Social Engineering

Recognize manipulation before you comply.

What You'll Learn in Social Engineering

Social Engineering Training Steps

  1. Introduction

    Alice Martinez works as a senior developer at SecureTech Corp, a growing software company specializing in financial applications. She's been with the company for three years and is known for being helpful and collaborative with her colleagues. It's a typical Tuesday afternoon, and Alice is working on a critical project deadline.

  2. The Unexpected Call

    Alice's mobile phone rings unexpectedly. The caller ID shows 'IT Support - Internal'. Since the call appears to be from her company's IT department, Alice decides to answer it.

  3. The Convincing Introduction

    Alice feels concerned about the potential security issue and wants to help resolve it quickly.

  4. The Information Gathering

    Alice, feeling pressured by the urgency and trusting that this is legitimate IT support, begins to consider providing the requested information.

  5. Escalating the Request

    Alice feels she has no choice but to comply since her account might be compromised.

  6. The Malicious Website

    Alice notices the website looks similar to her company's login page, though something feels off about the URL.

  7. The Access Attempt

    Bob has successfully captured Alice's credentials and is now attempting to get her to download malware disguised as a security tool.

  8. Checking the Email

    After the call, Alice opens her email client to check for the promised message. In her inbox, she notices an email from 'IT Support' with the subject line 'Urgent: Security diagnostic tool.'

  9. The Realization

    As Alice hangs up the phone, memories from the company's recent cybersecurity training flood back. She remembers the instructor specifically warning about attackers who impersonate IT support, create false urgency, and try to get employees to download malicious software.

  10. Immediate Security Response

    Alice immediately takes action to minimize potential damage from the attack. She knows that she has already provided her credentials to the malicious website, which means her account could be compromised. Looking back at the browser, she notices the URL was using HTTP instead of HTTPS - a clear red flag she missed under pressure. She also makes a mental note of all the information she provided during the call: her employee ID, last four digits of her SSN, and her login credentials.