is often protected through measures such actor can use some of this information to
as a firewall, social engineers specialise in take down a company with one call. The
extracting information by manipulation. more skilled social engineer treats their
If you ask any con-man, magician, or attack like a large puzzle, slowly gaining all
psychologist, they will inevitably tell you that the right pieces to give them a fuller picture.
humans are very easily manipulated. A simple and innocent sounding piece of
information could be used as a stepping
stone for a larger scam. A harmless question
Common Social Engineering Techniques such as: `When you phone in to CreditChex,
what do you call the number you give them
There are many methods which social is it a `Merchant ID'?' could later be used to
engineers employ to extract sensitive pretend that the caller was from the bank.
information, let us explore some of the most Often a social engineer will learn some
common techniques in the social engineer's phrases or words that are only really used in
toolbox according to the infamous social the target job, e.g. acronyms of a particular
engineer Kevin Mitnick.1 retail business if they plan to attack a retail
business, or acronyms related to the IT sector
There are four classifications of problems if that was the target. By saying these phrases
which are exploited. For each explanation we casually, the person the social engineer is
present three sections, the first outlining the conversing with will tend to think that they
problem, the second providing an example also work in the field. Thus, making a request
scenario, and the third explaining how to for some innocuous information seems
protect or prevent the type of attack. normal and is not questioned.

Greater Manchester Cyber Foundry [1] Social Engineering: Hacking the Human
 Innocent Data
Innocuous Information: Scenario Often in the situation of a social engineer
calling a company, they use insider words
Assistant: Acme Products, this is Madison, and language which helps to make the
how can I help you? targeted people feel that the engineer is a
part of the company. Just because someone
Malicious Actor: Hi Madison, this is Jesse, knows the terminology it does not mean
I’m a new hire down in Budgets trying to they are entitled to have the information.
update some contact lists. Do you have Mr.
Charles Foster Offdenson’s email address for A Merchant ID may be used in the bank
our records? every day, but such an identifier can
be equated to a password and should be
Assistant: I do, but that’s not often given protected as such. Another common request
out, you can just use my address for most is direct phone numbers of department
things it is madison@ac.me and work groups. While the direct numbers
of the CEO or members of the board are
Malicious Actor: I know that, but I’m being generally not given to outsiders, they are
put through the ringer down here and I was often shared with employees (or those who
supposed to have this on my manager’s desk pose as employees).
an hour ago and now he keeps checking up
on me and I just started this job and I’ve … A suggestion to counter this is to implement
a policy forbidding the exchange of phone
Assistant: All right, I understand, you can numbers to outsiders, and to implement a
calm down. The email address is CFO@ac.me procedure to be sure the caller is actually a
member of the company.

“
Just because someone
knows the terminology, it
does not mean they are
entitled to information

Image: Hannah Wei on Unsplash

Innocuous Information: Solution

”
As will become apparent in all the prevention
techniques the best way to stop a social
engineer is to have strong verification
procedures. The most common and effective
The important prevention measure that way of implementing this would be to
should be taken in this case is to keep include Two Factor Authentication (2FA),
up-to-date with what information, even if this way even if the social engineer got an
seemingly innocuous, could still be a risk. employee number that would not be enough
The most direct measure would be to class to be considered a member of the company.
all information as classified, unless explicitly In the scenario above, the assistant could
stated otherwise. simply have offered to email the malicious

Greater Manchester Cyber Foundry [2] Social Engineering: Hacking the Human
 Part of the Problem
user the information. That way, she can verify actually be malware and not perform as
that the email address is associated with the claimed. In fact, it would install a key logger
company and the member of staff is real. and a piece of malicious software that would
provide the social engineer with virtual
The hardest part of preventing social access to the computer.
engineering attacks is overcoming the
human instinct to be helpful, If someone Causing and Fixing a Issue: Scenario
asks for a favour, decline until you can verify
the request is legitimate. Social engineers Staff Member: “Accounts, how can I help?”
use and abuse human psychology and
the easiest way to not be a target is to be Malicious Actor: “Hi there, it’s Sam from the
knowledgeable of different approaches. IT helpdesk. We’re trying to troubleshoot a
computer network problem. Do you know

“
if anyone in your team has been having
trouble online?”

