Social Engineering Attacks: Physical Tactics and Psychological Manipulation

Social engineering isn't just phishing — it includes physical attacks like tailgating, shoulder surfing, and dumpster diving. Understanding these techniques is essential for the Security+ exam.

Physical Social Engineering Attacks

Tailgating (Piggybacking) — an unauthorized person follows an authorized person into a restricted area. The attacker exploits politeness or uses an excuse (forgot badge, hands full). Some Security+ material draws a distinction: tailgating is following someone in without their knowledge, piggybacking is being let in with the authorized person's consent. Mitigation: mantrap (two-door interlocking system, called an access control vestibule in current CompTIA objectives), security awareness training, and a policy that every person badges in individually.

Shoulder Surfing — observing someone as they enter credentials or view sensitive information. Can be done from a distance using binoculars or cameras. Mitigation: privacy screens, awareness training, and positioning screens away from public view.

Dumpster Diving — retrieving information from discarded materials (paper documents, old hard drives, sticky notes). Mitigation: shredding policies, secure disposal, and degaussing or physically destroying storage media. Note that degaussing only works on magnetic media; SSDs and flash drives must be cryptographically erased or physically destroyed.

For the Security+ exam, recognize these as physical security vulnerabilities that require a combination of technical controls and user awareness.

  • Tailgating: following authorized personnel into restricted areas
  • Shoulder surfing: observing credentials or sensitive information
  • Dumpster diving: collecting information from improperly discarded materials
  • Physical access controls: mantraps, security guards, CCTV, badge readers

Psychological Manipulation Techniques

Pretexting — fabricating a scenario to obtain information. The attacker creates a believable story (impersonating IT support, a vendor, or a government official) and asks targeted questions. More elaborate than phishing — may involve research and multiple interactions.

Baiting — offering something enticing to trick the victim. Examples: leaving infected USB drives labeled 'Confidential' in the parking lot, fake software downloads offering free tools, or tempting ads. The bait carries malware or leads to credential harvesting.

Quid Pro Quo — offering a service or benefit in exchange for information. Example: an attacker calls pretending to be a researcher offering a gift card in exchange for completing a survey that harvests security questions.

Watering Hole — compromising a website that the target group frequently visits. The attacker infects the trusted site so that it serves malware or an exploit to visitors. Harder to detect than direct phishing because no lure message is sent; the victim visits a site they legitimately use and trust.

  • Pretexting: fabricated scenario with research and role-playing
  • Baiting: enticing offer (free USB drive, software download) carrying malware
  • Quid pro quo: fake service or reward in exchange for information
  • Watering hole: compromising a trusted site that targets visit

Influence Tactics Used by Attackers

Social engineers exploit psychological principles: Authority (impersonating executives, law enforcement, or IT admins who expect compliance), Urgency (creating time pressure to bypass critical thinking), Social Proof (claiming others have already complied), Scarcity (limited time offer or exclusive access), Likability (being friendly and helpful to lower defenses), and Fear (threatening consequences if information isn't provided).

For the Security+ exam, be able to identify which influence tactic is being used in a scenario. The combination of authority + urgency is particularly dangerous.

  • Authority: impersonating someone with power (executive, law enforcement, IT admin)
  • Urgency: time pressure prevents careful thinking
  • Social proof: 'everyone else is doing it'
  • Scarcity: limited-time offers or exclusive access
  • Likability: friendliness and helpfulness lower the target's guard
  • Fear: threatening negative consequences

Preventing Social Engineering

Security awareness training is the primary defense. Users should recognize red flags: unexpected requests for sensitive information, pressure to bypass normal procedures, unusual sender addresses, and requests that create urgency.
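The red flags above can also be checked mechanically. The following is an added example, not code from the original page: a small Python triage function that scores a raw email for the influence tactics and anomalies discussed on this page (authority and urgency language, a request for credentials, pressure to skip procedure, an external sender whose display name borrows the company domain, and a Reply-To pointing elsewhere). The keyword lists, the trusted domain, the scoring thresholds and the two sample messages are all constructed for the demo and are assumptions, not a vetted detection ruleset.

```python
"""Heuristic triage of a suspected social-engineering email (added example)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Keyword heuristics for the influence tactics and red flags discussed on the page.
# Illustrative only; a real gateway would use tuned, much larger lists.
TACTIC_PATTERNS = {
    "authority": r"\b(ceo|cfo|executive|director|law enforcement|police|it (?:support|admin))\b",
    "urgency": r"\b(urgent|immediately|asap|right away|within the hour|before end of day)\b",
    "fear": r"\b(suspended|terminated|legal action|locked out|penalty)\b",
    "scarcity": r"\b(limited time|only \d+ left|exclusive access)\b",
    "social_proof": r"\b(everyone else|your colleagues have|already (?:completed|done))\b",
    "sensitive_request": r"\b(password|credentials|verification code|gift card|wire transfer)\b",
    "bypass_procedure": r"\b(skip|bypass) (?:the )?(?:normal |usual |standard )?(?:process|procedure|approval)\b",
}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Return the flags raised by one RFC 822 message plus a score and verdict."""
    msg = message_from_string(raw_message, policy=default)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg.get("Subject") or "") + "\n" + (body.get_content() if body else "")).lower()

    flags = [name for name, pattern in TACTIC_PATTERNS.items() if re.search(pattern, text)]

    # Sender anomalies: external domain, a display name that borrows a trusted
    # domain, or replies silently redirected to a different domain.
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        flags.append("external_sender")
        if any(trusted in display.lower() for trusted in TRUSTED_DOMAINS):
            flags.append("display_name_spoof")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply_to_mismatch")

    score = len(flags)
    if "authority" in flags and "urgency" in flags:
        score += 2  # the combination the page singles out as most dangerous
    verdict = "likely social engineering" if score >= 4 else "review" if score >= 2 else "low"
    return {"sender": sender, "flags": flags, "score": score, "verdict": verdict}


# Constructed sample messages for the demo; all addresses are fictitious.
PHISH = """\
From: "Example.com IT Support" <helpdesk@examp1e-support.net>
Reply-To: reset@collector.example.org
To: alice@example.com
Subject: URGENT: password reset required immediately

Hi Alice,

This is IT support. Your account will be suspended within the hour unless
you confirm your password at the link below. Everyone else on your team
has already completed this, so please skip the normal approval process.
"""

BENIGN = """\
From: "Bob Builder" <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?

Hi Alice, are you free for lunch on Thursday? The new place on 5th is good.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        result = triage(sample)
        print(f"{label}: {result['verdict']} (score {result['score']}) {result['flags']}")
```

Run it and the constructed phishing sample raises nine flags (authority, urgency, fear, social proof, a credential request, a bypass request, external sender, spoofed display name, mismatched Reply-To) and the authority-plus-urgency bonus, while the benign note raises none. Keyword scoring like this is a triage aid for a SOC queue or a mail filter, not a replacement for the separate-channel verification described in the next paragraphs; a well-crafted pretext can avoid every keyword here.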

Supporting controls fall into the categories the exam expects you to distinguish: administrative controls (security policies such as a clean desk policy and visitor management), physical controls (mantraps, badge access, CCTV, privacy screens), and technical controls (USB port blocking, DLP systems, shredding bins for paper and media).

Verification procedures: always verify identity through a separate channel. If someone claims to be IT support calling about an issue, hang up and call the official IT support number from the directory, not a number the caller gives you. Never trust caller ID; it is trivially spoofed, just as a sender address or display name in email can be.

  • Awareness training is the most effective defense
  • Verify identity through a separate, trusted channel
  • Security policies: clear desk, visitor badges, shredding requirements
  • Physical controls: mantraps, CCTV, badge readers, privacy filters
  • Report suspicious activity — don't ignore or engage

Exam Tip

Social engineering scenarios are common on Security+. Know the physical attacks (tailgating, shoulder surfing) vs psychological (phishing, pretexting, baiting). Influence tactics: authority + urgency is the most dangerous combination. Verification is the key defense.