Social Engineering & Phishing
Not every attack targets a machine. The easiest target is often a person.
Social engineering is the psychological manipulation of people into taking actions or giving up confidential information.
Tactics
- Phishing, fake emails that look legitimate, sent to steal passwords or deliver malware.
- Smishing & vishing, the same idea over SMS (smishing) or voice calls (vishing).
- Baiting, leaving something tempting (a "free" USB drive) for a victim to pick up and plug in.
- Pretexting, inventing a believable story ("I'm from IT support") to extract information.
- Tailgating, physically following an authorized person through a secure door.
The four psychological triggers
Attackers push the same emotional buttons again and again:
| Trigger | Example line |
|---|---|
| Urgency | "Your account will be suspended in 24 hours." |
| Authority / trust | "I am the CEO, click this link and fill the form." |
| Fear | "Your account was logged in from Russia." |
| Greed | "You have won Rs 50,000 in a lucky draw." |
If a message makes you feel one of these strongly and suddenly, slow down: that feeling is the attack. Urgency exists to stop you from doing the one thing that defeats it, checking through a channel the message did not give you.
Phishing up close
Phishing uses fake messages that appear to come from a real person or organisation. Common variants:
- Spear phishing, aimed at one specific individual, using details about that person (employer, colleagues, recent activity) to make the lure convincing.
- Whaling, spear phishing aimed at "big fish": CEOs, CFOs, top executives.
- Pharming, redirecting a victim's web traffic from a legitimate site to a fraudulent one (typically via DNS cache poisoning or a tampered hosts file), so the victim lands on the fake page even after typing the correct address. Unlike the first two it is defined by its delivery method rather than its target.
Techniques to recognise
- Domain name manipulation: `google.com` vs `g00gle.com` (zeros for o's).
- URL masking: the visible text says `saarathiacademy.com.np` but the real link goes to `phisher.test`. Hover over a link, or long-press it on a phone, to see the true destination.
- Homograph attacks: letters from other alphabets that look identical, so `gооgle.com` may use Cyrillic "о" in place of Latin "o". Such a name is sent on the wire in punycode (`xn--...`), which is the form a browser may show you.
- Typosquatting: registering common misspellings, `gooogle.com`, `facebok.com`, `amazom.com`.
- Brand impersonation: copying logos and design of banks, Google, Microsoft, or government portals.
- Attachment-based: malware disguised as documents, `invoice.pdf.exe` (Windows hides known extensions by default, so this shows as `invoice.pdf`) or `report.docm` (a macro-enabled Word document).
- Email spoofing: faking the From address so a message appears to come from a trusted sender. The From header is not authenticated on its own; only a receiving domain that checks SPF, DKIM and DMARC can reject a forged one.
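To make the indicators above concrete, here is an added example (not code from the original page) that runs the same checks over constructed sample links and attachment names: visible anchor text against the real target, digit-for-letter and typosquatted domains compared with a small allow-list, mixed-script hostnames, and double extensions. The allow-list `KNOWN_DOMAINS`, the two-edit threshold and the sample inputs are assumptions for illustration, and the `.com.np` handling is a crude stand-in for a real public-suffix list.

```python
"""Heuristic checks for the phishing indicators listed above.

Added example, not code from the original page. The brand list, the
edit-distance threshold and the sample inputs are constructed for illustration.
"""
import unicodedata
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: a real deployment would load the organisation's own allow-list.
KNOWN_DOMAINS = {"google.com", "facebook.com", "amazon.com", "saarathiacademy.com.np"}
# Digits that attackers substitute for the letters they resemble (g00gle, paypa1).
CONFUSABLE_DIGITS = {"0": "o", "1": "l"}
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".docm", ".xlsm"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def decode_idna(host: str) -> str:
    """Render punycode labels (xn--...) as Unicode so homograph letters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed punycode: keep as given
        return host

def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 without a public-suffix list: the last two labels, or
    three for second-level ccTLD forms such as example.com.np (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "co", "org", "net", "edu", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_homograph(host: str) -> bool:
    """A single label mixing scripts (Latin 'g' beside Cyrillic 'о') is the classic IDN homograph."""
    for label in host.split("."):
        scripts = {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            return True
    return False

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a brand is a typosquat (facebok, amazom)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> Optional[str]:
    """Return the known brand this domain imitates, or None for a known or unrelated domain."""
    if domain in KNOWN_DOMAINS:
        return None
    candidate = "".join(CONFUSABLE_DIGITS.get(c, c) for c in domain)  # g00gle -> google
    if candidate in KNOWN_DOMAINS:
        return candidate
    # Assumption: at most two edits away from a brand counts as a typosquat.
    closest = min(KNOWN_DOMAINS, key=lambda known: edit_distance(candidate, known))
    return closest if edit_distance(candidate, closest) <= 2 else None

def check_link(visible_text: str, href: str) -> List[str]:
    """Indicators for one hyperlink; an empty list means nothing matched."""
    findings = []
    host = decode_idna(urlparse(href).hostname or "")
    target = registrable_domain(host)
    shown = visible_text.strip().lower()
    if "." in shown and " " not in shown:  # the anchor text itself looks like a URL or domain
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != target:
            findings.append(f"url-masking: text says {shown_host}, link goes to {host}")
    if is_homograph(host):
        findings.append(f"homograph: mixed scripts in {host}")
    brand = lookalike_of(target)
    if brand:
        findings.append(f"lookalike: {target} imitates {brand}")
    return findings

def check_attachment(filename: str) -> List[str]:
    """Flag executable or macro-enabled types and the invoice.pdf.exe double-extension trick."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable-type: {filename} runs as {ext}")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double-extension: {filename} poses as .{parts[-2]}")
    return findings

if __name__ == "__main__":
    # Constructed sample lures, not real messages.
    links = [("saarathiacademy.com.np", "https://phisher.test/login"),
             ("Sign in", "https://login.g00gle.com/"),
             ("Sign in", "https://g\u043e\u043egle.com/"),  # two Cyrillic о
             ("https://google.com", "https://google.com/")]
    for text, href in links:
        print(text, "->", href, check_link(text, href) or "ok")
    for name in ("invoice.pdf.exe", "report.docm", "report.pdf"):
        print(name, check_attachment(name) or "ok")
```

These are indicators, not verdicts: a legitimate newsletter often links through a tracking domain that differs from its anchor text, and a two-edit threshold will flag some honest short domains. The point is to surface the same cues the list describes so a reader (or a mail gateway) stops and verifies rather than trusting what the message shows.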
A note on the physical world
Social engineering is not only digital. RFID cloning, reading the identifier an access card transmits and writing it to a blank card, lets an attacker walk through a door they were never given a key to; many low-frequency proximity cards carry nothing but a static ID and can be copied in seconds with a handheld reader. Same principle: exploit trust in something that looks legitimate, here a door that trusts the token rather than the person holding it.
Takeaway
Technology can be patched; people cannot, but they can be trained. The defense is awareness: verify before you trust, and verify through a channel the message did not hand you (call the number on the back of your card, type the site address yourself, walk over to the colleague's desk), especially when a message is urgent, authoritative, frightening, or too good to be true.