The hardest part of Staff Member: “Uh, not that I know of”
preventing social
Malicious Actor: “Okay, that’s good. Listen,
engineering is we’re calling people who might be affected
overcoming the human because we have been having reports of
people losing their connection, and we are
instinct to be helpful trying to be proactive in solving this before it

”
escalates. It sounds like having your network
connection go down would be a problem for
you and your team…”
Causing and Fixing an Issue: Problem
Staff Member: “Yeah, it certainly would!”
If you are experiencing a technical problem
Malicious Actor: “…so while we’re working
with a computer system and someone
on this, let me give you my work mobile
claiming to be from IT called and said they
phone number. Then you can reach me
would fix the issue, then gratitude is typically
directly if you need to in case you need"
the emotion that would be felt, not distrust.
This is one very useful method in the social
Staff Member: “Thanks, that's great”
engineer’s toolkit. A couple of convincing
phone calls could result in a scammer being
Malicious Actor: “It’s 07123456789”
both the source and saviour of an issue.
Staff Member: “Very useful, thanks again”
The target of the con can be lured into a
false sense of security seeing the social
Malicious Actor: “Listen, one more thing
engineer as a very helpful member of the
before I go. I need to check your port
company. Once the social engineer has
number. Take a look on your computer and
built up this false trust of themselves, they
see if there’s a sticker that says port number”
would then often ask for a favour in return
for helping them out. This favour may come
Staff Member: “Yeah, it says Port 6 dash 47”
in the form of asking the target to install a
piece of software on the grounds that "this
Malicious Actor: “Great, that’s what we had
will stop the error causing a downed network
you down as, just making sure”
in the future". However, the software would

Greater Manchester Cyber Foundry [3] Social Engineering: Hacking the Human
 Get What You Ask For
Causing and Fixing a Issue: Solution Just Asking for It: Problem

The simplest solution is to not fulfil As group animals, thanks in part to how
the requests made by a stranger, even society functions, people are always looking
commands or applications that seemingly out for each other and this instinct to help
do nothing on the surface could lead to increases if the person requesting help is
bad consequences for the company. A from the same company. This means a social
significant part of preventing these types of engineer who has an aura of confidence may
requests is to designate a single employee sometimes just straight up ask for what they
in each department to handle all requests want and worryingly they often get it.
for information to be sent outside of the
work group. These designated employees To make this request seem more reasonable
must then go through an advanced security often the social engineer would use
training program so that they become fully language that is specific to the field or the
aware of the procedures they should follow. company. If the social engineer is entering
the premises, they may also wear clothing
An important thing to be noted is that that would fit in with the people legitimately
everyone from receptionists to high-level working there.
managers need to have adequate security
training so that they are aware of the ways
people will attempt to get information. The
heads of security should establish a single
point of contact so that if employees are not
sure if they have been targeted by a social
engineering ruse, they can bring it forward
to someone who would better understand
what next steps to take.

If someone calls claiming to be a person in

the company an easy way of verifying if it
is them would be to put the caller on hold
and actually call the person from the staff
directory that the caller claims to be. If you Just Asking for It: Scenario
call their company phone and they respond,
you can speak to them about the attack. If Alice works at a company where key cards
instead you reach voice mail you can listen are required to get through security doors.
to the voice of the person and compare it to One day, as she had just scanned herself in
that of the caller. and opened the door she looked behind her
and saw a man she did not recognise, both
Companies should teach their employees hands full of coffee cups. "Oh!" he asked
about the practice of accepting people “Please, can you hold that for me?" as he
as legitimate employees just because started to move towards the door faster so
they know what to say or know about the she did not have to wait as long. Once he
company. If someone knows this information reached the door and Alice had made sure
it does not mean that they belong to the that he could get through she turned and
company, they must still be verified. Yet went about her normal work routine. It now
again, employees must be verified and may be obvious, that the man in the brief
no information, even if it is considered example above is not someone who works at
innocuous should be given to outsiders. the company. Yet he has been given access

Greater Manchester Cyber Foundry [4] Social Engineering: Hacking the Human
 Bold Psychology
simply because he asked for it, this is such a Just Asking for It: Solution
common risk that almost everyone has done
at some point. Why does this bold approach work?
Psychologically there is a lot going on and
If your company or building has a key card many papers and blogs have been written
door just sit and watch it how many times investigating the psychology of helping
will people just hold it open for others? Or others.5 To summarise and paraphrase these
ask yourself how many times have you held happenings it all comes down to the instinct
a secured door open for someone that you humans have to be part of a bigger group,
did not recognise? In the scenario above, or pack.
the malicious actor entered the premises
but often social engineers will avoid that as The person who holds the door is also
it increases the risk of discovery unless they subconsciously thinking "if this person sees
are very sure in themselves. me struggling in the future, they would help
me as they will feel indebted" this is how the

“
norm of reciprocity motivator works. The
second example triggers the kin selection
model and the norm of social responsibility
How often have you response, both of these revolved around
benefiting the wider company or society. The
held a secured door thought process behind leaving a classified
open for someone you phonebook outside for a stranger is "if I help
this person do their job faster, the company
did not recognise? as a whole will do better", yet it can be a
major flaw in security.

