
Observations on Social Engineering presentation by Warren Finch for LkNOG 6

  1. Slide 1: Evolution of Social Engineering
  2. Slide 4: Social Engineering Definition
     - "... uses psychological manipulation to trick users into making security mistakes or giving away sensitive information." Imperva (Oct 2022) https://www.imperva.com/learn/application-security/social-engineering-attack/
     - "... the art of manipulating people so they give up confidential information." Webroot (Oct 2022) https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering
     - "... a manipulation technique that exploits human error to gain private information, access, or valuables ... Once an attacker understands what motivates a user's actions, they can deceive and manipulate the user effectively." Kaspersky (Oct 2022) https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering
  3. Slide 6: https://www.newsfirst.lk/2022/10/28/massive-crypto-fraud-of-us-37-mn-uncovered-in-sri-lanka/
  4. Slide 8
  5. Slide 9: Social Engineering Principles (Reasons for Effectiveness)
     - Authority and Trust
     - Intimidation
     - Consensus and Social Proof
     - Scarcity
     - Urgency
     - Familiarity and Liking
     https://xmind.app/embed/ERb5/
  6. Slide 10: Model for Social Engineering Attacks. Wang, Z., Zhu, H., & Sun, L. (2021). Social Engineering in Cybersecurity: Effect Mechanisms, Human Vulnerabilities and Attack Methods. IEEE Access, 9, 11895–11910. https://doi.org/10.1109/ACCESS.2021.3051633
  7. Slide 11: Model for Social Engineering Attacks (continued), same reference as slide 10.
  8. Slide 12: Why does it work? Human attributes and the social engineering techniques that exploit them (https://www.academia.edu/8216745/Social_Engineering_it_s_impact_on_organization):
     - Trust (people are trustworthy, so it is easy to gain the trust of victims): Direct approach; Technical expert
     - The desire to be "helpful" (most people are kind): Direct approach; Technical expert; Voice of authority
     - The wish to get something for nothing: Chain email; SMS
     - Curiosity: Opening email attachments from unknown senders; Spam
     - Fear of the unknown, or of losing something: Popup window
     - Ignorance: Direct approach; Dumpster diving
  9. Slide 13: Doesn't matter who you are. https://www.cert.gov.lk/2?lang=en&id=3
  10. Slide 14: Doesn't matter who you are: Australian statistics for 2022
  11. Slide 15: Doesn't matter who you are: Australian statistics for 2022. https://www.scamwatch.gov.au/scam-statistics
  12. Slide 16: Doesn't matter who you are
  13. Slide 18: The art of the con (Demo)
  14. Slide 19: The Psychic Card Trick
  15. Slide 21: Pick a card, any card
  16. Slide 22: Is your card here?
  17. Slide 24: Influence of technology. https://www.dogana-project.eu/index.php/social-engineering-blog/11-social-engineering/98-se-evolution
  18. Slide 25: Social Engineering Attack Framework. Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates and scenarios. Computers & Security, 59, 186–209. https://doi.org/10.1016/j.cose.2016.03.004
  19. Slide 26: Life cycle of attack. https://www.imperva.com/learn/application-security/social-engineering-attack/
  20. Slide 27: Types of attacks (same reference as slide 25)
     - Pretexting
     - Baiting
     - Quid pro quo
     - Scareware
     - Phishing, smishing, vishing, whaling
     - Telephone-oriented Attack Delivery (TOAD)
     - Tailgating
  21. Slide 28: Phishing statistics (https://betanews.com/2022/10/13/older-generations-are-less-likely-to-click-phishing-emails/)
     - 18-39 year olds have an average click rate of 29%, which drops to 19% among older age groups.
     - 23% of male participants opened a phishing email, compared to 10% of women.
     - Public sector organizations were the most vulnerable to phishing attacks, with an average click rate of 36%.
  22. Slide 29: Social Engineering Toolkit. https://github.com/trustedsec/social-engineer-toolkit
  23. Slide 30: Social Engineering Toolkit
  24. Slide 31: Attack vectors / infection points: QRLJacking. https://www.owasp.org/index.php/Qrljacking
  25. Slide 32: Fake profiles
  26. Slide 33: Real or Not?
  27. Slide 34: Real or Not? https://this-person-does-not-exist.com/en
  28. Slide 35: Real or Not?
  29. Slide 36: Real or Not? https://drdavidhamilton.com/fake-social-media-profiles/
  30. Slide 37: How to Detect a Fake Profile
     - Profile photo: do a reverse search using the image (https://support.google.com/websearch/answer/1325808)
     - Username
     - The biography
     - Profile content
     - Number of followers
  31. Slide 38: How to Report a Fake Profile
     - Twitter: https://help.twitter.com/en/forms/authenticity/impersonation
     - Instagram: https://help.instagram.com/contact/636276399721841
     - Facebook (Meta): https://www.facebook.com/help/306643639690823
     - LinkedIn: click the More icon on the member's profile, then click Report or block.
     - TikTok: go to the profile of the account you want to report, tap the Settings icon, tap "Report" and follow the steps in the app.
  32. Slide 39: How to Report a Fake Profile. https://www.cert.gov.lk/view?lang=en&articleID=267
  33. Slide 40: Deep Fakes
  34. Slide 41: Real or Not? https://youtu.be/l_6Tumd8EQI?t=70
  35. Slide 42: Deep Fakes
     - Deepfake technology allows users to impersonate others with startling accuracy.
       - Deep video fakes (https://youtu.be/kOIMXt8KK8M)
       - Deep voice fakes (https://youtu.be/0ybLCfVeFL4)
     - Anyone can find deepfake software and services on the internet and have a relatively convincing representation of another person within minutes.
       - https://github.com/iperov/DeepFaceLab
       - https://github.com/sibozhang/Text2Video
     - Synthetic identities are created by applying for credit using a combination of real and fake, or sometimes entirely fake, information.
  36. Slide 43: Deep Fakes. https://arxiv.org/abs/2005.05535
  37. Slide 44: Deep Fakes: Text-based Editing of Talking-head Video. https://youtu.be/0ybLCfVeFL4?t=83
  38. Slide 45: Deep Fakes: "... with the help of deepfakes, fraudsters can orchestrate social engineering attacks that appear to come from a friend or colleague, that is, someone we know and trust and whose motives do not need to be questioned."
  39. Slide 46: Deep Fakes
  40. Slide 47: Questions?