1.1

Tailgating

Shoulder Surfing

Dumpster Diving

Phishing

Spear Phishing

Whaling

Vishing

Hoax

Watering Hole Attack

an attempt by an attacker to convince someone to provide info (like a password) or perform an action they wouldn’t normally perform (such as clicking on a malicious link)

Social engineers often try to gain access to the IT infrastructure or the physical facility.

commonly used to try to trick users into giving up personal information (such as user accounts and passwords), click a malicious link, or open a malicious attachment.

targets specific groups of users

targets high-level executives

(voice phishing) phone-based

uses sms(text) messaging on mobile

Unsolicited email, generally considered an irritant

SPAM over instant messaging, also generally considered an irritant

Gathering important details (intelligence) from

things that people have thrown out in their trash.

(Legal, might target individuals or organizations)

when an unauthorized individual might follow you in through that open door without badging in themselves.

strategic use of casual conversation to extract information without the arousing suspicion of the target

a criminal practice where thieves steal your personal data by spying over your shoulder

an online scam similar to phishing, where a website's traffic is manipulated, and confidential information is stolen.

use of another person's personal information, without authorization, to commit a crime or to deceive or defraud that person or other 3rd party

Prepending is adding words or phrases like “SAFE” to a malicious file or suggesting topics via social engineering to uncover information of interest.

fake invoices with a goal of receiving money or

by prompting a victim to put their credentials

into a fake login screen.

attackers trying to gain access to your usernames and passwords that might be stored on your local computer

email defense, anti-malware, EDR/XDR solutions that will check URLs and block the scripts often used to execute the attack

Techniques that do not send packets to the target; like Google hacking, phone calls, DNS and WHOIS lookups

Touches the target with packets in a non-aggressive fashion to avoid raising alarms of the target

More aggressive techniques likely to be noticed by the target, including port scanning, and tools like nmap and Metaspoit

Intentional falsehoods coming in a variety of forms ranging from virus hoaxes to fake news. Social media plays a prominent role in hoaxes today

A form of fraud in which attackers pose as a known or trusted person to dupe the user into sharing sensitive info, transferring money, etc.

Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware

a form of cybersquatting (sitting on sites under someone else’s brand or copyright) targeting users who type an incorrect website address

an attacker tries to convince a victim to give up information of value, or access to a service or system.

A social engineering attack intended to manipulate the thoughts and minds of large groups of people

Attack using a mixture of conventional and unconventional methods and resources to carry out the campaign, can use social media and fake accounts

Authority

Intimidation

Consensus

Scarcity

Familiarity

Trust

Urgency

Citing position, responsibility, or affiliation that grants the attacker the authority to make the request

Suggesting you may face negative outcomes if you do not facilitate access or initiate a process.

Claiming that someone in a similar position or peer has carried out the same task in the past.

Limited opportunity, diminishing availability that requires we get this done in a certain amount of time, similar to urgency.

Attempting to establish a personal connection, often citing mutual acquaintances, social proof

Citing knowledge and experience, assisting the to target with a issue, to establish a relationship.

Time sensitivity that demands immediate action, similar to scarcity