Social Engineering – Facts, Myths and Countermeasures
Eakan Gopalakrishnan
School of Electronics and Computer Science, University of Southampton
eg5g09@ecs.soton.ac.uk
Abstract
There are several ways of stealing information;
most of them, done by exploiting the technical factors
of security and some, by exploiting the non-technical
factors. Social Engineering is a hacking technique that
relies on weaknesses in humans rather than software
systems and it has proved to be much cheaper, safer
and effective way of stealing information than
technical hacking. This aspect of security has gained
focus only in recent years and there has not been any
foolproof solution to prevent a social engineering
attack. Social engineers are often professional hackers
who combine their technical skills with soft skills to
achieve the information that they require. This
technical report takes a deeper look into the research
that has been done in this and related fields and lists
out various methods taken and weaknesses exploited
by a social engineer and also provides a list of
countermeasures that can possibly be taken to deal
with it.
1. Introduction
Threats to information are mainly of three types:
technical, physical and human in nature and today, we
are in the third generation of the information security
evolution, which has evolved from its initial focus,
which was on the security of the technology, to focus
on process related security and now, to the current
focus on the human element that manages or uses the
technologies and processes in place. This shift in focus
has only happened because of the realization that
technology and processes are only as good as the
humans that use them [2].
In simple words Social Engineering also called
“human hacking” was made famous by Kevin Mitnick.
His book [5] describes various methods of human
hacking through a series of anecdotes. His life and
stories made out of incidents in his life [15] [16] give
very detailed descriptions of how simple phone calls
could help in retrieving highly sensitive and
confidential information from a variety of sources.
In the next few sections the impacts, methods,
concept of social engineering and some
countermeasures shall be elaborated.
2. Social Engineering and its Impacts
Incidents till date have shown that attacks often
result in network outage like denial of service or fraud,
identity theft and industrial espionage [4]. Even the
FBI has been a victim of such social engineering
attacks; Robert Hanssen case [17], proves that even the
best of security measures cannot prevent social
engineering attacks.
The financial losses that a social engineering attack
could cause can be very high, in fact insurers are
beginning to cover losses arising through security
breaches. Small to medium sized companies could
even go bankrupt due to such attacks. But the cost of
reputation and goodwill of the company is the biggest
impact of any security breach; be it technical or non
technical; but non-technical attacks often leave a
company humiliated, with negative media publicity,
possible legal proceedings or settlements, increase in
surveillance and interference from regulatory
authorities, fines and other regulatory consequences.
3. Motivation for Attack
Motivation for social engineering attacks or any
hacking attack could be similar to that of any other
crime. Some of them are: i)Wealth: the financial gain
achieved through the attack. ii)Curiosity: personal
interest in the field of hacking, or mere curiosity to
know how things work. iii)Revenge: for satisfying
egocentric desires because of bitter experience caused
by someone or a previous employer.
4. Methods of Attack
A typical Social Engineering attack involves i) a
thorough background information collection of the
target company or person ii) use of the background
information to attain further details mostly through
impersonation techniques iii) the next step would either
lead to the required information or back to step 2. This
loop can go on many times The attacks can be
classified in many ways but one particularly good way
of doing it is into two broad classes [4]: i) human
based approach through face-2-face (Direct)
interactions to force the victim to give information and
ii) technology based (indirect) approach that deceives
the user through electronic communication.
4.1. Direct Approach
Hackers often have good people skills. In the direct
approach the hacker creates a psychological situation
or environment for getting information through direct
interaction. This can be done in several ways and some
of them are listed here [4] [8] [1] [14] [7]: i)Friendship:
obtaining information by being a friend of a potential
victim. This makes use of the human weakness of
complying readily with people they know.
ii)Impersonation: creating a character and playing out a
role to deceive and obtain information. iii)Conformity:
making use of the fact that if you behave like everyone
else, you’ll be considered one of the herd; also known
as social proof, often used to convince an employee
that other employees have complied to the request.
iv)Responsibility diffusion: convincing an employee
that their colleagues have complied to the request in
spite of that being a breach of the security policy,
thereby making the employee feel it’s not just him who
would be responsible. v)Decoy: exploiting the human
weakness of being able to focus on one thing at a time.