”
Often important information is asked for
over the phone and again it is often given.
Here is another example scenario:

Ben works for a company where they keep a

phonebook of all of the employees' phone
extensions, names and job titles. At the
end of each business year they update the
information to account for changes in staff,
and replace the book and shred the old
copy. On the day of the new phonebook
image: Dima Pechurin on Unsplash
delivery Ben receives a call from a woman
who says they have the new phonebook. She This is the boldest of cons and often the
tells him that they are running late, and need most successful, yet preventing this con
to pick up and dispose of the old one - so still comes down to making sure that the
she asks that he puts his old copy outside person is who they say they are. These cons
for it can be quickly be picked up. Wanting often use sympathy, guilt, and intimidation
to be helpful, Ben complies and then a few as a psychological trigger to get what they
minutes later a car pulls up. The woman want. To prevent this the company and the
walks out and picks up the phonebook that employees needs to protect data; implement
has classified written all over it. solid instructions about passwords; have a

Greater Manchester Cyber Foundry [5] Social Engineering: Hacking the Human
 Gone Phishing
central reporting point; and understand how a strong password is. Users should be
to protect the company network. instantly suspicious of any request involving
their passwords. This may seem like a very
Many of these attacks have data being obvious message to get across, but users
sent to someone unknown to the user, should also be told why it is bad to have a
even if it appears to be sent internally. The simple password, or the same password for
company needs to have a security policy all personal items, otherwise it comes across
that is very specific about sending valued as following a rule in blind obedience. Often,
data to anyone not known by the sender. rules requiring blind obedience are forgotten
When a request is made, there must be a or ignored.
strong procedure to verify the requesting
party. Other ways to limit the impact of The name of a computer server or network
such attacks is to keep a departmental log must be considered sensitive data, a social
of requests made. Meaning, that if one has engineer can use this information to gain
been compromised the company know trust or find the location of the information
specifically what the social engineer knows. they require. It could also be used to bring
the network down (and lead to Causing
The company could also train specific people and Fixing Problems). People who provide
to be trusted to authorise the sending computer help need to be well versed in
out of sensitive information. By making what requests should bring up red flags. This
only these people able to send sensitive links back to creating a central reporting
information out of the company, the risk will point of specially trained staff who focus on
be mitigated. deciphering whether a request is an attack or
legitimate. By making this central point easy
to contact, employees could ask a specifically
trained member of staff to assist them if they
suspected something amiss.

Phishing: Problem

One of the most well-known approaches

to social engineering is a method called
phishing where an email is sent, often to a
large group of people, that hosts a malicious
link or attachment which will infect any
Image: CeruleanSon from Pixabay
computer where a user clicks the link.

Passwords are a common target of social It was once the case that the typical
engineers, and even changing a password for phishing email contained poor English with
a few moments can lead to a security breach. spelling and grammatical errors - which
Due to the modern use of passwords people made them easier to spot for those with
have many accounts secured by password, an eye for detail. These emails were sent
yet because of the large number of different en-mass with the intention of only getting
accounts for various things, people tend to a small amount of return on the email, this
use a single password for most of them. If is obviously an inefficient method of get
this single password is compromised, then information. However, these phishing emails
so is every other account they have. Training are becoming more and more sophisticated.
needs to cover the topic of passwords, They may often have imagery which
when and how to change them; and what represents a service that you subscribe to,

Greater Manchester Cyber Foundry [6] Social Engineering: Hacking the Human
 A Pointed Attack
such as a bank, or email provider, indicating This is designed to panic the person
your account is locked or compromised. reading the email. Once the reader feels
They will often contain a link for you to rushed, they may click on a link provided
'Reset your password' on a fake website and while this may look legitimate in the
made to look like your bank, or email email, the software allow for the renaming
provider etc. These can look very convincing, of hyperlinks to display safe looking site
and prey on the fear that your account while directing you to another. e.g:
has been locked. Unfortunately, as you https://www.google.com/update
enter your details in the webform, you are could actually link to the malicious site:
unsuspectingly giving your login/password http://I.AmStealing.Your/Information
credentials to the social engineer.

