ISMS and Social Engineering

The human element is a key driver of 82% of information and IP breaches. This underlines the importance of a strong security awareness program.

Social engineering covers a range of malicious activities carried out through human interaction. It uses psychological manipulation to trick users into giving away sensitive information.

Social engineering attacks occur in one or more steps. The perpetrator first learns about the victim to gather background information, such as points of entry and weak security protocols. The attacker then works to gain the victim’s trust and provides positive reinforcement for further actions that break security.

The main types of social engineering are:

  • Baiting
  • Phishing
  • Spear phishing
  • Scareware
  • Pretexting

Baiting

These attacks use a false promise to exploit a victim’s greed or curiosity. They lure the victim into a trap that steals personal information or infects their systems with malware.

Phishing

These scams are email and text messages designed to create a sense of urgency, curiosity or fear. They then push the victim into revealing sensitive information, clicking on links to malicious websites, or opening attachments containing malware.
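The cues named above (urgency language, links to unfamiliar or disguised sites, dangerous attachments) can be turned into a simple triage check. The following scanner is an added example and not part of the original page; the keyword list, the trusted domain example-corp.com, the scoring weights and the two sample messages are all constructed for illustration and are not taken from any real incident.

```python
"""Heuristic phishing indicator scanner (added example, not from the original page).

Scores an email on the cues a phishing message typically carries: urgency or
fear language, links to hosts outside the organisation, link text that names
one site while the href points to another, executable or macro-capable
attachments, and an external sender. Keyword list, weights and TRUSTED_DOMAINS
are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

URGENCY_TERMS = (
    "immediately", "within 24 hours", "account suspended", "verify your account",
    "urgent", "final notice", "unusual activity", "password will expire",
)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")
TRUSTED_DOMAINS = ("example-corp.com",)  # constructed: the organisation's own domains

# Captures the host part of any http(s) URL; stops at "/", whitespace, quotes and tag/bracket delimiters.
URL_RE = re.compile(r"https?://([^/\s<>\"'\]\)]+)", re.IGNORECASE)
# Captures href and visible text of an HTML anchor.
ANCHOR_RE = re.compile(r"<a\s+href=\"(https?://[^\"]+)\"[^>]*>([^<]+)</a>", re.IGNORECASE)


@dataclass
class ScanResult:
    score: int = 0
    indicators: list = field(default_factory=list)


def _host_of(url: str) -> str:
    m = URL_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def scan_message(sender: str, body: str, attachments: list) -> ScanResult:
    """Return a ScanResult with an additive score and the indicators that fired."""
    result = ScanResult()
    lowered = body.lower()

    hits = [t for t in URGENCY_TERMS if t in lowered]
    if hits:
        result.score += 2
        result.indicators.append(f"urgency language: {hits}")

    # Every link whose host lies outside the trusted domains.
    for host in URL_RE.findall(body):
        if not _is_trusted(host.lower()):
            result.score += 2
            result.indicators.append(f"link to external host: {host}")

    # Anchor text that names a host different from the one the href points to.
    for href, text in ANCHOR_RE.findall(body):
        text_host = _host_of(text) or text.strip().lower()
        href_host = _host_of(href)
        if "." in text_host and href_host and text_host != href_host:
            result.score += 3
            result.indicators.append(f"link text/URL mismatch: {text_host} -> {href_host}")

    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            result.score += 3
            result.indicators.append(f"risky attachment: {name}")

    sender_host = sender.split("@")[-1].lower()
    if not _is_trusted(sender_host):
        result.score += 1
        result.indicators.append(f"external sender: {sender_host}")
    return result


def is_suspicious(result: ScanResult, threshold: int = 4) -> bool:
    return result.score >= threshold


SAMPLE_MESSAGES = [  # constructed for illustration
    {
        "sender": "it-support@example-corp.com",
        "body": "Reminder: the quarterly security awareness training is open until Friday. "
                "Register at https://training.example-corp.com/register.",
        "attachments": [],
    },
    {
        "sender": "security-alert@mail-verify.example.net",
        "body": "We detected unusual activity on your account. Verify your account within 24 hours "
                "or it will be locked: "
                "<a href=\"https://example-corp.com.login-check.example.net/verify\">"
                "https://login.example-corp.com</a>",
        "attachments": ["Invoice_2024.pdf.exe"],
    },
]


def scan_samples() -> list:
    return [scan_message(**m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, r in zip(SAMPLE_MESSAGES, scan_samples()):
        verdict = "SUSPICIOUS" if is_suspicious(r) else "ok"
        print(f"{m['sender']}: score={r.score} {verdict}")
        for ind in r.indicators:
            print("   -", ind)
```

The weights are deliberately coarse: a single indicator such as an external sender should not quarantine a message on its own, while a disguised link or an executable attachment is enough to cross the threshold by itself when combined with one more cue. A real deployment would feed these indicators into an existing mail gateway or SIEM rule rather than act on the score directly.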

Spear phishing

This is a more targeted version of the phishing scam. The attacker chooses specific individuals and tailors the messages to characteristics, job positions, and contacts belonging to their victims to make the attack less conspicuous. Spear phishing requires much more effort from the perpetrator and may take weeks or months to pull off. It is much harder to detect and has a better success rate when done skillfully.

Scareware

Scareware bombards the victim with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit or is malware itself.

Pretexting

The attacker starts by building trust with the victim, impersonating co-workers, police, bank and tax officials, or other persons with right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, and through those answers gathers important personal data.