Creating distractions that mislead others, targets are
distracted from their usual security focus. vi)Reverse
Social Engineering [18]: getting the target come and
offer the attacker what he requires. This technique
requires a great deal of preparation and research
beforehand. The decision to comply with this type of
attack is mostly because of the reciprocity rule; the act
of returning a favour. vii)Commitment: people tend to
agree to further requests of the attacker if they are in
keeping with prior commitments. viii)Scarcity: people
value opportunities that are less available. Target can
be pressurised to give out information when he thinks
help from normal channels is only available for a
limited time. This is also used in phishing mails where
limited time offers are given. ix)Authority:
impersonating someone with authority. Human
weakness of obedience to authority works here.
x)Sympathy: An attacker eliciting that he needs help
can win over a target’s sympathy and gradually
achieve what he wants. xi)Guilt: an attacker could
convince their victims that he would suffer greatly if
they didn’t comply to his request, thereby making them
feel guilty for his situation and giving out sensitive
information. xii)Equivocation: The method of
deliberately creating ambiguity or uncertainty in the
request which starts out sounding reasonable to the
victim and turns out to be something else.
xiii)Ignorance: Impersonating someone who knows
little, like a new comer who does not know how things
work. xiv)Affiliation: name dropping, proclaiming
association with collective organizations reduces the
victim’s suspicion on the attacker’s motives. xv)Road
Apple: the attacker leaves something like a CD or
portable storage medium, which looks legitimate and
also like it was classified as top secret or intriguing
where the target might find it and would possibly try
and use it. On running, it would install a Trojan or sort
and collect information that is required and send back
to the attacker. xvi)Desktop Hacking: usually done
when targets forget to lock their desktop systems and
leave for a while, the attacker uses the opportunity to
take a sneak peek into the target’s files for information.
The methods listed above are mostly psychological
tactics of persuasion. Generally a hybrid of the above
mentioned attacks are used to obtain sensitive
information. Different methods are used depending on
factors like the source of information, the level of
security that it is stored in, etc.
4.2. Online Method
Although social engineering is mostly done in
person, it can also be done using the internet. While the
direct approach focused on obtaining trust and getting
sensitive information like passwords from the person
with consent, such methods often focus on getting
passwords without consent. One weakness that makes
this method very successful is that many users often
keep the same password for all their accounts including
financial institutions.
Some of the ways in which this can be done are: [4]
[7] i)Awards: attackers send out enticing offers or
“awards” and ask the user to enter their personal
information. ii)Pop-up windows: duplicate windows
resembling the originally intended web site could pop
up and make the victim unknowingly type in login
information to this new pop up window. iii)Network
Sniffing: monitoring network traffic for passwords;
mostly done by gaining confidence of someone who
has authorized access to the network. iv)Email: emails
containing malicious software that collect user
information without the user’s knowledge. v)Phishing:
this is a popular form of social engineering which
involves using email and web sites that look like those
of well known businesses or institutions to deceive
users into disclosing information. There are different
variants of phishing too. vi)Harvesting Social
Networks: use freely available personal information
from social networking web sites. vii)Instant
Messaging and IRC software often allow running
complex scripting and dynamic content this is also
used by attackers.

4.3. Background Information Collection
Before attempting a social engineering attack a lot
of background information is to be collected [9] [4]
[7]. Some of the ways of doing this are listed as
follows: i) Research on Available Sources: most of the
background information required to prepare for the
attack is often or almost always available online.
Searching an open source of information like the web
is the best way to obtain background information about
a person or a company. ii)Dumpster Diving: This is the
method of collecting information without interacting
with people and by just searching in individual or
company dumpsters that might contain sources of vital
information like phone books, address books, official
calendars, invoices, system manuals, printed source
code, storage devices, policy manuals, etc..
