Social Engineering (AQA GCSE Computer Science): Revision Notes
Social engineering
What is social engineering?
Social engineering is one of the biggest cybersecurity threats because it targets the weakest link in any computer system - people! Instead of trying to hack through technical defences, criminals use social engineering to manipulate and trick people into giving away information or doing things they wouldn't normally do.
The key idea is that criminals exploit our natural tendency to trust others and want to be helpful. They create believable scenarios that make people feel they should cooperate, even when they're actually being tricked.
The psychological aspect of social engineering makes it particularly dangerous. Criminals study human behaviour and emotions to craft convincing scenarios that bypass our logical thinking and trigger emotional responses like fear, urgency, or the desire to help others.
Types of social engineering attacks
Blagging (pretexting)
Blagging, also called pretexting, is when a criminal creates a fake scenario to trick someone into giving away information or performing actions they shouldn't.
How blagging works:
- The criminal contacts the victim by phone or face-to-face
- They pretend to be from a trusted organisation like a bank, insurance company, or IT department
- They create an urgent or convincing reason why they need information
- They might claim to be a network administrator, police officer, or company employee
- The victim believes the story and provides sensitive information
Real-World Example: Bank Impersonation
A criminal calls someone claiming to be from their bank's fraud department. They say: "We've noticed suspicious activity on your account and need to verify your identity immediately to protect your money. Can you please confirm your full card number and the 3-digit security code on the back?"
The victim, worried about their account security, provides the information. The criminal now has everything needed to make fraudulent purchases or access the account.
Remember: Legitimate organisations will never ask for sensitive information like passwords, PINs, or full card numbers over the phone. Always hang up and call the organisation directly using their official number.
Phishing
Phishing is probably the most common type of social engineering attack you'll encounter. Criminals use fake emails, text messages (SMS), and websites that look genuine to steal your personal information.
How phishing works:
- Criminals send fake emails or texts that appear to be from legitimate companies
- These messages often claim there's a problem with your account that needs "urgent" attention
- They include links that take you to fake websites that look like the real thing
- When you enter your login details on these fake sites, the criminals capture them
- They can then use your real login details to access your actual accounts and steal money or identity
When phishing is done through SMS text messages, it's sometimes called smishing (SMS + phishing). The tactics are similar, but the delivery method is different.

The phishing email pictured here is a real example that tries to look like it is from PayPal. Notice how it creates urgency by saying the account is "limited" and asks the victim to click a suspicious link.
Identifying Phishing Red Flags
Look at this suspicious email claiming to be from a bank:
- Generic greeting: "Dear Customer" instead of your actual name
- Urgent language: "Your account will be closed in 24 hours"
- Suspicious sender: The email comes from "bank-security@gmail.com" instead of an official bank domain
- Spelling errors: "Verifiy your account" instead of "Verify"
- Suspicious link: Hovering over the link shows it goes to a completely different website
These warning signs indicate this is a phishing attempt, not a legitimate communication.
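The red flags listed above can be checked automatically. The Python script below is an added example, not part of the original revision notes: it takes a constructed sample email modelled on the one described (the sender address, wording and links are all made up for this illustration), and reports each warning sign it finds. The list of the bank's genuine domains is a hypothetical placeholder, and the link check compares the domain the link text shows with the domain the link actually points to, which is what "hovering over the link" reveals.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the red flags described in the notes.
SAMPLE_EMAIL = {
    "from": "bank-security@gmail.com",
    "subject": "Urgent: Verifiy your account",
    "body_html": (
        "<p>Dear Customer,</p>"
        "<p>Your account will be closed in 24 hours unless you verifiy your details.</p>"
        '<p><a href="http://login-check.example.net/verify">www.examplebank.co.uk/login</a></p>'
    ),
}

# Hypothetical list of the organisation's genuine domains (an assumption for this example).
OFFICIAL_DOMAINS = {"examplebank.co.uk"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")
URGENCY_PHRASES = ("immediately", "24 hours", "will be closed", "urgent", "suspended")
COMMON_MISSPELLINGS = {"verifiy": "verify", "acount": "account", "recieve": "receive"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def strip_tags(html):
    """Crude tag removal; good enough for keyword checks on a small message."""
    return re.sub(r"<[^>]+>", " ", html)


def domain_of(url_or_text):
    """Return the host of a URL or of bare text such as 'www.host/path', minus 'www.'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = urlparse(url_or_text).hostname or ""
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    return " " not in text and "." in text


def find_red_flags(email, official_domains=OFFICIAL_DOMAINS):
    """Return a list of human-readable warnings for the message, empty if none found."""
    flags = []
    text = strip_tags(email["body_html"]).lower()
    subject = email["subject"].lower()
    sender_domain = email["from"].rsplit("@", 1)[-1].lower()

    if sender_domain not in official_domains:
        flags.append(f"suspicious sender domain: {sender_domain}")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        flags.append("generic greeting")
    urgent = [p for p in URGENCY_PHRASES if p in text or p in subject]
    if urgent:
        flags.append("urgent language: " + ", ".join(urgent))
    words = set(re.findall(r"[a-z]+", text + " " + subject))
    for wrong in sorted(words & set(COMMON_MISSPELLINGS)):
        flags.append(f"spelling error: '{wrong}' for '{COMMON_MISSPELLINGS[wrong]}'")
    parser = LinkExtractor()
    parser.feed(email["body_html"])
    for href, shown in parser.links:
        target = domain_of(href)
        if looks_like_url(shown) and target != domain_of(shown):
            flags.append(f"link text shows {domain_of(shown)} but goes to {target}")
        elif target not in official_domains:
            flags.append(f"link goes to unofficial domain: {target}")
    return flags


if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run on the sample message it reports all five warning signs from the list above; run on a genuine message (official sender domain, personal greeting, no urgency, no misleading links) it reports nothing. Heuristics like these are how mail filters score suspicious messages, but they are a supplement to, not a replacement for, the human checks in the notes.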
Shouldering (shoulder surfing)
Shouldering or shoulder surfing is a simple but effective technique where criminals watch people enter their passwords, PINs, or other sensitive information.
How shouldering works:
- Criminals position themselves where they can see your screen or keypad
- They watch as you type in passwords, PINs, or other sensitive information
- This might happen at cash machines, in checkout queues, or even when you're using your laptop in public
- They can use recording equipment to capture what you're typing
- The information is then used to access your accounts later
This is why you'll often see asterisks (*) instead of the actual characters when you type a password - it helps protect against shoulder surfing by hiding what you're actually typing.
Preventing social engineering attacks
The most important defence against social engineering is education and awareness. Once you understand how these attacks work, you're much less likely to fall for them.
Here are the key steps to protect yourself:
Verify before you trust
Maintaining a healthy scepticism is crucial whenever you receive unexpected communications or requests for information.
- Always check that emails are genuinely from who they claim to be
- Look carefully at email addresses - criminals often use similar but not identical addresses
- Look out for spelling mistakes and poor grammar, which often indicate fake messages
- If in doubt, contact the organisation directly using a phone number or website you trust
Critical Rule: Never trust contact information provided in a suspicious message. Always use official contact details you've found independently from the organisation's verified website or official documentation.
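"Similar but not identical addresses" is easier to spot with an example. The Python below is added here and is not part of the original notes: it compares a sender's domain against a hypothetical list of trusted domains and labels the common tricks, such as swapping a letter for a look-alike digit, hiding a trusted name inside a longer unrelated domain, or rearranging a couple of letters. All addresses and domains used are constructed for the illustration.

```python
# Hypothetical list of trusted domains; a real filter would use the organisation's own list.
OFFICIAL_DOMAINS = {"examplebank.co.uk", "paypal.com"}

# Characters and pairs that look like other letters in many fonts.
# Note the trade-off: "rn" -> "m" also changes legitimate words, so this is a heuristic, not proof.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain):
    """Lower-case the domain and replace look-alike characters with the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def classify_sender(address, official=OFFICIAL_DOMAINS):
    """Describe how the sender's domain relates to the trusted list."""
    domain = address.rsplit("@", 1)[-1].lower()
    norm = normalise(domain)

    # Exact match, or a genuine subdomain such as alerts.examplebank.co.uk.
    for good in sorted(official):
        if domain == good or domain.endswith("." + good):
            return "official"

    # Same name once look-alike characters are undone, or the trusted name buried in a longer domain.
    for good in sorted(official):
        if norm == normalise(good):
            return f"lookalike of {good}: character substitution"
        if good in domain:
            return f"lookalike of {good}: trusted name embedded in another domain"

    # A couple of letters swapped, added or removed.
    for good in sorted(official):
        dist = edit_distance(norm, normalise(good))
        if dist <= 2:
            return f"lookalike of {good}: {dist} edits away"

    return "unrelated"


if __name__ == "__main__":
    for sender in ("alerts@examplebank.co.uk", "security@examp1ebank.co.uk",
                   "support@examplebank.co.uk.account-check.net", "team@examplebnak.co.uk",
                   "bank-security@gmail.com"):
        print(f"{sender:50} -> {classify_sender(sender)}")
```

A domain that is flagged as a lookalike is exactly the case the notes describe: close enough to pass a quick glance, but not the organisation's real address, so the message should be verified through an independently found contact route.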
Be cautious with links and downloads
Protecting yourself online requires careful consideration of every link you click and file you download.
- Never click on links in suspicious emails, especially if they claim to be urgent
- Instead of clicking email links, go directly to the company's official website
- Never download files from sources you don't completely trust
- Always verify that an email is legitimate by contacting the sender through another method
Protect your physical privacy
Social engineering isn't just digital - protecting yourself in physical spaces is equally important.
- Always cover your hand when entering PINs at cash machines or chip-and-PIN terminals
- Be aware of who might be watching when you're typing passwords in public
- Never give out your PIN over the phone, even if the caller claims to be from your bank
Consider your surroundings when entering sensitive information. Coffee shops, airports, and other public spaces are common locations for shoulder surfing attacks.
Stay alert to urgency tactics
Criminals often try to pressure victims into making quick decisions before they have time to think clearly.
- Be suspicious of any message that demands immediate action
- Legitimate organisations rarely require urgent responses to avoid account closure
- Take time to think before responding to unexpected requests for information
Warning: Urgency is a red flag. Legitimate organisations understand that security takes time and will never pressure you to provide sensitive information immediately. When in doubt, take a step back and verify independently.
Key Points to Remember:
- Social engineering targets people, not technology - criminals exploit trust and helpfulness to bypass security systems
- The three main types are blagging (pretexting), phishing, and shouldering - each uses different methods but all aim to steal information
- Education and awareness are your best defences - understanding these attacks makes you much less likely to fall victim
- Always verify before you trust - check email addresses, contact organisations directly, and be suspicious of urgent requests
- Protect your privacy both online and offline - cover your PIN when typing and be aware of who might be watching your screen