Phishing vs. Social Engineering

gbuc40

Hello all,

I'm having difficulty understanding the exact difference. They both use manipulation to gain information, correct? For example, posing as an employee or someone of authority to gain sensitive data. Is phishing strictly using electronic means and SE by human interaction? Is that the difference?

Any help would be greatly appreciated.

Thank you,

G

ChooseLife

Phishing, as defined in Wiki, is "a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication."

Now, SE is a general term for any kind of exploitation of "human factor". While gaining sensitive information by impersonating someone is often mentioned as an example, there are many other variations of social engineering. The attacker carrying out SE may not necessarily need to impersonate anyone, nor would he necessarily obtain information as the result of successful SE attack. Successful attack in SE may mean, for example, that the target person takes a certain undesirable action (employee letting someone in without proper authorization), or - on the contrary - not taking the necessary action (security guard getting distracted and not logging an event).

Hope that makes it more clear.

gbuc40

Thanks for the reply.

So if I read that correctly, they are very similar except phishing uses electronic communication and SE does not.

If a person poses as an employee and uses that to get a password, then that is SE.

If a person poses as an employee for American Express and requests in an e-mail credit card info from an individual, that's phishing.

---edit---

Also, thank you for the additional SE examples.

ChooseLife

gbuc40 wrote: »

So if I read that correctly, they are very similar except phishing uses electronic communication and SE does not.

Not exactly. Phishing is a technique or a type of attack within the broader domain of social engineering. Generally, if it (1) impersonates a party, (2) aims at obtaining sensitive information, (3) is done electronically, than it is an SE technique known as phishing. Otherwise, it may be a different type of SE attack that may or may not have its own name. Phishing just happens to be a buzzword these days.

lordy

From my point of view there is another difference: the target.

In Phishing, for example, you just set up a website that looks like some bank and hope for anybody to enter their account details. It's like throwing a net out and hoping to make a catch, whatever it may be.

In Social Engineering however you have a specific target that you want to extract information from. For example, if you want to get the Domain-Admin password of company XYZ then you would try social engineering to get somebody in that company to give it to you.

Priston

From what I understand phishing can be one of many sub-catagories of Social Engineering. But when in comes to a testing scenario just listen to the study material your using.

Devilsbane

Social engineering is the broad category of an attack based on people. For example, asking a friend what there first best friend was might seem innocent, but then you can use that to use forgot password to hack their account.

A phishing attack is when a fake website (or email) tries to trick you into believe it is the real deal. For example, you get an email from what appears to be paypal saying that you need to verify your account or they will close it. In panic, you click on the link which takes you to a website that looks like paypal. You enter in your username and password and some other personal info, and the website saves that and then will redirect you over to paypal so you don't suspect a thing. At least until the people who put up the fake site start stealing your money.