How To Social Engineer Anyone In 5 Steps (The Ultimate Social Engineering Guide)

Understanding how to become a social engineer is essential to running any successful red-team exercise or phishing simulation, particularly since humans are the entry point in 74% of all breaches.

In this blog, we'll provide a detailed walkthrough outlining what social engineering is, popular techniques, how you can perform social engineering attacks, and finally, how to protect yourself.

What Is Social Engineering?

Social engineering is a form of cyber-attack where humans are the primary target of exploitation instead of technology. In saying this, the most effective social engineering attacks combine technical and human weaknesses to increase their likelihood and impact.

Due to the rampant use of social media, the accessibility of information about individuals, and the increasing difficulty of relying purely on technical weaknesses, social engineering continues to grow in popularity year on year.

Naturally, we're left with the next question.

What Are The Different Types Of Social Engineering?

There are five types of social engineering attacks. Namely, email phishing, voice phishing, SMS phishing, social media phishing, and malicious advertising.

• Email Phishing: This type of attack relies on email as the primary attack vector. Email phishing is commonly used to entice targets to click on malicious links, download malicious attachments, or respond in a back-and-forth conversation to gain trust and steal money.
• Voice Phishing: This type of attack relies on voice calls as the primary attack vector. Voice phishing is commonly used to entice targets to respond in a back-and-forth conversation to gain trust and steal money.
• SMS Phishing: This type of attack relies on SMS as the primary attack vector. SMS phishing is commonly used to entice targets to click on malicious links that harvest credentials or install malicious mobile applications.
• Social Media Phishing: This type of attack relies on social media applications such as LinkedIn, Facebook, Instagram, X, and WhatsApp as the primary attack vector. It is commonly used as part of complex attacks that rely on back-and-forth conversations to gain trust, steal money, or gain access to the victim's computer.
• Malicious Advertising: This type of attack uses paid advertising channels to place malicious content on top of or next to legitimate and trustworthy content. Malicious advertising is commonly used to entice targets to click on malicious links that harvest credentials or install malicious software.

What Are Common Social Engineering Techniques?

Depending on the type of social engineering attack and your end goal, you may use one or more of the following techniques to trick your victims.

• Social Proofing: Social proofing is a technique used by both legitimate businesses and cybercriminals to try and instill trust in potential buyers or victims. This is done by making a product, service, or individual seem reputable through public reviews, endorsements, mutual friends, professional certifications, or other forms of brand recognition. Social proofing is commonly used in social media phishing and malicious advertisement attacks.
• Sender Spoofing: Sender spoofing is a technique that exploits technical weaknesses in communication protocols that allow cybercriminals to maliciously alter their sender information to appear as though they are a trusted individual or organization. Spoofing comes in many forms and is commonly used in email phishing, SMS phishing, and voice phishing attacks.
• Urgency And Fear: Instilling a sense of urgency and fear are extremely effective techniques to make victims perform irrational and disproportional actions. For example, if a victim believes they've made a terrible mistake, missing a meeting, a call, or underperforming in their work, they are more likely to take an immediate action to try and retify the issue. Urgency and fear are commonly used techniques in all forms of phishing attacks.
• Open-Source Intelligence: Open-source intelligence is a discovery technique where information is collected from the public web. There are a variety of manual and automated tools to assist with open-source intelligence. These tools typically scrape information from social media platforms, company websites, search engines, and news articles to discover potential targets and find personally identifiable information.
• Cognitive Bias: The exploitation of cognitive biases such as normalcy bias or confirmation bias are techniques that cybercriminals use to operate under the radar and exploit humans' natural tendency to overlook minor mistakes and "fill in the dots". For example, a slight misspelling in a domain name or a transposition of numbers in a bank account may go unnoticed if the victim isn't paying close attention to detail.

How To Social Engineer Anyone In 5 Steps

Let's go through the step-by-step process of targeting and compromising an organization through the social engineering of its employees.

Step 1. Reconnaissance And Target Acquisition

Have you ever heard the analogy about getting away from bears?

"You don't have to run faster than the bear to get away. You just have to run faster than the person next to you."

As part of this first step, we will discover who those slow runners are. We do this by using open-source intelligence to discover information about the victim organization, the individuals who work there, and which individuals have shared too much information with the Internet.

Notably, we need to try and gather as much of the following information as possible:

1. Employee Email Addresses
2. Employee Phone Numbers
3. Employee Full Names
4. Employee Job Titles
5. Employee Geographic Locations
6. Employee Skills, Job History, Hobbies, & Browsing Habits

In support of obtaining this information, some or all of the following activities should be performed:

Step 1.1. Scan Organizational Assets

The best way to discover information about an organization is to actively scan its public-facing assets to discover all its domains, public-facing websites, and IP addresses.

