Instead of picking a lock, what if a burglar just tricked you into handing over the key? That’s social engineering. Bad guys use lies, fake stories, and pressure to get people to give up passwords, open dangerous files, or let strangers into secure places. They play on feelings like trust, fear, and helpfulness. It works because even the strongest computer security can be beaten when a person gets fooled.
ELI5: Social Engineering (Traditional Chinese version)
Social engineering is simply deception: instead of cracking the computer, the attacker tricks a person into giving up the secret, for example by pretending to be the boss and asking you for a password.
[Scammer] --(psychological manipulation)--> [Victim] --(leaks password)--> [System]
Overview
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Rather than exploiting technical vulnerabilities, these attacks target human psychology — trust, fear, urgency, and curiosity. Social engineering is consistently one of the most effective attack methods and is heavily tested on the SY0-701 exam.
Key Concepts
Phishing — fraudulent emails impersonating legitimate entities to steal credentials or deliver malware
Spear phishing — targeted at specific individuals or organizations
Whaling — targets high-level executives (C-suite)
Business Email Compromise (BEC) — impersonating or compromising business email accounts
Tailgating / Piggybacking — following an authorized person through a secured door. Tailgating = without their knowledge; Piggybacking = with their consent (they hold the door)
Watering hole attack — compromising a website frequently visited by the target group
Typosquatting — also known as URL hijacking; registering domains similar to legitimate ones to capture mistyped URLs; relies on common typing errors
Brand impersonation — creating fake websites, emails, or social media profiles mimicking trusted brands
Influence campaigns — large-scale disinformation operations to manipulate public opinion; may include hybrid warfare combining cyber operations with disinformation
Credential harvesting — collecting usernames and passwords via fake login pages or forms, often delivered through phishing campaigns
Psychological principles exploited:
Authority, urgency, scarcity, social proof (consensus), likability, fear, intimidation
Exam Tips
Remember
Phishing family: Email = Phishing, Phone = Vishing, SMS = Smishing, Targeted = Spear phishing, Executive = Whaling. The exam will describe a scenario and expect you to identify the specific type.
Tailgating vs. Piggybacking
Tailgating = victim is unaware someone followed them through the door. Piggybacking = victim knowingly allows it (e.g., holds door open out of politeness).
Phishing attacks are partly mitigated by the email-authentication controls SPF, DKIM, and DMARC. These only verify that a message is authorized for the domain it claims to come from; they do not stop mail from a lookalike domain the attacker actually owns, or from a legitimate account that has already been compromised (BEC).
Social engineering is a primary method used by threat actors of all sophistication levels.
Physical social engineering (tailgating and piggybacking) is addressed through physical-security controls such as access control vestibules, badge readers, and staffed reception points.
Credentials stolen through social engineering feed directly into password attacks such as credential stuffing.
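Two of the points above, the typosquatting entry under Key Concepts and the note that SPF/DKIM/DMARC mitigate phishing, come together in mail triage. The following Python is an added example written for this page (it is not code from CompTIA or from any vendor tool). It generates single-edit lookalike variants of an organization's domains, parses the spf/dkim/dmarc verdicts out of an Authentication-Results header, and flags two distinct cases: a message whose From address claims a legitimate domain but fails DMARC (spoofing), and a message from a lookalike domain that passes DMARC because the attacker registered it and set up SPF and DKIM for it. The domains example.com and examp1e.com, the header values, and the messages are all constructed for the example.

```python
import re

# Constructed for this example: the domains the organization legitimately sends from.
LEGIT_DOMAINS = ("example.com", "mail.example.com")

# ASCII look-alike substitutions commonly used in typosquatting. Each value is a list
# so a single character can be swapped for a multi-character glyph pair ("m" -> "rn").
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "m": ["rn"],
    "e": ["3"], "a": ["4"], "s": ["5"], "w": ["vv"], "g": ["q"],
}

# TLDs an attacker swaps in hoping the victim will not notice.
ALT_TLDS = ("co", "cm", "net", "org")


def typo_variants(domain: str) -> set[str]:
    """Return single-edit lookalikes of `domain`: character omission, repetition,
    transposition, hyphen insertion, homoglyph substitution and TLD swap."""
    name, _, tld = domain.rpartition(".")
    variants: set[str] = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                        # omission:      exmple
        variants.add(name[:i] + ch + name[i:])                       # repetition:    exaample
        if i < len(name) - 1:
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: exmaple
            variants.add(name[:i + 1] + "-" + name[i + 1:])          # hyphenation:   exam-ple
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(name[:i] + sub + name[i + 1:])              # homoglyph:     examp1e
    variants.discard(name)
    result = {v + "." + tld for v in variants if v}
    result |= {name + "." + t for t in ALT_TLDS if t != tld}        # TLD swap:      example.co
    return result


_AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I
)


def parse_auth_results(header: str) -> dict[str, str]:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header (RFC 8601)."""
    return {k.lower(): v.lower() for k, v in _AUTH_RE.findall(header)}


def from_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address, which is what DMARC aligns against."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def triage(message: dict[str, str], legit_domains=LEGIT_DOMAINS) -> list[str]:
    """Return analyst-facing findings for one message; an empty list means nothing was flagged."""
    findings = []
    dom = from_domain(message.get("From", ""))
    auth = parse_auth_results(message.get("Authentication-Results", ""))
    if dom in legit_domains:
        # Our own domain in From: DMARC must pass, otherwise the visible domain was spoofed.
        if auth.get("dmarc") != "pass":
            findings.append(f"claims {dom} but DMARC result is {auth.get('dmarc', 'missing')}")
    else:
        # A domain the attacker actually registered passes SPF/DKIM/DMARC for itself, so the
        # authentication verdicts prove nothing; compare against our lookalike set instead.
        lookalike_of = [d for d in legit_domains if dom in typo_variants(d)]
        if lookalike_of:
            findings.append(f"sender {dom} is a lookalike of {lookalike_of[0]}")
    return findings


# Constructed inbound messages (only the two headers the triage needs).
SAMPLE_MESSAGES = [
    {   # legitimate internal mail, properly authenticated
        "From": "HR <benefits@example.com>",
        "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=example.com; "
                                  "dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    },
    {   # display domain spoofed: From says example.com but nothing authenticates
        "From": "CEO <ceo@example.com>",
        "Authentication-Results": "mx.example.com; spf=fail smtp.mailfrom=bulk-sender.invalid; "
                                  "dkim=none; dmarc=fail header.from=example.com",
    },
    {   # typosquat domain owned by the attacker: SPF/DKIM/DMARC all legitimately pass
        "From": "Payroll <payroll@examp1e.com>",
        "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=examp1e.com; "
                                  "dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com",
    },
    {   # unrelated external sender, nothing to flag
        "From": "Vendor <sales@vendor.invalid>",
        "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=vendor.invalid; "
                                  "dkim=pass header.d=vendor.invalid; dmarc=pass header.from=vendor.invalid",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", triage(msg) or "ok")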
Practice Questions
Q-Bank: Social Engineering (4 Questions)
Q1. A CFO receives an email that appears to come from the company’s external auditor, requesting an urgent wire transfer to a new account before end of business. The email uses the auditor’s name, signature block, and references a real ongoing audit. Which type of social engineering attack is this MOST likely?
A. Phishing
B. Spear phishing
C. Whaling
D. Vishing
Answer: C. Whaling
Whaling is a form of phishing that specifically targets high-level executives (C-suite), using highly personalized content and often involving financial requests — the CFO being targeted with an urgent wire transfer request is a classic whaling scenario. Spear phishing is targeted at specific individuals but the term “whaling” more precisely describes targeting executives. Generic phishing is untargeted mass email campaigns without personalization. Vishing uses voice calls, not email.
Q2. A security team discovers that a popular industry forum frequently visited by their developers was compromised with a drive-by download exploit. Several developer workstations were infected after visiting the site. Which social engineering technique does this BEST describe?
A. Baiting
B. Pretexting
C. Watering hole attack
D. Typosquatting
Answer: C. Watering hole attack
A watering hole attack compromises a website frequently visited by the target group, exploiting the trust users place in familiar sites — the compromised industry forum targeting developers is a textbook example. Baiting offers something enticing like a USB drive or free download to lure victims, not compromising a trusted website. Pretexting involves creating a fabricated scenario to extract information through direct interaction. Typosquatting registers domains similar to legitimate ones to capture mistyped URLs, not compromising legitimate sites.
Q3. An employee holds the door open for a person carrying a large box who claims to be a delivery driver. The person is actually an unauthorized individual who gains access to the server room. Which physical social engineering technique was used?
A. Tailgating
B. Piggybacking
C. Pretexting
D. Shoulder surfing
Answer: B. Piggybacking
Piggybacking occurs when an authorized person knowingly allows someone to follow them through a secured door — the employee intentionally held the door open. Tailgating occurs when someone follows through without the authorized person’s knowledge or consent. While pretexting was used as part of the attack (claiming to be a delivery driver), the physical access technique itself is piggybacking. Shoulder surfing involves observing someone’s screen or keyboard to steal information, not gaining physical access to a building.
Q4. An attacker sends text messages to hundreds of employees claiming their corporate benefits enrollment will expire in 24 hours, with a link to a fake enrollment portal that harvests credentials. Which attack type and psychological principle are MOST involved?
A. Phishing exploiting authority
B. Smishing exploiting urgency
C. Vishing exploiting fear
D. Spear phishing exploiting scarcity
Answer: B. Smishing exploiting urgency
Smishing is SMS-based phishing, and the 24-hour deadline creates urgency — a psychological principle that pressures victims into acting quickly without thinking critically. Phishing uses email, not text messages. Vishing uses voice calls, not text messages. Spear phishing is targeted at specific individuals, but this attack was sent to hundreds of employees indiscriminately, making it a mass smishing campaign rather than targeted spear phishing.