This short module opens with a video of a social engineering professional showing off her skills, then moving on to some psychological principles and tactics underlying social engineering approaches. Next, it includes a brief activity asking students to a consider how a social engineer might get their credit card number. Finally, it opens into a discussion about how likely it is these techniques would work on the class, and mitigation strategies.

Note: This section builds on many of the open source intelligence techniques examined in the Targeted harassment and doxxing module.

Prerequisites

Threat modeling
(Good to know) Targeted harassment and doxxing

Estimated time

35-40 minutes

Objectives

Upon successful completion of this lesson, students will be able to identify key social engineering tactics, as well as mitigation techniques.

Why this matters

Many attacks require little or no technical knowledge, and can be conducted by simply talking to people. Beginning journalists should understand that there are malevolent actors out there who will pretend to be someone they're not (whether a friend, or an authority), in order to take advantage of access they or their newsroom may have.

Homework

(Before class) Listen to this episode of the "Darknet Diaries" podcast, about stories from a social engineering professional: "Alethe"

Sample slides

Social engineering (Google Slides)

Activities

  • Watch this short video from CNN with Rachel Tobac, a social engineering professional: Watch a CNN reporter get hacked
  • Have students think through how they might be able to social engineer their way into their own university transcripts.
  • Have students identify the possible psychological principles in play in two separate videos featuring social engineering attacks. (Video 1; Video 2)

Questions for discussion

  • If Rachel tried to do this to you, would it have worked? What steps could you have taken to prevent this attack?

    Note: This question is intended to get students to consider how their personal data can be used in such attacks.
  • What kind of data is publicly available about yourself that could make Rachel's job easier?
  • How would you realistically make this harder for her?