Once a comprehensive list of assets is gathered, you can begin extracting information. As it relates to social engineering, a key asset to scan is the organization's primary public-facing website. In particular, it's important to scrape any personally identifiable information about employees, ideally using an automated tool such as Scrapy.

Step 1.2. Scan Search Engines

Search engines are great tools for discovering an individual's internet footprint. If a person has created an online moniker and mistakingly associated it with their name, you can see the forums or online communities they frequent. Using this information, you can build a profile of an individual's browsing habits, preferred tools, or hobbies.

The best way to scan search engines for specific information is to use Google Dorks, which refers to the use of advanced searching techniques to locate precise information that would be difficult to find using traditional search.

Step 1.3. Scan Social Media Platforms

It's amazing how much information people list on their publicly accessible LinkedIn, Twitter, Facebook, and Instagram profiles.

If we use LinkedIn as an example, most people list their full name, current employer, previous employers, rough geographic location, skills, and technologies they're familiar with. All of this information can be scraped and weaponized.

Step 1.4. Phish For Information

Phishing for information is a particular type of phishing attack in which, in its simplest form, we want to entice the victim to respond to an email. By responding to an email, you can achieve several goals. First, you can confirm that the email address is active and monitored. Second, you can extract the email signature to gather the victim's name and job title. Finally, you can extract email headers to identify email security technologies.

Step 1.5. Scan Dark Web Data Dumps

As a last resort, to put together a profile of victim browsing habits, preferred tools, and even hobbies, you can use public tools such as Have I Been Pwned to scan an email address and output what data breaches that email address has been associated with, along with how recent the breach was.

At the conclusion of all these activities, you should have a comprehensive list of target information. You can use this list to narrow down and sort by who your ideal targets are based on the information collected.

Step 2. Infrastructure, Content, And Persona Development

Now that we have a target list, it's time to build the infrastructure, content, and persona that will be used to compromise these individuals. The full list of what's needed as part of this step can vary, so we'll focus on the common components.

Step 2.1. Infrastructure Development

Depending on what your goal is, you may need to build, lease, or acquire certain infrastructure to facilitate social engineering attacks. Below, we've detailed what may be required based on the type of attack being performed:

• Domain Name: The domain to be used as the email sender address (Email Phishing).
• Email Server: The server or platform to be used to deliver phishing emails (Email Phishing).
• VoIP Number: The number to be used when contacting targets (Voice Phishing).
• SMS Number: The number to be used when contacting targets (SMS Phishing).
• Social Media Account: The account to be used when contacting targets (Social Media Phishing).
• Advertiser Account: The account to be used when contacting targets (Malicious Advertising).
• Web Server: The server to be used to harvest credentials (All Attack Types).
• Command & Control Server: The server to be used to control compromised machines (All Attack Types).

Step 2.2. Content Development

Depending on the type of attack being performed and the end goal, you may need to develop content that is used at various stages of the attack lifecycle. Below, we've detailed what type of content may be required:

• Message Templates: The content used to entice victims into interacting with a payload (Email, SMS, Social Media & Malicious Adertisement Phishing).
• Text To Speech Phrases: The set of phrases to be pre-recorded using an AI voice generator or voice cloning technology that will be used to build trust between the attacker and victim (Voice Phishing).
• Website Templates: The cloned website that masquerades as a legitimate service and captures sensitive information such as login credentials.

Note: Looking for some content ideas? Take a look at the CanIPhish phishing email library and phishing website library.

Step 2.3. Persona Development

For complex phishing attacks where there is a back-and-forth conversation, potentially spanning days or even weeks, there needs to be a strong element of trust.

Trust can be developed through a variety of means, but the most effective is through social proofing. Social proofing can apply to both individuals and organizations. Let's explore this in more detail:

Social Proofing For Individuals

If you, as the attacker, are masquerading as a trustworthy individual, you'll need to invest time into social proofing your fake online identity. It can take months or even years to social proof an online persona to the extent that it's ready to be used as part of a social engineering attack.

For example, when social proofing a LinkedIn account, you'll need to:

• Develop an activity history spanning months or years (e.g., liking posts, re-sharing posts, creating posts, sharing achievements).
• Connect with mutual connections of the victim prior to initiating a connection request with them.
• Develop supplementary social media profiles such as Twitter, Instagram, GitHub, or Facebook accounts to strengthen the overall online persona.

Social Proofing For Organizations

If you, as the attacker, are masquerading as a trustworthy organization as part of a malicious advertising campaign, you'll need to invest time into social proofing the fake business. This can include:

• Creating a fake business website.
• Gathering public testimonials or referrals on third-party review websites.
• Astro-turfing forums or message boards with your fake brand or business.
• Developing supplementary social media profiles for employees who work at the organization.

