> [!abstract] In short: Social engineering is psychological manipulation, a con artist's playbook, used to trick people into revealing confidential information or taking actions that compromise security. It targets human nature, emotions, habits and vulnerabilities rather than the technology.

## What it is

Social engineering deceives people instead of breaking systems. It exploits human nature: our emotions, our habits, our willingness to trust and to help. The uncomfortable truth behind it is simple.

> [!quote] Humans are the weakest link in security.

## What a long con looks like

Imagine you work for a big company that an attacker wants to get into. They find you on a dating app like Tinder, read your interests, and notice from what you've shared that you might be in a vulnerable spot. They take advantage of it, posing as a wonderful, devoted person who would do anything for you, until you hand over or reveal what they actually came for. Sometimes it escalates into real life, with in-person meetings. All of it is part of a long, patient con.

The point: the attack may not look like an attack at all. It can look like attention, romance, or help.

## A real case: the Antwerp diamond heist

In 2007, a man known as **Carlos Hector Flomenbaum** walked out of the ABN Amro bank in Antwerp's diamond district with roughly 120,000 carats of diamonds, worth around $28 million. The bank had a $2 million security system. He never had to touch it.

His method was pure social engineering. He posed as a diamond trader and spent about a year becoming a familiar, well-liked regular: friendly, charming, bringing the staff chocolates. That patience earned him something no exploit could: the bank trusted him enough to grant him VIP access to the vault, the kind given to a select few traders. Using that legitimate access, he emptied five safe deposit boxes after hours, with no forced entry and no alarm.
The identity was fake (the passport had been stolen in Israel years earlier), his real name was never confirmed, and neither he nor the diamonds were ever recovered.

> [!quote] Why it belongs here:
> The most expensive part of the defense, the $2 million system, was completely bypassed, because the attacker was let in through the front door by people who liked him. Chocolates beat the vault.

![](https://www.youtube.com/watch?v=qXBH8RBahOI)

## How it works

Five fundamental techniques:

> [!info] Phishing: Pretending to be a legitimate entity or person, making the message look as real as possible (often with a spoofed display name or a look-alike sender domain) to capture usernames, passwords, card numbers and so on. Variants include **spear phishing** (targeted at a specific person), **smishing** (via SMS) and **vishing** (via voice calls).

> [!info] Pretexting: Inventing a scenario to engage the victim or push them into an action. For example, posing as IT support calling about a "security issue" that needs immediate verification of credentials.

> [!info] Baiting: Leaving USB devices near someone's workplace and waiting for a person to pick one up, plug it into a work computer and infect it. Curiosity does the rest.

> [!info] Tailgating: Exploiting politeness or someone in a rush to slip into a secure area without a badge, just because the person ahead held the door open.

> [!info] Quid pro quo: Offering a benefit in exchange for information or access. Classic example: calling employees while posing as tech support, offering to "fix" a problem in return for their login.

## Impact

- Data breaches
- Financial losses
- Reputation damage
- Operational disruption

## Defenses

Defenses are mostly people-focused, because the target is the human, not the system.

- **Security awareness training** so people recognize the techniques above.
- **Simulated phishing campaigns** to practice in a safe setting.
- **Clear identity-verification procedures** before sharing anything sensitive: confirm the request over a channel you already trust, such as a number from the internal directory, never the one supplied in the message itself.
- **A culture where employees feel safe questioning suspicious requests**, even ones that appear to come from "the CEO".

Technical controls like MFA, email filtering and endpoint protection help too, but they support good human judgment rather than replace it. They also have limits of their own: one-time-code MFA can be phished in real time by a relay in the middle, so phishing-resistant factors (hardware keys, passkeys) are the ones worth the effort.

> [!tip] Every other security layer assumes the attacker has to break something. Social engineering skips all of it by asking nicely. That's why the strongest defense isn't a tool, it's a person who feels allowed to say "let me verify that first."
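As an added example (not code from the original note), here is what the "email filtering" control looks like at its simplest: a heuristic that flags the fake-CEO request pattern described above, using the same signals a careful human would check. The display name is compared against a directory of real executive addresses, the sender domain is checked for look-alike spelling, a Reply-To pointing somewhere else is flagged, and pressure language in the subject or body is noted. `TRUSTED_DOMAIN`, the `EXECUTIVES` directory and every message in `SAMPLES` are constructed for illustration.

```python
"""Heuristic triage for executive-impersonation phishing.

Added example, not code from the original note. TRUSTED_DOMAIN, the
EXECUTIVES directory and every message in SAMPLES are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"          # assumption: the company's own mail domain
EXECUTIVES = {                          # assumption: a tiny directory of real sender addresses
    "jane doe": "jane.doe@example.com",
    "omar patel": "omar.patel@example.com",
}
# Pressure language typical of "the CEO needs this now" requests.
URGENCY = re.compile(r"\b(urgent|immediately|right now|wire|gift cards?|confidential)\b", re.I)
# Substitutions attackers use to build look-alike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Return the domain as the eye reads it (examp1e.com -> example.com)."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for catching one-character typosquats like example.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """The trusted domain itself or any subdomain of it."""
    d = domain.lower()
    return d == TRUSTED_DOMAIN or d.endswith("." + TRUSTED_DOMAIN)


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when `domain` reads like `trusted` but is not it."""
    d = domain.lower()
    if d == trusted:
        return False
    return normalize(d) == normalize(trusted) or levenshtein(d, trusted) <= 1


def assess(raw: str) -> list:
    """Return the impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    flags = []
    # The display name is what people read; the address is what matters.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append("display-name impersonation")
    if from_domain and not is_internal(from_domain) and is_lookalike(from_domain):
        flags.append("look-alike domain")
    # Replies silently routed to a different mailbox than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        flags.append("reply-to mismatch")
    body = msg.get_payload()
    if not isinstance(body, str):   # multipart: headers alone are enough here
        body = ""
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        flags.append("pressure language")
    return flags


# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 planning\n\nLet's meet Tuesday.\n",
    "freemail": ("From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: Urgent request\n\n"
                 "I am in a meeting. Buy gift cards right now and keep this confidential.\n"),
    "lookalike": ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jdoe.payments@outlook.com\n"
                  "Subject: Wire transfer\n\nProcess the attached invoice immediately.\n"),
    "vendor": "From: Sam Lee <sam@vendor-example.net>\nSubject: Invoice 1042\n\nAttached as agreed.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {assess(raw) or ['clean']}")
```

The point of the design is the last sentence of the section above: the script does not block anything. A flagged message is one a person should pause on and verify through a trusted channel, and an unflagged one is not proof of legitimacy, since a patient attacker can avoid every signal here (a registered domain with no look-alike spelling, no urgency words, a plausible name that is not in the directory).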