Classification of Social Engineering
1 Answer

A. Human-Based Social Engineering

Human-based social engineering refers to person-to-person interaction to get the required/desired information. An example is calling the help desk and trying to find out a password.

1. Impersonating an employee or valid user: "Impersonation" (e.g. posing oneself as an employee of the same organization) is perhaps the greatest technique used by social engineers to deceive people. Social engineers "take advantage" of the fact that most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who "forgot" his/her badge, etc., or pretending to be an employee or valid user on the system.

2. Posing as an important user: The attacker pretends to be an important user - for example, a Chief Executive Officer (CEO) or high-level manager who needs immediate assistance to gain access to a system. The attacker uses intimidation so that a lower-level employee such as a help-desk worker will help him/her in gaining access to the system. Most of the low-level employees will not ask any question to someone who appears to be in a position of authority.

3. Using a third person: An attacker pretends to have permission from an authorized source to use a system. This trick is useful when the supposed authorized personnel is on vacation or cannot be contacted for verification.

4. Calling technical support: Calling the technical support for assistance is a classic social engineering example. Help-desk and technical support personnel are trained to help users, which makes them good prey for social engineering attacks.

5. Shoulder surfing: It is a technique of gathering information such as usernames and passwords by watching over a person's shoulder while he/she logs into the system, thereby helping an attacker to gain access to the system.

6. Dumpster diving: It involves looking in the trash for information written on pieces of paper or computer printouts.

B. Computer-Based Social Engineering

Computer-based social engineering refers to an attempt made to get the required/desired information by using computer software/Internet. For example, sending a fake E-Mail to the user and asking him/her to re-enter a password in a web-page to confirm it.

1. Fake E-Mails: The attacker sends fake E-Mails to numerous users in such a way that the user finds it to be a legitimate mail. This activity is also called "Phishing". It is an attempt to entice the Internet users (netizens) to reveal their sensitive personal information, such as user-names, passwords and credit card details, by impersonating a trustworthy and legitimate organization and/or an individual. Banks, financial institutes and payment gateways are the common targets. Phishing is typically carried out through E-Mails or instant messaging and often directs users to enter details at a website, usually designed by the attacker to abide by the look and feel of the original website. Thus, Phishing is also an example of social engineering techniques used to fool netizens. The term "Phishing" has evolved from the analogy that Internet scammers are using E-Mail lures to fish "Phishing" and financial data from the sea of Internet users (i.e., netizens).

2. E-Mail attachments: E-Mail attachments are used to send malicious code to a victim's system, which will get executed automatically (e.g., a keylogger utility to capture passwords). Viruses, Trojans, and worms can be included cleverly into the attachments to entice a victim to open the attachment.

3. Pop-up windows: Pop-up windows are also used, in a similar manner to E-Mail attachments. Pop-up windows with special offers or free stuff can encourage a user to unintentionally install malicious software.
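As an added example (not part of the question or the answer above), the following Python check looks for the phishing traits described under B.1: a sender whose display name claims a brand that its address domain does not belong to, a link whose visible text names the real site while its href leads elsewhere, and a look-alike domain that embeds the brand name. The trusted domain, the sender address and the sample mail are all constructed for illustration.

```python
import email
import re
from email.policy import default
from urllib.parse import urlparse

# Assumption: the brand the mail claims to come from (hypothetical domain).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample following the pattern in the answer: a mail that looks
# legitimate but links to an attacker-controlled look-alike login page.
SAMPLE = """\
From: ExampleBank Security <alerts@examplebank-verify.net>
To: user@example.org
Subject: Confirm your password
Content-Type: text/html; charset=utf-8

<p>Please visit <a href="http://examplebank-verify.net/login">https://www.examplebank.com/login</a>
and re-enter your password to confirm it.</p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Lowercase host of a URL or bare domain; '' if the text is not URL-like."""
    text = text.strip()
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host.lower() if "." in host and " " not in host else ""

def phishing_indicators(raw):
    """Return indicator strings found in a raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    brand_labels = {d.split(".")[-2] for d in TRUSTED_DOMAINS}   # e.g. 'examplebank'
    findings, hosts = [], {sender.domain.lower()}
    # 1. Display name claims a trusted brand, but the address domain is not trusted.
    if sender.domain.lower() not in TRUSTED_DOMAINS and any(
            b in sender.display_name.lower().replace(" ", "") for b in brand_labels):
        findings.append(f"sender domain {sender.domain} does not match claimed brand")
    for href, text in ANCHOR_RE.findall(msg.get_content()):
        link_host, shown_host = host_of(href), host_of(re.sub(r"<[^>]+>", "", text))
        hosts.add(link_host)
        # 2. Visible link text names one site while the href leads to another.
        if shown_host and link_host and shown_host != link_host:
            findings.append(f"link text shows {shown_host} but points to {link_host}")
    # 3. Any host that embeds a trusted brand label without being the trusted domain.
    for h in sorted(hosts):
        if h not in TRUSTED_DOMAINS and any(b in h for b in brand_labels):
            findings.append(f"look-alike domain {h}")
    return findings
```

Calling `phishing_indicators(SAMPLE)` yields three findings for the sample; a mail from the trusted domain whose link text and href agree yields none.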