Step 3. Multi-Pronged Social Engineering (Payload Delivery)

Once you acquire your targets and develop your infrastructure, content, and persona, you're ready to begin social engineering!

Based on the information you've collected about the individual, you can deliver highly specific phishing content that relates directly to the individual, and you can do this over multiple forms of communication over a staggered period of time which could be weeks or months.

If we look at the potential information gathered earlier, let's walk through how each component assists with initial payload delivery:

• Employee Email Addresses: This enables the delivery of phishing emails.
• Employee Phone Numbers: This enables the delivery of SMS phishing and voice phishing.
• Employee Full Names: This enables the discovery of social media profiles and allows you to address the target by their first and last name directly.
• Employee Job Titles: This allows you to understand their job function, which influences the type of phishing content they're likely to fall victim to (e.g., finance workers are prone to phishing emails with fake purchase orders, IT workers are prone to phony recruitment messages, etc.).
• Employee Geographic Locations: This allows you to understand the opportune time for delivery based on timezone and enables the delivery of specific phishing content based on local services the victim may use.
• Employee Skills, Job History, Hobbies, & Browsing Habits: This allows you to understand the victim's background and influence the type of content they're delivered based on what they likely already receive (i.e., allowing you to exploit cognitive biases).

Time, persistence, and determination are key when it comes to social engineering attacks. In many cases, your first attempt to social engineer an individual will fail, but with each failure, you can refine, improve, and strengthen future attempts.

Nation-state threat actors are tremendously successful with social engineering because they are persistent in their endeavors. They continue and continue, increasing the sophistication and complexity of their attacks until someone falls victim.

Step 4. Victim Compromise (Payload Detonation)

Simply having a victim detonate a payload doesn't equate to them being compromised or your end goal being achieved. If we use the MITRE ATT&CK Enterprise Matrix as a reference, we're now at the Execution phase of our attack lifecycle.

To transition from payload detonation to victim compromise, you need to:

• Obtain Persistent Access: There are a variety of ways to do this, but the most common methods as it relates to social engineering are:
• • Abuse stolen credentials for a cloud service.
  • Authorize a malicious OAuth application.
  • Create a malicious mail forwarding rule such that the attacker can reset passwords at their discretion.
  • Install a logon or boot initialization script on the compromised endpoint.
• Laterally Move: To obtain as much access to systems and data as possible.
• • Exploit access to shared company resources such as file transfer servers.
  • Exploit other employees through internal spearphishing attacks leveraging the compromised employee's identity.
  • Compromise administrator credentials through the theft of passwords stored in memory or shared password stores.
  • Compromise secret keys stored in source code.

Step 5. Goal Acquisition

Finally, we are at the finish line! You've compromised your victim, gained persistent access, and laterally moved around to elevate privileges and gain as much access as possible.

When conducting red-team operations or penetration tests, you've reached goal acquisition when you've captured the virtual flag established in your scoping document. Typically, this involves the exfiltration of whatever information that flag holds, taking screenshots along the way to evidence goal obtainment, and taking screenshots of the steps you took to get where you did.

So now that we know how to social engineer anyone, let's look at what you can do to protect yourself against social engineering attacks.

How To Protect Against Social Engineering

To protect yourself against social engineering attacks, you need to ensure you're following several security best practices, namely:

• Use strong, unique passwords: Strong passwords decrease their likelihood of being brute-forced, and unique passwords protect against credential shuffling attacks, which rely on using one compromised password to compromise several services where the password is re-used.
• Enable multi-factor authentication: This almost entirely mitigates the risk of phishing attacks that steal credentials. Even if a password is stolen, the secondary authentication credential is still secure if phishing-resistant MFA is used.
• Stay aware of social engineering techniques: Spoofing, social proofing, exploitation of cognitive biases, and the use of urgency and fear are all common techniques used by the different types of social engineering attacks. Regular training should be undertaken so you know how to consciously and sub-consciously spot these techniques.
• Implement data security controls: If your organization is large enough, it's just a matter of time before an individual is compromised. A key differentiator between an individual being compromised and the organization as a whole being compromised is whether the attacker can laterally move and achieve their objective. By implementing strong data encryption and access control policies, you can significantly reduce the likelihood of your organization being compromised.
• Implement defensive security technologies: Threat actors will use every opportunity available to them; they will target computers, cloud applications, social media accounts, and mobile phones to gain access to an individual. Wherever possible, you should ensure employees properly separate their work assets from their personal assets. You should then ensure all communication over these work assets is monitored.
• Promote a no-blame cyberculture: In some cases, when a victim detonates a phishing payload, they realize what's happened. In cases such as these, it's absolutely crucial that the victims feel comfortable with reporting the attack and that they fell victim to it. If this no-blame cyberculture isn't adhered to, you'll miss out on these opportunities to respond to the attack before it can escalate further.