Social engineering is the act of manipulating people into giving up confidential information, or access to restricted areas or systems, rather than breaking in by technical means. The information an attacker seeks can be anything from passwords to bank details, or even employee records.
Common social engineering techniques include pretexting, baiting, tailgating and, most prominently, phishing. These tactics differ from each other slightly, but all of them depend on the attacker's ability to trick the victim into trusting
1. Check Email Addresses
The display name can be set to anything, so it proves nothing; the address behind it is harder to fake, because a mail system that enforces SPF, DKIM and DMARC will reject messages that claim a domain they were not sent from. Since most companies own their domain names, attackers usually register a look-alike domain with the spelling altered slightly. In our example you can see that the domain replaces the O in 'Amazon' with an A. Read the whole domain, character by character, not just the part that looks familiar.
If an email from an unknown source is full of pushy links or buttons, be wary: they can lead to malicious software that logs your keystrokes, or to a convincing copy of a real website where the attacker can steal your
Avoiding links in unexpected emails altogether is the best practice. If the message seems to refer to an important page, open it by typing the address you already know, or by finding it through a trusted search engine, rather than clicking. If you do want to inspect a link, hover over it before clicking to reveal the real URL (on a phone, press and hold the link instead). The text shown for a link can say one thing while the address underneath points somewhere else, and it is the address underneath that matters.
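The two checks above, looking past the display name at the sender's domain and comparing a link's visible text with its real destination, can be automated. The following is an added example written for this page, not code from Boxphish or from the original infographic. It parses a constructed sample message (modelled on the 'Amazan' example), classifies the sender domain against an assumed allowlist of expected domains, and flags links whose destination is not on that allowlist or does not match the address shown in the link text. The allowlist, the sample message and the domain names in it are all assumptions for illustration.

```python
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains this organisation actually expects mail from.
TRUSTED_DOMAINS = ("amazon.co.uk", "amazon.com")


def classify_domain(domain, trusted=TRUSTED_DOMAINS, cutoff=0.8):
    """Classify a sender or link domain against the allowlist.

    Returns (verdict, matched_trusted_domain). Verdicts:
      'trusted'   exactly a trusted domain, or a subdomain of one
      'embedded'  a trusted name used as a leading label, e.g. amazon.co.uk.evil.example
      'lookalike' a near-miss spelling of a trusted domain, e.g. amazan.co.uk
      'unknown'   nothing resembling a trusted domain
    """
    domain = (domain or "").lower().rstrip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    for t in trusted:
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            return "embedded", t
    # difflib ratio >= cutoff catches one- or two-character substitutions
    close = difflib.get_close_matches(domain, list(trusted), n=1, cutoff=cutoff)
    if close:
        return "lookalike", close[0]
    return "unknown", None


def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


# A bare domain or URL written in the link text, e.g. "https://www.amazon.co.uk/refunds"
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def check_links(html):
    """Flag links off the allowlist, and links whose text shows a different host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        verdict, ref = classify_domain(host)
        m = DOMAIN_RE.search(text)
        shown = m.group(1).lower() if m else None
        findings.append({
            "href": href,
            "text": text,
            "host": host,
            "verdict": verdict,
            "looks_like": ref,
            # text displays a host that is not the real destination
            "text_mismatch": shown is not None and shown != host,
        })
    return findings


def analyse(raw_message):
    """Run the sender and link checks over one RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(str(msg["From"] or ""))
    verdict, ref = classify_domain(domain)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return {
        "sender_domain": domain,
        "sender_verdict": verdict,
        "sender_looks_like": ref,
        "links": check_links(html),
    }


def is_suspicious(report):
    return report["sender_verdict"] != "trusted" or any(
        f["verdict"] != "trusted" or f["text_mismatch"] for f in report["links"]
    )


# Constructed sample message for the example; every domain in it is made up.
SAMPLE = """\
From: "Amazon Customer Service" <refunds@amazan.co.uk>
To: you@example.com
Subject: You were double charged - claim your refund
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Our records show you were charged twice for a recent order.</p>
<p><a href="http://amazon.co.uk.refund-portal.example/claim">https://www.amazon.co.uk/refunds</a></p>
<p><a href="https://www.amazon.co.uk/help">Contact us</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("sender:", report["sender_domain"], report["sender_verdict"], report["sender_looks_like"])
    for f in report["links"]:
        print("link:", f["host"], f["verdict"], "text mismatch" if f["text_mismatch"] else "")
    print("suspicious:", is_suspicious(report))
```

Run against the sample, the sender domain comes back as a look-alike of amazon.co.uk, the first link is flagged both because its real host only embeds the trusted name and because its visible text shows a different host, and the second link passes. A fixed allowlist is the simplest possible reference; a real deployment would feed in the organisation's own expected domains and would sit behind, not replace, SPF, DKIM and DMARC enforcement on the receiving mail system.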
3. The Context
Different social engineering tactics use different levers to persuade the target into complying. In this instance, the message offers a reward in exchange for following the link, which is an example of a baiting
Other tactics may offer a service, or use urgent or threatening language to frighten the target into clicking through before they have time to think. Whatever the lever, the aim is the same: get you to act before you check.
4. Too good to be true
The biggest give-away with scam emails is that they commonly promise big, flashy prizes or large sums of
In this instance, the example does not state an amount for the refund, but it does describe a specific scenario, which means you can easily check it: look at your bank or card statement, using the bank's own app or website rather than anything in the email, to see whether you really were 'double charged' before going any further.
For more topics and training material visit the Boxphish website.