5. Previous Models of Social Engineering
The closest research work associated in this area is
in the area of Trust. Trust is subjective. The decision to
trust someone or not may be intentional, or
subconsciously taken. The Click and Whirr approach
[12], [13], [14] is an easy method of manipulating
trust. Humans have a tendency to automatically
respond to stimuli, fixed action patterns, which can be
activated by a trigger feature. The phrase Click and
Whirr is explained in [14] as “Click and the
appropriate tape is activated, whirr and out rolls the
standard sequence of behaviours”. Humans tend to
comply to a request if a reason is also given with it,
even if that makes no sense. The “because” triggers the
standard sequence of behaviours. The contrast
principle is the key to persuasion, which states if there
exists a difference between two things, we tend to see a
greater difference than that actually exists. A
persuasive request should resonate within their
audience; should stimulate stored impressions, hopes,
fears and desires, by suggestion. A person’s
compliance to another person’s request can be
understood in terms of human tendency to shortcut
response [11]. This set of standard responses often
depends on the trust involved. If the attacker attains the
target’s trust then he is likely to get what he requested
for. This trustworthiness of an attacker is again
dependent on four factors: benevolence, reputation,
performance and appearance of the attacker; where
benevolence is about the perception of good or bad
intentions, reputation is about the past deeds,
performance is about the external features, dress,
worldly possessions or lack of it, and actions. In fact
the social engineer is not the real opponent when it
comes to complying with a request; the attacker only
triggers the weaknesses in humans that result in a
favourable response; which explains why humans are
truly the weakest links in a security system.
6. Why it still works?
An attacker should possess skills and tools
necessary for the attack, like a good opportunity to
execute the attack and have a motive behind the attack.
When all three factors are in place, the attack is almost
always successful. Humans tend to act or take
decisions according to three factors, the user, the
technology and the environment/context in which the
interaction takes place as explained previously in
section 4.1 and 4.2 [3]. Psychological factors like
credibility, pressure, in-attention etc. help in deceiving
a person.
According to [5] potential targets are usually: those
who are unaware of the value of information, those
who have special privileges, organizations that
manufacture hardware of software, specific
departments that have potentially valuable information.
Now that would mean that anyone who has access to
any part of the system would be a potential target.
Even today technologies like firewall are given more
than required attention while people and processes are
being overlooked partially or completely. Mitnick
sums it up as “You could spend a fortune purchasing
technology and services...and your network
infrastructure could still remain vulnerable to old-
fashioned manipulation.” This vulnerability is mostly
due to lack of awareness of such attacks among
employees of organization; due to the fact that some
organizations underestimate such social engineering
attacks and often ignore this in their employee security
awareness programs.
Humans always tend to retain their weaknesses in
spite of training or awareness, thus there still lies an
opportunity for the attacker.
7. Countermeasures
D. Cragg developed a multi-level defence
mechanism against social engineering attacks [10];
which is indeed the best defence strategy against social
engineering; so that even if a hacker penetrates one
level, he would be stopped at the other. It has levels
that address specific categories of people, environment
and technology, that includes spreading awareness [6],
setting up a good security policy, providing resistance
training to individuals who does key support jobs,
putting up a call back servicing policy for requests to
helpdesk pertaining to authorization or password
change, secret or bogus questioning policy for help
desk personals and methods to finally respond to an
attack. And for security policy designers, Technique
for Human Error Rate Prediction be used [3]to
quantify the vulnerability levels in different system-
human setups.
8. Conclusion
Humans are prone to making errors and as social
engineering is an attack on human weaknesses it is
quite impossible to prevent such attacks. Human
factors research has provided many contributions to
reduce human errors. Incorporating such techniques by
conceptualizing the system as an inter-related
mechanism of humans, technology and environmental
factors and by creating a multilevel defence strategy
would help in mitigating social engineering attacks
even though its risk cannot be completely eliminated.
9. References
[1] P. O. Onkeyi, T.J. Owens, “On the Anatomy of Human
Hacking”, Information Security Systems, Vol. 16, no.6, pp.
302-314, Nov 2007
[2] M. Dontamsetti, A. Narayanan, “Impact of Human
Element on Information Security”, Social and Human
Elements of Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 1,
Chapter 3, pp. 27-42.
