In conventional social engineering, the attacker approaches the target pretending to be a user who needs help (for example, someone locked out of an account). In reverse social engineering the direction is inverted: the attacker builds a persona of authority, such as a technician or IT administrator, and arranges matters so that employees come to the attacker for assistance and volunteer sensitive information, believing they are the ones being helped.
Social Engineering vs Reverse Social Engineering
| Approach | Attacker Role | Information Flow |
|---|---|---|
| Social Engineering | Pretends to be a user who lost access | Attacker asks → Employee provides |
| Reverse Social Engineering | Pretends to be IT support / authority figure | Employee asks → Attacker receives |
The Three-Step Attack Cycle
- Sabotage: The attacker deliberately causes a fault on the victim's workstation or account (a disabled setting, a corrupted file, a bogus error), so the victim now has a problem they cannot fix themselves.
- Marketing: The attacker advertises as the solution: a business card or poster left near the desk, or a "contact support on ..." line embedded in the error message itself, so that the victim's natural next step is to call the attacker rather than the real helpdesk.
- Support: The attacker "fixes" the problem they created and, in the course of the troubleshooting conversation, asks for credentials, system details or other information. Because the victim initiated the contact and the problem is genuinely resolved, suspicion stays low.
Prevention Guidance
- Education is the most effective defence: the attack works only because the victim does not recognise that an unsolicited "helper" who appeared right after a fault is the likely cause of that fault.
- Users should never disclose passwords or other account details; legitimate IT staff do not need a user's password to resolve an issue. Any exception must be explicitly authorised by a supervisor.
- Establish official IT support channels (a published helpdesk number, ticketing address or portal) and require that every support interaction go through them. A contact number that appears in an error message, on a business card, or in an unsolicited message is not an official channel.
- Include all employees in security awareness training, not only technical staff.
- Report suspicious behaviour regardless of how authoritative the person seems; genuine staff will not object to a callback through the official channel.