Deception is the primary mechanism in social engineering. It is used to create trust, sympathy, fear, greed, or urgency—anything to induce the victim to reveal information or do something they shouldn't. The following are some common deception techniques used in social engineering.
Posing as someone/something you're not:
- A beleaguered fellow employee who needs you to look up some information for them.
- An authority figure from a government agency or law enforcement threatening to arrest you or penalize you with stiff fines.
- A new employee, especially in a directorship position, needing your help.
- Someone from the IT department wanting you to re-enter your credentials into a newly rebuilt database.
- A vendor or systems manufacturer warning you about a critical security vulnerability and offering to send you a patch.
- A customer trying to reset their login portal password.
- A co-worker or business associate who uses insider lingo to gain trust, while asking you to perform some task for them.
- A friend or relative who is in trouble and needs your help.
- A vendor or creditor insisting that you pay a long-overdue payment.
Offering something the victim doesn't really need:
- Distributing malware disguised as free music, software, games, or funny videos.
- Offering help if a problem occurs, then causing the problem to occur so the victim calls for your help.
- Sending false pop-up windows or messages asking a user to provide credentials.
- Sending an email with an infected attachment.
- Posting a link to a malicious site on social media.
- Leaving a USB stick, memory card, or DVD containing malicious software lying around the workplace.