TopMyGrade


CS6.2 Social engineering: blagging, phishing, pharming, shoulder surfing; how the attacker exploits human behaviour

Notes

Social engineering

Social engineering is the art of manipulating people into giving up confidential information, clicking malicious links, or taking actions that bypass technical security. It's effective because it targets humans, not systems — and humans can be tired, polite, fearful or just curious.

AQA highlights four techniques: blagging, phishing, pharming and shoulder surfing.

1. Blagging (pretexting)

The attacker invents a pretext — a plausible scenario — and uses it to extract information.

Example: a phone call claiming to be from your bank asking you to confirm your card number "to verify a suspicious transaction". The "bank" is actually a scammer.

Common pretexts:

  • IT support needing your password "to fix" a problem.
  • HMRC threatening prosecution unless you pay.
  • A delivery driver claiming you missed a parcel and need to confirm details.

Defence: never give credentials to someone who contacted you. Hang up and call back on the official number.

2. Phishing

Sending bulk fake emails that appear to come from a trusted organisation, tricking recipients into clicking malicious links or downloading malware.

Signs of a phishing email:

  • Urgent language: "Your account will be locked!".
  • Generic greeting: "Dear customer".
  • Suspicious sender address: security@bnk.co.example.
  • Links that don't match the displayed URL (hover before clicking).
  • Spelling and grammar errors.
  • Unexpected attachments.

Spear phishing is targeted phishing — the attacker has researched the victim and personalises the message.

Whaling is spear phishing aimed at executives.

Defence: don't click links in unexpected emails; type the address by hand; verify with the company.

3. Pharming

Redirects a victim from a legitimate website to a fake one, even if they typed the correct URL. Achieved by:

  • Compromising the victim's local machine (e.g. modifying the hosts file).
  • Compromising DNS so the legitimate name resolves to the attacker's IP.

The fake site looks identical and harvests credentials.

Defence: HTTPS / certificate checks (the padlock should be present and the certificate valid for the right domain), DNS security, antivirus, browser warnings.
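The hosts-file route to pharming described above can be checked for locally. The script below is an added example, not part of these notes: it parses hosts-file text and reports any entry that points a watched domain (the watch list and the sample file are constructed for illustration) at an address other than loopback.

```python
import ipaddress

# Domains worth watching (assumed list for illustration); a hosts-file entry for any of
# these is suspicious unless it points at the loopback address.
WATCHED_DOMAINS = ("mybank.example", "netflix.com")
LOOPBACK = ("127.0.0.1", "::1")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def suspicious_hosts_entries(text):
    """Return (ip, name, reason) for entries that override a watched domain or its subdomains."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "malformed address"))
            continue
        for domain in WATCHED_DOMAINS:
            if (name == domain or name.endswith("." + domain)) and ip not in LOOPBACK:
                hits.append((ip, name, f"overrides {domain}"))
    return hits

# Constructed hosts file: normal localhost entries, a harmless dev alias, and one pharming entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
127.0.0.1   dev.myapp.test
203.0.113.7 www.mybank.example mybank.example   # constructed pharming entry
"""
```

On a real machine the same check would be run over the contents of /etc/hosts (or the Windows equivalent), and a hit means the browser never asks DNS for that name at all.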

4. Shoulder surfing

Watching someone's screen, keyboard or PIN entry over their shoulder in person. Low-tech but effective in cafes, on trains, at ATMs.

Defence: privacy screens, awareness of surroundings, shielding the keypad, not entering passwords in public.

Why social engineering works

  • Authority — people obey "the boss" or "the bank".
  • Urgency — "Act now!" overrides careful thinking.
  • Reciprocity — "I'm helping you, so help me".
  • Social proof — "Everyone else has confirmed".
  • Curiosity — "Look at this picture of you?".
  • Fear — "Your account is compromised!".

Even technically savvy users fall for well-crafted attacks, especially when tired or distracted.

Worked example — phishing email

From: security@netfllix-billing.com
To: a.smith@example.com
Subject: URGENT: Your subscription will be cancelled

Dear customer,

We were unable to process your payment. Click below to update your card details.
[Click here]

Red flags: misspelled domain ("netfllix"), generic greeting, urgent tone, link to update credentials.
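The checklist under "Signs of a phishing email" and the red flags above can be turned into a simple detector. This is an added example, not code from these notes: it parses a raw email, compares the sender's domain against a small brand list using edit distance to catch look-alikes such as "netfllix", matches the wording checks, and flags links whose shown text is a different address from their target. The brand list, the phrase lists and the sample message (a copy of the worked example with an assumed link target) are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
KNOWN_BRANDS = {"netflix": "netflix.com", "paypal": "paypal.com"}  # assumed genuine domains
PHRASE_FLAGS = {  # checklist items that can be matched on wording alone
    "generic greeting": ("dear customer", "dear user", "dear member"),
    "urgent language": ("urgent", "immediately", "will be cancelled", "will be locked"),
    "asks for card details or credentials": ("card details", "password", "verify your account"),
}
MD_LINK = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")  # [shown text](target url)

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as 'netfllix'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_brand(domain):
    """Brand a sender domain imitates (within 2 edits), or None if it is the brand's own domain."""
    if any(domain == real or domain.endswith("." + real) for real in KNOWN_BRANDS.values()):
        return None
    label = domain.split(".")[0].split("-")[0]  # "netfllix-billing.com" -> "netfllix"
    return next((b for b in KNOWN_BRANDS if edit_distance(label, b) <= 2), None)

def phishing_red_flags(raw_email):
    """Apply the checklist to a raw RFC 822 message and return the red flags raised."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    brand = imitated_brand(sender_domain)
    flags = [f"sender domain {sender_domain} looks like {brand}"] if brand else []
    flags += [name for name, phrases in PHRASE_FLAGS.items() if any(p in text for p in phrases)]
    for shown, url in MD_LINK.findall(body):  # shown text that is an address but points elsewhere
        if "." in shown and shown.lower().strip() not in url.lower():
            flags.append(f"link text '{shown}' does not match target {url}")
    return flags

# Constructed copy of the worked-example email above; the link target is assumed.
SAMPLE = """\
From: security@netfllix-billing.com
Subject: URGENT: Your subscription will be cancelled

Dear customer,
We were unable to process your payment. Click below to update your card details.
[Click here](http://netfllix-billing.com/update)
"""
```

Running `phishing_red_flags(SAMPLE)` raises all four of the red flags listed above; a genuine, personally addressed message from the brand's own domain raises none.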

Pitfalls

  1. Believing only "stupid" people fall for phishing. Attacks target everyone, including IT professionals.
  2. Treating HTTPS as proof of legitimacy. A padlock means encrypted, not honest.
  3. Calling all manipulation "phishing". Phishing is email specifically; broader social engineering covers calls, in-person, etc.
  4. Forgetting shoulder surfing in public. Cafes and trains are full of casual data leaks.
  5. Failing to report. Many attacks succeed because the victim doesn't tell IT — letting the attacker keep going.

Defending against social engineering

  • User education — train staff to recognise common patterns.
  • Verification procedures — require call-backs, confirmation by another channel.
  • Reporting culture — make it easy and shame-free to report suspected attacks.
  • Technical defences — email filtering, DMARC, browser warnings.
  • Reduce attackable surface — limit who has access to sensitive data.

Quick check

Identify the technique:

  • "Hi, this is IT — I just need your password to install the patch": blagging.
  • A bulk email pretending to be from PayPal: phishing.
  • Typing your bank URL but landing on a fake site: pharming.
  • Reading your PIN at the ATM from a distance: shoulder surfing.

AI-generated · claude-opus-4-7 · v3-deep-computer-science

Practice questions

Try each before peeking at the worked solution.

  1. Question 1 (3 marks)

    Define blagging

    Define blagging (pretexting) and give one example.


  2. Question 2 (3 marks)

    Phishing red flags

    State three signs that an email may be a phishing attempt.


  3. Question 3 (4 marks)

    Pharming description

    Describe how a pharming attack works.


  4. Question 4 (2 marks)

    Shoulder surfing

    Describe shoulder surfing and one defence against it.


  5. Question 5 (2 marks)

    Why social engineering works

    Explain two psychological reasons social engineering attacks succeed.


  6. Question 6 (2 marks)

    Phishing vs pharming

    State two differences between phishing and pharming.


  7. Question 7 (3 marks)

    Defence strategy

    A school wants to defend staff against social engineering attacks. Suggest three measures.
