What is human based social engineering?

In human-based social engineering attacks, the social engineer interacts directly with the target to obtain information, rather than relying on malware or other technical means.

An example of this type of attack would be an attacker who gathers a user's details from a social networking site and then calls the XYZ company's database administrator from a remote location, asking to reset the password on the target's account.

Human-based social engineering can be categorized as follows:

  • Piggybacking: In this type of attack, the attacker tricks authorized personnel into letting them inside a restricted area of the targeted company, such as the server room. For example, attacker X enters the ABC company as a candidate for an interview but later enters a restricted area by tricking an authorized person, claiming to be a new employee who has not yet been issued an employee ID, and using the target's ID card.
  • Impersonating: In this type of attack, a social engineer pretends to be a valid employee of the organization and gains physical access. In practice this is often carried out by wearing a suit or a duplicate company ID. Once inside the premises, the social engineer can gain valuable information from a desktop computer.
  • Eavesdropping: This is the unauthorized listening in on communication between two people, or the reading of private messages. It can be performed over communication channels such as telephone lines and e-mail.
  • Reverse social engineering: This is when the attacker creates a persona that appears to be in a position of authority. Because the target believes the attacker can help them, the target approaches the attacker and volunteers the information the attacker wants. Reverse social engineering attacks usually occur in the areas of marketing and technical support.
  • Dumpster diving: Dumpster diving involves looking in the trash can for information written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information in trash cans.
  • Posing as a legitimate end user: In this type of attack, the social engineer assumes the identity of a legitimate user and tries to get information, for example, by calling the help desk and saying, “Hi, I am Mary from the X department. I do not remember my account password; can you help me out?”

In the next tutorial, I will discuss “Computer-based social engineering”.

Thanks
