Social engineering refers to a variety of tactics used to trick people into becoming victims of cybercrime, for example by opening a malicious attachment, clicking an unsafe link, or sending money or personal information to an attacker.
Social engineering approaches are becoming very popular in cyber attacks because they typically combine psychology, deception and manipulation to exploit characteristics of human nature for advantage in the digital world. What makes social engineering powerful is that it can allow threat actors to bypass the security measures and tools an individual or organisation has put in place. In addition, carrying out social engineering attacks does not (typically) require attackers to use expensive or complex tools and technology.
There are various ways that attackers carry out social engineering schemes. Often, attackers investigate the background of their victim in an attempt to locate weak points or vulnerabilities they can leverage. They scour a would-be victim’s online presence and social networks for valuable information – information they can then use against the intended victim.
By appealing to a person’s deep emotions, such as fear, need and empathy, the attacker tries to influence the victim into acting on the attacker’s behalf or divulging sensitive information.
Some of the most familiar cyber attacks that use social engineering techniques include phishing, baiting and tailgating, among many others.
Social engineering is increasingly used by cybercriminals as an effective way to infiltrate organisations: they target employees and trick them into giving up information and credentials, which are then used to penetrate the company’s network, its IT infrastructure and sometimes even its physical buildings.
Figure: an example of a social engineering attack lifecycle (credit: https://www.imperva.com/learn/application-security/social-engineering-attack/)