Lesson 6: Social Engineering and Insider Threats
What This Lesson Covers:
This lesson teaches you how to recognize manipulation tactics, understand internal risks, and protect your company from people who abuse trust—from external fraudsters to internal employees. This is not about firewalls or software—this is about human behavior, manipulation, and prevention.
1. What Is Social Engineering?
Social engineering is the use of psychological manipulation to trick people into giving away confidential information, performing unauthorized actions, or making mistakes. These attacks bypass technology by exploiting human emotions like urgency, fear, curiosity, or helpfulness.
💡 Example: A fraudster calls pretending to be IT support and asks you to “verify your login for maintenance.”
2. Common Social Engineering Techniques
🎣 Phishing (Email)
- Fake emails with malicious links or attachments
- Pretend to be colleagues, managers, or vendors
- Urge you to click quickly: “Your account will be suspended in 2 hours!”
📞 Vishing (Voice Phishing)
- Phone calls pretending to be HR, banks, or tech support
- Often include background noise to simulate real offices
- May ask for passwords or verification codes
💬 Smishing (SMS Phishing)
- Text messages from fake delivery services or banks
- Include tracking links or “urgent” login alerts
🧍 Pretexting
- The attacker builds a fake identity or story over time
- Appears legitimate through details: “I work with Karen in Legal.”
- Asks for sensitive access as part of their “role”
🏢 Tailgating and Piggybacking
- Following someone into the building without badging in
- Pretending to have forgotten their badge, carrying coffee so their hands are full, or simply acting friendly so you hold the door
3. The Psychology Behind It
Attackers often use these emotions:
| Emotion | Example Tactic |
|---|---|
| Urgency | “You must act now!” |
| Fear | “You’ll be fined or fired if you don’t reply” |
| Authority | “I’m calling from your bank/HR/CEO’s office” |
| Greed | “You’ve won a prize!” |
| Helpfulness | “Can you help me reset my password?” |
Awareness is your best defense.
4. What Are Insider Threats?
An insider threat is any employee, contractor, or partner who misuses access to harm the company—intentionally or accidentally.
Types of Insider Threats:
- Negligent Insiders
  - Forget laptops on trains
  - Use weak passwords
  - Email files to the wrong person
- Malicious Insiders
  - Steal data for profit or revenge
  - Install spyware or backdoors
  - Leak confidential files to competitors
- Compromised Insiders
  - Their accounts are hacked and abused by attackers
  - They are unaware they are being used
5. Real-World Cases
- 🏦 Capital One (2019): A former employee exploited a misconfigured server and stole data on over 100 million customers.
- 🏭 Tesla: A disgruntled employee installed software to exfiltrate proprietary data and sabotage internal systems.
- 📧 Twitter (2020): Social engineers tricked employees into giving access to internal tools. High-profile accounts were hijacked.
These events cost companies millions, including legal fines, PR damage, and customer loss.
6. How to Spot an Attack
| Red Flag | What to Look For |
|---|---|
| Strange sender email | Looks like your company domain but off by one letter |
| Urgent request | Says “ASAP,” “urgent,” or pressures you |
| Unusual attachment | File is an executable (.exe, .scr) or an unexpected document type |
| Confidential request | Asks for passwords, invoices, or customer lists |
| Request to bypass protocol | “Just this once,” “I’ll owe you” |
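The red-flag table above can be turned into a simple triage check. The following is an added example, not part of the lesson: it scores a constructed email against each row of the table, using an assumed company domain and assumed keyword lists; the lookalike-domain test uses edit distance so that a sender domain one or two characters away from the real one is caught.

```python
# Added example (not from the lesson): score an email against the red-flag table.
# CORPORATE_DOMAIN and the keyword lists are assumptions chosen for illustration.
import re

CORPORATE_DOMAIN = "example-corp.com"            # assumed company domain
URGENCY_WORDS = {"asap", "urgent", "immediately", "suspended"}
CONFIDENTIAL_WORDS = ("password", "invoice", "customer list", "verification code")
BYPASS_PHRASES = ("just this once", "owe you", "skip the usual")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is usually 1-2 edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(sender: str, subject: str, body: str, attachments: list) -> list:
    """Return the red flags (rows of the table above) that an email triggers."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    # Strange sender: not our domain but within two edits of it (swapped or
    # substituted letter), or our domain used as a prefix of another one.
    lookalike = domain != CORPORATE_DOMAIN and (
        edit_distance(domain, CORPORATE_DOMAIN) <= 2
        or domain.startswith(CORPORATE_DOMAIN + ".")
    )
    if lookalike:
        flags.append("lookalike sender domain")
    text = f"{subject} {body}".lower()
    if set(re.findall(r"[a-z']+", text)) & URGENCY_WORDS:
        flags.append("urgent request")
    if any(p in text for p in CONFIDENTIAL_WORDS):
        flags.append("confidential request")
    if any(p in text for p in BYPASS_PHRASES):
        flags.append("request to bypass protocol")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        flags.append("unusual attachment")
    return flags


# Constructed sample: a "CEO fraud" style message sent from a lookalike domain.
SAMPLE = dict(
    sender="ceo@examp1e-corp.com",
    subject="URGENT: invoice approval needed ASAP",
    body="Please send the customer list today, just this once, I'll owe you.",
    attachments=["details.pdf.exe"],
)

if __name__ == "__main__":
    print(red_flags(**SAMPLE))
```

Keyword lists like these produce false positives on ordinary business mail; the point is to surface messages for the human verification step in the next section, not to block them automatically.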
7. How to Respond Safely
✅ Verify any suspicious requests via an independent method. Don’t reply to the same email or caller.
✅ Report incidents immediately to your IT/security team—even if you’re unsure.
✅ Follow procedures strictly. If something “feels off,” don’t proceed.
✅ Challenge strangers trying to enter your office. Ask to see ID or badge.
8. Preventing Insider Threats as a Team
You can’t prevent all attacks, but you can reduce the risk by building a strong security culture:
- Never share passwords or leave screens unlocked
- Monitor who enters and exits the building
- Speak up if you notice unusual behavior
- Avoid discussing sensitive company matters in public places or social media
- Assume no one is immune to manipulation