Cyberkiz

Social Engineering

Psychological manipulation techniques used by attackers to deceive people into revealing confidential information, granting access, or performing actions that compromise security.

Social engineering exploits human psychology rather than technical vulnerabilities. Instead of hacking a system, attackers hack people, using trust, urgency, fear, or authority to trick victims into handing over passwords, transferring money, or granting system access. Because no patch fixes human judgement, it remains one of the most common ways attackers gain their initial foothold, and it is frequently the first step in otherwise technical intrusions.

Common Social Engineering Tactics

  • Phishing — fraudulent emails or messages impersonating trusted entities
  • Pretexting — creating a fabricated scenario ("I'm from IT support, I need your password to fix an issue")
  • Baiting — leaving infected USB drives in car parks or offices hoping someone plugs them in
  • Tailgating — following an authorised person through a secure door without badge access
  • Quid pro quo — offering something (free software, tech support) in exchange for information
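Phishing and pretexting are the two tactics above that leave machine-readable traces, so they are the ones a mail filter can help with. The following is an added example, not code from the original page: it runs a few impersonation heuristics over raw e-mail headers (display name claiming a trusted brand while the sender domain does not match, a lookalike sender domain, a Reply-To that diverges from From, and urgency language). The trusted-sender table, the homoglyph map, the urgency word list and both sample messages are constructed for illustration and are assumptions of this example, not data from the page.

```python
"""Phishing impersonation heuristics over raw e-mail headers.

Added example, not part of the original page. The TRUSTED table,
the sample messages and the word lists are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list (assumption): brand keyword -> legitimate sending domains
TRUSTED = {
    "maybank": {"maybank.com.my", "maybank2u.com.my"},
    "it support": {"corp.example"},
}

# Words that pressure the reader into acting before thinking (constructed list)
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'c0m' compares equal to 'com'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one typo away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. Display name claims a trusted brand, but the address is not one of its domains
    for brand, domains in TRUSTED.items():
        if brand in name.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # 2. Sender domain is a near-miss of a trusted domain (homoglyph or single typo)
    if not any(from_domain in domains for domains in TRUSTED.values()):
        for domains in TRUSTED.values():
            for legit in domains:
                if normalize(from_domain) == normalize(legit) or edit_distance(from_domain, legit) <= 1:
                    findings.append(f"sender domain {from_domain} looks like {legit}")

    # 3. Replies are silently redirected to a different domain than the sender's
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # 4. Pressure language in subject or body
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency pressure: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail)
PHISH = """\
From: "Maybank Security Team" <alerts@maybamk.com.my>
Reply-To: verify@mail-secure.example
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain; charset=utf-8

Dear customer, confirm your details immediately at the link below.
"""

LEGIT = """\
From: "Maybank" <notify@maybank.com.my>
Subject: Your monthly e-statement is ready
Content-Type: text/plain; charset=utf-8

Your statement for March is available in the app.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", analyse(raw) or ["no findings"])
```

None of these checks proves a message is malicious on its own; a legitimate marketing platform often sets a different Reply-To, and a bank really does send "urgent" notices. The value is in combining them: a message that trips three or four of them should be routed to a human for the "pause and verify" step rather than acted on.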

Macau Scams and Love Scams

Malaysia has seen a surge in social engineering scams including "Macau scams" (callers impersonating police, bank or government officials who pressure victims into moving money, often to a so-called "safe account") and romance scams on dating platforms. These rely entirely on psychological manipulation: the caller supplies the authority and the urgency, and the victim supplies the transfer. No genuine police officer or bank will ask you to transfer money over the phone or to keep the call secret. Always verify identities through official channels before taking action: hang up and call back on the number printed on your card or on the agency's official website, never on a number the caller gives you.

Building a Human Firewall

  • Conduct regular security awareness training for all staff — not just IT
  • Establish verification procedures for sensitive requests (e.g., callback verification for fund transfers)
  • Create a culture where questioning unusual requests is encouraged, not punished
  • Run simulated phishing exercises to test and reinforce awareness
  • Teach the "pause and verify" habit: stop, think, and confirm before acting on urgent requests