Recently, a new type of phishing has become

more prevalent, this is known as spear
phishing, which focuses more on making the
email more personal and directed at specific
people. For this attack, the social engineer
does a lot of research and employs various
techniques to obtain personal data about
the target, so that their crafted phishing
email appears to be far more legitimate, and
therefore more likely to succeed. A common
source for such personal data is actually
publicly available. Consider how much could image: Melinda Gimpel on Unsplash
someone find about you simply by looking
at your social media, or searching for your In other cases, if the social engineer does
name online? not want to spend extra time and effort to
disguise a link, they may use one that looks

“
very similar to the website the email claims
to be from, i.e. www.paypa1.com at a quick
glimpse this says Paypal but in reality the
a new type of phishing final 'l' has been replaced by a '1'. Looking
more specifically at the psychology behind
has become more this method, the urgent subject line or
prevalent, this is known body content initiates the human fight
or flight instinct where logic and rational
as spear phishing thinking is put to one side and replaced by
the instinct or a need to act, quickly. This

”
often will mean that the recipient of the
phishing email will be paying less attention
to the detail, and be focusing on the need
Phishing: Scenario to fix a bad situation. They click on the
malicious link and put their system at risk.
The subject and body of these emails often Instinct is easier to predict, which makes
contains urgent reasons to act: people easier to manipulate and thus leads
to more successful cons. In the Paypal
• Account had been suspended example above, if you feel the urgent need
• Confirm account ownership to act you are less likely to notice the l/1
• Your card will be disabled etc. swap.

Greater Manchester Cyber Foundry [6] Social Engineering: Hacking the Human
 Recognise the Signs
Phishing: Solution from emails, it is very easy to disguise a
malicious website as a trusted one. In most
Phishing is the most common form of attack email readers if you hover over a link, at the
in the modern era of computing, due to bottom of the screen will be the directed
the sheer amount of email communication address which may be contrary to the
that people do daily. However, there is website the link claims to be.
also a wealth of information available to
help guide you and your organisation. Another thing to look out for is typical
We would recommend starting with the phishing language. Most emails intended to
NCSCs resources on the subject of phishing: scam will try and convey a sense of urgency
https://www.ncsc.gov.uk/guidance/phishing so that the receiving party rushes to act not
fully paying attention to the links or the
message of the email. A key give-away for
phishing emails is if they aren't addressed
to a person directly rather, `Dear Customer'
or similar. Also in phishing emails, less so in
spear-phishing emails, there are commonly
spelling mistakes and formatting errors,
where legitimate businesses would not have
such errors.

Image: Yiran Ding / Unsplash

“
Phishing is the most
common form of attack
The key things to keep in mind while looking
at emails; protect your personal information, in the modern era of
do not click links unless you have checked computing.
where they lead, look for common phishing

”
language, and any mistakes in spelling or
grammar.

It is good to be suspicious of all emails sent It used to be the belief that if a website has
from entities that require sensitive data. If an a padlock next to its name in the browser
email is received informing you that there is it is secure, but this is no longer the case if
something wrong with an account, the safest you are suspicious of a website but it has a
thing to do would be to not follow the link padlock click on the icon, it will tell you the
in the email. Instead, open a browser and name of the organisation that applied for it.
navigate to the trusted home page of the If these do not match, leave that website and
entity and log in there. If there is something remain very suspicious of the email or site.
wrong with an account then it may be
legitimate and the actual website would Summary
say so, or phone up the company using
their official company phone number. Here, The social engineer makes use of many
enquires could be made about your account psychological triggers and methods of attack
and if it is actually in need of action. to gain access to information or credentials.
Social engineering attacks are actually quite
As a general rule of thumb never click links preventable, all that is required is to have an

Greater Manchester Cyber Foundry [6] Social Engineering: Hacking the Human
 Wrapping it All Up
understanding of the methods they use and would also add another layer of security.
knowledge of what to look out for. Additionally, constant reminders about
methods of attack to employees will aim
The social engineer has a lot of techniques to make sure that the workforce are always
at their disposal, this article has covered a aware of possible threats.
few of their methods for attack as well as
some ways which you can prevent these. It
is important to bear-in-mind that while the
social engineers will use combinations of all
the above methods, and more, to achieve
their goal.

