Social Engineering – Part 2 | Computer-Based and Mobile-Based Attack Techniques (Plus Popular Tools)
Explore the most dangerous computer-based and mobile-based social engineering attacks like phishing, smishing, QR-code scams, and more. Learn the top tools hackers use and how SOC teams can defend against these evolving threats.
Table of Contents
- Quick‑Glance Overview
- Why Computer‑ and Mobile‑Based Social Engineering Matters
- Computer‑Based Social Engineering Techniques
- Mobile‑Based Social Engineering Techniques
- Real‑World Incident Spotlight
- Defensive Playbook for Computer and Mobile Attacks
- Takeaways
- Frequently Asked Questions (FAQs)
In Part 1 we covered the core ideas and human‑based tricks behind social engineering.
Today, we move to digital territory: how attackers use computers and phones to fool people at scale. You’ll learn the main attack types, see real‑world examples, and get a list of tools defenders (and testers) need to know.
Quick‑Glance Overview
Category | Key Attacks | Typical Tools | Primary Targets |
---|---|---|---|
Computer‑Based | Email phishing, spear phishing, whaling, watering‑hole, malicious links, drive‑by downloads, QR‑code phishing | GoPhish, Social‑Engineer Toolkit (SET), Evilginx2, King Phisher, Zphisher | Office staff, executives, remote workers |
Mobile‑Based | Smishing (SMS), malicious apps, fake OS updates, SIM swapping, mobile QR scams | SMS‑Spoofing Gateways, APKTool, MobSF, Caller‑ID spoof services | Everyday smartphone users, BYOD employees |
Why Computer‑ and Mobile‑Based Social Engineering Matters
- Email and SMS remain the #1 initial access vector in data‑breach reports.
- People check phones 150+ times a day—attackers know your guard is down on mobile.
- Cloud tools mean one stolen password can unlock multiple applications.
Computer‑Based Social Engineering Techniques
Email Phishing (Spray‑and‑Pray)
Attackers send mass emails with fake invoices, shipping notices, or tax forms.
Goal: trick users into clicking a malicious link or opening a booby‑trapped attachment.
Spear Phishing
A targeted version of phishing. The email is personalized with names, job titles, or recent projects.
Example: An email to HR that references a real job posting and asks them to open a “candidate résumé” (malware).
Whaling
Spear phishing for senior executives (the “big fish”). Often requests wire transfers or confidential reports.
Watering‑Hole Attack
Hackers compromise a website frequently visited by the target group (e.g., an industry forum) and inject malicious code that triggers drive‑by downloads.
QR‑Code Phishing (Quishing)
Victims scan a QR code in a PDF or poster, believing it leads to Microsoft 365 login or an event page, but it redirects to a phishing site.
Malicious Links & Drive‑By Downloads
Hidden links in ads or pop‑ups auto‑download spyware when you visit the page with an outdated browser.
Popular Tools Used (Blue & Red Teams)
Tool | Purpose | Typical Use Case |
---|---|---|
GoPhish | Open‑source phishing framework | Security‑awareness campaigns, red teaming |
SET (Social‑Engineer Toolkit) | Generates spear‑phish emails, malicious web pages | Pen‑testing, demo attacks |
Evilginx2 | Reverse‑proxy tool to steal session cookies (bypass MFA) | Advanced phishing kits |
King Phisher | Simulates phishing for training | Measures click‑rate & credential theft |
Zphisher | Quick phishing‑page generator | Proof of concept, learning labs |
Mobile‑Based Social Engineering Techniques
Smishing (SMS Phishing)
Fake texts from “delivery companies” or “banks” contain links to credential‑harvesting sites or malicious apps.
Malicious Mobile Apps
Attackers hide spyware or banking trojans inside seemingly harmless apps (flashlight, QR scanner, game mods).
Fake OS or Play‑Store Updates
Pop‑ups urge users to “install urgent security patch,” but the APK is malware.
SIM Swapping
Criminals trick or bribe telecom staff to port your phone number to a SIM they control, intercepting MFA codes.
Mobile QR‑Code Scams
QR codes on posters or emails redirect to fake wallet apps or payment pages.
Key Mobile Toolkits & Services
Tool / Service | Use | Why It Matters |
---|---|---|
SMS Spoof Gateways | Send SMS with fake sender ID | Common in large smishing blasts |
MobSF (Mobile Security Framework) | Analyze malicious APKs/IPA files | Blue‑team detection |
APKTool | Reverse‑engineer Android apps | App auditing, malware research |
Caller‑ID Spoof Services | Fake caller numbers for vishing | Impersonates banks/IT help desk |
Real‑World Incident Spotlight
Case (2025): A global logistics firm was hit by a spear‑phishing email crafted with info from LinkedIn.
- Payload: Link to an Evilginx2 server that proxied the real Microsoft 365 login.
- Outcome: MFA bypass via stolen session cookie → attacker accessed SharePoint, exfiltrated invoices → launched ransomware.
- Lesson: Even MFA isn’t bulletproof without robust session‑management alerts.
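The lesson above calls for session‑management alerts. As an added example (not part of the original article), this Python detection flags a session token that is later used from a different network or client than the one that satisfied MFA. The event fields and sample rows are constructed assumptions, not a real Microsoft 365 log schema.

```python
from ipaddress import ip_network

# Constructed sample events (not real logs); field names are assumptions.
# "mfa" marks the request on which the MFA challenge was satisfied.
EVENTS = [
    {"ts": "2025-03-04T09:01:12Z", "user": "a.khan", "session": "s-1001",
     "ip": "198.51.100.24", "ua": "Edge/122 Windows", "mfa": True},
    {"ts": "2025-03-04T09:05:40Z", "user": "a.khan", "session": "s-1001",
     "ip": "198.51.100.77", "ua": "Edge/122 Windows", "mfa": False},
    {"ts": "2025-03-04T09:07:03Z", "user": "a.khan", "session": "s-1001",
     "ip": "203.0.113.9", "ua": "python-requests/2.31", "mfa": False},
    {"ts": "2025-03-04T09:10:00Z", "user": "b.ortiz", "session": "s-2002",
     "ip": "192.0.2.15", "ua": "Safari/17 iOS", "mfa": True},
    {"ts": "2025-03-04T09:30:00Z", "user": "b.ortiz", "session": "s-2002",
     "ip": "192.0.2.15", "ua": "Safari/17 iOS", "mfa": False},
    {"ts": "2025-03-04T10:00:00Z", "user": "c.lee", "session": "s-3003",
     "ip": "203.0.113.50", "ua": "Chrome/122 Linux", "mfa": False},
]

def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so address churn inside one site is ignored."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def find_session_anomalies(events):
    """Alert when a session token is used from a network or client other than its MFA baseline."""
    baseline = {}  # session id -> (network, user agent) recorded when MFA was satisfied
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, ctx = ev["session"], (network_of(ev["ip"]), ev["ua"])
        if sid not in baseline:
            if ev["mfa"]:
                baseline[sid] = ctx
                continue
            reasons = ["no MFA sign-in recorded"]
        else:
            net, ua = baseline[sid]
            reasons = [label for label, changed in
                       (("new network", ctx[0] != net), ("new user agent", ctx[1] != ua))
                       if changed]
        if reasons:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(EVENTS):
        print(alert)
```

In production the /24 comparison would usually be replaced by ASN or geolocation lookups, and an alert would trigger session revocation rather than only a log entry.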
Defensive Playbook for Computer and Mobile Attacks
Defense Layer | Action Items |
---|---|
User Training | Phish‑simulation drills, QR‑scam awareness, “hover over link” habit |
Email Security | SPF, DKIM, DMARC; attachment sandbox; link‑rewriting gateways |
Endpoint Protection | Behaviour‑based anti‑malware, browser isolation, mobile EDR |
MFA Hardening | Use number‑matching push or FIDO2 keys; monitor abnormal session tokens |
Mobile Policy | Block sideloading, enforce app‑store vetting, disable SMS for password resets |
Threat Intel | Subscribe to IOC feeds for popular phishing kits and smishing domains |
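The Email Security row depends on SPF, DKIM and DMARC results being read correctly during triage. As an added example (not from the original article), this Python parser reads the `Authentication-Results` header and trusts only the copy stamped by your own gateway, because a sender can include a header of the same name. The hostname `mx.corp.example` and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: the authserv-id your own gateway stamps

# Constructed sample message (not a real email). The first Authentication-Results
# header comes from the trusted gateway; the second arrived with the message.
RAW = """\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=billing.example.net;
 dkim=none; dmarc=fail header.from=corp.example
Authentication-Results: mail.sender.example; spf=pass; dkim=pass; dmarc=pass
From: "IT Help Desk" <helpdesk@corp.example>
Subject: Password expiry notice

Please review the attached notice.
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)

def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Return spf/dkim/dmarc results taken only from the trusted gateway's header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())                # unfold continuation lines
        authserv, _, rest = value.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted:
            continue                                    # sender-supplied header: ignore
        for method, result in METHOD_RE.findall(rest):
            results.setdefault(method.lower(), result.lower())
    return results

def classify_raw(raw, trusted=TRUSTED_AUTHSERV):
    """Classify a raw message as 'pass', 'suspect' or 'unverified'."""
    results = auth_results(message_from_string(raw), trusted)
    if not results:
        return "unverified", results   # the trusted gateway never evaluated it
    if results.get("dmarc") == "pass":
        return "pass", results
    return "suspect", results

if __name__ == "__main__":
    print(classify_raw(RAW))
```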
Takeaways
Computer‑ and mobile‑based social engineering scales globally—one phishing kit can hit millions in minutes.
But simple controls—email filtering, user awareness, MFA best practices, and mobile EDR—cut risk dramatically.
Up Next
In Part 3 of this series we’ll tackle Social Engineering Countermeasures—from technical safeguards to policy‑driven user education that actually sticks.
FAQs
What are computer-based social engineering attacks?
These are cyber attacks that rely on computer systems like emails or websites to deceive users into revealing sensitive information.
What is spear phishing?
Spear phishing is a targeted email attack that appears personalized to trick specific individuals into clicking malicious links or revealing credentials.
What is a watering-hole attack?
It’s when hackers compromise a trusted website that the target frequently visits and plant malicious code to infect users silently.
How does Evilginx2 work in phishing attacks?
Evilginx2 acts as a reverse proxy to capture session cookies during login, bypassing multi-factor authentication (MFA).
What is smishing in mobile-based attacks?
Smishing is SMS-based phishing where attackers send fake messages containing malicious links or prompts to install malware.
Can QR codes be used in phishing?
Yes, attackers embed malicious URLs in QR codes, tricking users into scanning and opening fake login or payment pages.
What is the Social Engineer Toolkit (SET)?
SET is a popular open-source framework used to create fake emails, web pages, and payloads for penetration testing and awareness training.
What is whaling in social engineering?
Whaling targets top-level executives with highly customized phishing emails to steal high-value information or initiate financial fraud.
How do attackers use fake mobile apps?
They disguise malware as legitimate apps like flashlights or games, which steal user data or access banking credentials.
What is a drive-by download attack?
It’s when a user’s system gets infected just by visiting a compromised website—no clicks required.
Which tools help simulate phishing campaigns?
Tools like GoPhish, King Phisher, and Zphisher are widely used by security teams to simulate and test phishing awareness.
What is a SIM swapping attack?
An attacker convinces a telecom provider to transfer a victim’s phone number to a SIM they control, intercepting OTPs and calls.
Can mobile QR code scams steal data?
Yes, scanning malicious QR codes can redirect users to credential-harvesting or malware-hosting pages.
What tools help analyze mobile malware?
MobSF, APKTool, and Frida are commonly used to analyze and reverse engineer malicious Android apps.
What is M365 Direct Send phishing?
This technique uses Microsoft 365’s Direct Send feature to deliver internal-looking phishing emails without account compromise.
Why is MFA sometimes bypassed in phishing?
Phishing kits like Evilginx2 can capture session tokens that allow access even after MFA has been completed.
What are red team phishing tools?
Red teams use tools like SET, GoPhish, Evilginx2, and Zphisher to simulate real-world phishing attacks for testing security readiness.
How can organizations prevent QR phishing?
By educating users, scanning QR code content before visiting it, and implementing browser isolation on mobile devices.
What is vishing in mobile social engineering?
Vishing uses phone calls to impersonate IT staff or banks, tricking users into revealing information or installing software.
What is Zphisher used for?
Zphisher is a quick-deploy phishing page generator used in labs and red-team testing scenarios.
How does caller ID spoofing assist attackers?
Attackers fake trusted numbers (like banks or companies) to make victims believe the call is legitimate.
Why are mobile users easy targets for phishing?
Mobile users are often distracted, have limited screen space, and are more likely to tap without inspecting links.
What should SOC teams monitor in mobile traffic?
They should watch for sideloaded apps, unusual SMS patterns, and mobile browser behavior to detect threats early.
What does GoPhish do?
GoPhish allows security teams to create and manage phishing campaigns to test employee resilience.
Can phishing be prevented entirely?
While not entirely preventable, strong awareness training, layered defenses, and updated security tools significantly reduce risk.
How do drive-by attacks work silently?
They exploit browser vulnerabilities that auto-execute malicious code upon page load.
What is the role of APKTool in cybersecurity?
APKTool is used to decompile Android APKs to inspect or modify app behavior, especially for malware analysis.
How are spoofed emails identified?
Email headers, SPF/DKIM/DMARC validation, and anomaly detection tools help identify spoofed senders.
Why do attackers use urgency in messages?
Creating panic increases the chance of victims acting quickly without verifying authenticity.
Is mobile EDR necessary in 2025?
Yes, with the rise of mobile threats, enterprise-grade endpoint detection and response (EDR) on phones is critical.