Social Engineering: Understanding the Dangers
National Digital Payments Network Sdn Bhd
July 2023
07/08/2023 CONFIDENTIAL 1
Social Engineering Methods
What is Social Engineering?
The definition
“Social Engineering refers to the manipulation of individuals to obtain
confidential information or gain unauthorised access”
• Instead of exploiting technical vulnerabilities in infrastructure or software, it exploits human psychology.
• Attackers often use deceptive tactics to trick individuals into revealing sensitive information or performing actions that compromise security.
Phishing Attacks
Summary of Phishing Attacks
• The most common and prevalent form of social engineering attack.
• It involves fraudulent emails or messages designed to trick recipients into revealing sensitive information or performing malicious actions.
• Examples include email scams, fake login pages, and requests for personal or financial details.
• Phishing attacks can lead to identity theft, financial loss, and unauthorised access to systems.
Examples of Phishing Attacks
Example 1 - PayPal
Examples of Phishing Attacks
Example 2 – HTML Attachment
Pretexting Attacks
Summary of Pretexting Attacks
While Phishing relies on fear and urgency, Pretexting aims to build a sense of trust with the victim.
Attackers may impersonate colleagues, authorities, or trusted entities to deceive victims.
They often use phone calls or emails to gather sensitive information or persuade individuals to take certain actions.
Pretexting attacks can result in data breaches, unauthorized access, or compromise of our infrastructure.
Pretexting Examples
Famous Pretexting Events
• In 2006, Hewlett-Packard hired private investigators to find out whether board members were leaking news to the press. To do this, the PIs posed as board members and managed to extract their call records from phone companies.
• In 2015, Ubiquiti Networks Inc. transferred $39.1 million to a scammer posing as a trusted employee acting on behalf of top executives. This is also known as a CEO fraud scam.
• In 2017, MacEwan University transferred $9 million to a fraudster who posed as a vendor and asked staff members by email to update the vendor's payment details.
Pretexting Techniques
Common Pretexting Techniques
• Impersonation – Mimics the actions of someone else, typically a person the victim trusts, such as a friend or co-worker. This requires establishing credibility, usually done through phone numbers or email addresses of fake organizations or people.
• Tailgating/Piggybacking – Gaining unauthorised entry into physically secured locations by posing as an authorised individual, or by exploiting gaps in security controls or processes. Examples include pretending to have misplaced an access tag or posing as a vendor.
• Baiting – Lures a target into a trap to steal sensitive information or spread malware. This may involve giving them a flash drive with malware on it. The bait frequently carries authentic-looking elements, such as a company logo.
• Scareware – Overwhelms targets with messages about fake dangers. For example, a scareware attack may fool a target into thinking malware has been installed on their computer. The victim is then asked to install “security” software, which is actually malware.
2023 Phishing Tactics
New tactics used by Fraudsters to bypass filters
Translation-Based Phishing
Using Google Translate to mask the real URL
Image-Based Phishing
The email body contains no text (only an image), bypassing text-based phishing detection
Use of Special Characters
Using special characters (invisible or look-alike characters) to bypass phishing filters
Detecting Attacks
Recognising Social Engineering Attacks
• Be wary of unsolicited requests for sensitive information or financial details.
• Pay attention to email addresses, URLs, and the overall legitimacy of communication.
• Verify requests through independent channels (e.g., phone calls) rather than relying solely on emails.
• Implement multi-factor authentication for critical systems and services.
• Regularly educate employees about the latest social engineering techniques and tactics.
• If you are ever unsure, don’t be afraid to ask.
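The three 2023 tactics above and the "pay attention to email addresses and URLs" advice can be turned into automated triage on the receiving side. The following script is an added example written for this deck, not the organisation's own tooling: it parses a message, checks whether the display name claims a brand while the sending domain does not belong to it, flags links routed through Google Translate (assumed to appear as `*.translate.goog` hosts or `translate.google.com?u=`), flags link hosts containing non-ASCII characters, flags image-only bodies, and reports zero-width or soft-hyphen characters that split keywords. The `PROTECTED_BRANDS` list and the sample email are constructed for the example; every domain in the sample is a reserved example name.

```python
"""Defender-side triage checks for the phishing tactics covered above (added example, not from the deck)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Brands expected only from their own sending domains (constructed list; extend per organisation).
PROTECTED_BRANDS = {"paypal": {"paypal.com"}}

# Zero-width and soft-hyphen code points used to split keywords so text filters miss them.
INVISIBLE_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def sender_mismatch(from_header):
    """Flag a display name that claims a protected brand while the address domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in PROTECTED_BRANDS.items():
        if brand in name.lower() and not any(domain == d or domain.endswith("." + d) for d in domains):
            return f"display name '{name}' claims {brand} but sender domain is {domain}"
    return None


def suspicious_urls(html):
    """Findings for links routed through Google Translate and for link hosts containing non-ASCII characters."""
    findings = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Assumption: the Translate proxy exposes the target page under a *.translate.goog host,
        # or via translate.google.com with the target in the "u" query parameter.
        if host.endswith(".translate.goog") or (host == "translate.google.com" and "u" in parse_qs(parsed.query)):
            findings.append(f"translation-proxied link: {url}")
        if any(ord(c) > 127 for c in host):
            findings.append(f"non-ASCII characters in link host: {host}")
    return findings


def image_only_body(html):
    """True when the body embeds an image but has almost no visible text for a keyword filter to inspect."""
    visible = re.sub(r"\s+", "", TAG_RE.sub("", html))
    has_image = re.search(r"<img\b", html, re.IGNORECASE) is not None
    return has_image and len(visible) < 20


def hidden_characters(text):
    """Sorted code points from INVISIBLE_CHARS found in text."""
    return sorted({f"U+{ord(c):04X}" for c in text if c in INVISIBLE_CHARS})


def triage(raw_message):
    """Run every check over a single-part RFC 5322 message and return the list of findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part text assumed; walk() the parts for multipart mail
    findings = []
    mismatch = sender_mismatch(msg.get("From", ""))
    if mismatch:
        findings.append(mismatch)
    findings.extend(suspicious_urls(body))
    if image_only_body(body):
        findings.append("image-only body with no filterable text")
    hidden = hidden_characters(msg.get("Subject", "") + body)
    if hidden:
        findings.append("hidden characters present: " + ", ".join(hidden))
    return findings


# Constructed sample showing all the tactics at once; every domain is a reserved example name.
SAMPLE_EMAIL = (
    'From: "PayPal Service" <alerts@mail-example.invalid>\n'
    "Subject: Action re\u200bquired: verify your acc\u00adount\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body>\n"
    '<a href="https://www-example-com.translate.goog/signin?_x_tr_sl=auto"><img src="cid:notice.png"></a>\n'
    '<a href="https://ex\u0430mple.com/verify"><img src="cid:button.png"></a>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Each check is deliberately simple and independent so it can be wired into a mail gateway rule or a SOC enrichment step; a message that trips two or more of them is a good candidate for quarantine and user notification rather than silent delivery.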
Quiz
Thank You
National Digital Payments Network Sdn Bhd
Level 5, Ministry of Finance and Economy Building
Commonwealth Drive BB3910
Brunei Darussalam