Most readers of this article would have

themselves believe that they would not fall
for such simple tricks, yet studies7 have been
done to show the majority of people will fall
for these methods even if they have been
warned about them in advance!

This article concludes with four ways to

improve security against these types of
threat:

• Increase Awareness - Show people how

to recognise the tactics used and how to
react

• Repeat Training Regularly - Repeat the

training using different approaches and Further Support Available
materials.
The Greater Manchester Cyber Foundry
• Tackle and Reduce Optimism Bias - runs a Secure Digitisation Programme
Stop people from thinking “I am less designed to support businesses facing
likely to be targeted” or “I am better at cyber challenges in the Greater Manchester.
resisting these attacks” The programme consists of two full-day
workshops, alongside some online open
• Focus on Vulnerable Groups - Often learning elements, to better defend, innovate
young and recent hires are the most at and grow your business. The support
risk provide training during job induction. is free due to being part funded by the
European Regional Development Fund, and
The easiest way to prevent any kind of social is in partnership with Lancaster University,
engineering attack is to verify the caller. the University of Manchester, Manchester
If a company has a strong identification Metropolitan University, and Salford
procedure or uses multi-factor verification, University.
attacks become much harder to carry out.
The addition of a trained team or specific To find out more contact us:
individuals who are in charge of whether
information is sent outside of the company gmcyberfoundry@lancaster.ac.uk

Greater Manchester Cyber Foundry [6] Social Engineering: Hacking the Human
 Further Reading

About the Author

Alexander Lee is an analyst developer on the Greater

Manchester Cyber Foundry project. Having recently
graduated from Lancaster University with a master’s
in Physics, Alexander has always enjoyed software
development building multiple physics based simulations.
Alexander is also a part time magician, which sparked
an interest in human psychology and how to use it to
influence others

READ MORE
1. The Art of Deception - K. Mitnick [Mitnick, Kevin D., and William L. Simon. The art of deception:
Controlling the human element of security. John Wiley & Sons, 2003.] – Written by one of the most
infamous social engineers of modern time this book covers over 10 different approaches of the
social engineer with entire sections dedicated to security procedures that business could adopt
to prevent future attacks.
2. Advanced Social Engineering Attacks - K. Krombholz, H. Hobel, E. Weippl [Krombholz,
Katharina, et al. "Advanced social engineering attacks." Journal of Information Security and
applications 22 (2015): 113-122.] - A short digestible article describing common attack scenarios,
as well as real-world examples. Aiming to classify the different types of attacks.
3. Steps to Avoid Phishing Scams - Comodo Security Solutions [Comodo Security Solutions, “What
is a Phishing Scam?” COMODO, 26 February 2020, https://www.comodo.com/resources/home/
how-to-avoid-phishing.php] - A short but comprehensive list of steps to take to avoid the most
common type of scam.
4. Social Engineering: The Art of Human Hacking - C. Hadnagy [Hadnagy, Christopher. Social
engineering: The art of human hacking. John Wiley & Sons, 2010.] - A book aiming to reveal and
dissect the technical aspect of social engineering attacks as well as providing examples and
detailed accounts of methods used by the social engineer.
5. Social-influence processes of control and change: Conformity, obedience to authority and
innovation [Martin, Robin, and Miles Hewstone. Social-influence processes of control and change:
Conformity, obedience to authority and innovation. London: Sage, 2003.]
6. Introductory Guide: Phishing [Joinson, Adam. ‘’Introductory Guide: Why Do People Click On
Phishing Links?’’ CREST, 26 February 2020, https://crestresearch.ac.uk/resources/introductory-
guide-phishing/.]
7. Social Engineering From Thoughts To Awareness. [Bullée, Jan-Willem. “Social Engineering:
From Thoughts to Awareness” CREST, 26 February 2020, https://www.crestsecurityreview.com/
article/social-engineering-from-thoughts-to-awareness]
8. A study of social engineering in online frauds. [Atkins, Brandon, and Wilson Huang. "A study of
social engineering in online frauds." Open Journal of Social Sciences 1.03 (2013): 23.]

Copyright: This guide is made available under a Creative Commons (CC BY-NC-SA 4.0) licence.
For more info about GM Cyber Foundry: https://www.lancaster.ac.uk/security-lancaster/cyber-foundry/

The Cyber Foundry project is part funded by the European Regional Development Fund