[3] R. West, C. Mayhorn, J. Hardee, J. Mendel, “The
Weakest Link: A Psychological Perspective on Why Users
Make Poor Security”, Social and Human Elements of
Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 1,
Chapter 4, pp. 43-60.
[4] L. Laribee, “Development of Methodical Social
Engineering Taxonomy Project”, Thesis at Naval
Postgraduate School, Monterey, California, June 2006
[5] K. Mitnick, W.L. Simon, “The Art of Deception:
Controlling the Human Element of Security”, John Wiley and
Sons, October 2002
[6] C. Rhodes, “Safeguarding against Social Engineering”,
East Carolina University, 2007,
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.
5142&rep=rep1&type=pdf
[7] M Nohlberg, “Social Engineering: Understanding,
Measuring and Protecting Against Attacks”, Thesis Proposal,
University of Skovde, Sweden, June 2007.
[8] R. Gulati, “Threat of Social Engineering and your defense
against it”, GIAC Security Essentials Certification Practical
Assignment, SANS Institute 2003,
“http://cnscenter.future.co.kr/resource/security/hacking/1232.
pdf”
[9] Granger, S. (2001) “Social engineering fundamentals,
Part I: Hacker tactics”, Cited on 9 November
2009, “http://www.securityfocus.com/infocus/1527”
[10] D. Gragg, “A Multi-Level Defense against Social
Engineering”, SANS Reading Room, 2003,
“http://southwestans.com/Resources/docs/social/A%20Multi-
Level%20Defense%20Against%20Social%20Engineering.pd
f”
[11] P. Sztompka, “Trust: A Sociological Theory”,
Cambridge University Press, 1999
[12] S. Chen, S. Chaiken, K. Duckworth, “Motivated
Heuristics and Systematic Processing”, Psychological
Inquiry, Vol 10, No.1, 1999,
“http://www.jstor.org/pss/1449522”
[13] R.E. Petty, D.T. Wegener,”Thought Systems, Argument
Quality and Persuasion”, Advances in Social Cognition :
Content, Structure, Operation of Thought Systems, Vol. 4,
LEA, Chapter 8, pp. 147-162
[14] R.B. Cialdini, “Influence: Science and Practice”,
“http://www.influenceatwork.com/Media/RBC/Influence_SP
.pdf”, 2001
[15] J. Littman, "The Fugitive Game: Online with Kevin
Mitnick", Little Brown and Company (Canada) Limited,
1997
[16] J. Markoff, "Takedown: The Pursuit and Capture of
America's Most Wanted Computer Outlaw", 1995
[17] Robert Hanssen sentenced to Life Prison, Chicago
Tribune, 4th July, 2001.
http://www.encyclopedia.com/doc/1G1-120411617.html
[18] E. Nelson, R. “Methods of Hacking: Social
Engineering,” the Institute for
Systems Research, University of Maryland, 2001.
10. Bibliography
[19] C. Pfleeger, S. Pfleeger, Security in Computing, 4th
Edition, Pearson Education Inc, 2006.
[20] S. McClure, J. Scambray, G. Kurtz, Hacking Exposed 6
: Network Security Secrets and Solutions, McGraw Hill
Publishers, 2009.
[21] K. Mitnick, W. Simon, The Art of Intrusion – The real
stories behind the Exploits of Hackers, Intruders and
Deceivers, Wiley Publishing, 2006.
[22] G. Notoatmodjo, “Exploring the Weakest Link: A study
of personal password security”, Thesis submitted at
University of Auckland, New Zealand, December 2007

[23] J. Rusch, “The ‘social engineering’ of Internet fraud”,

Paper presented at the 1999 Internet Society's INET'99
conference,“http://www.isoc.org/isoc/conferences/inet/99/pro
ceedings/3g/3g_2.htm”

[24] M. Gupta, R. Sharman, Social and Human Elements of

Information Security: Emerging Trends and
Countermeasures, Information Science Reference, 2009.