Social engineering refers to a broad range of malicious methods of tricking, manipulating and exploiting people into performing actions or divulging sensitive information they otherwise wouldn’t.
Rather than breaking into a system by exploiting a technical flaw, a social engineer uses techniques such as phishing or spear-phishing to lure the target into performing the action the attacker wants.
Social engineering attacks can be targeted at a specific individual or organization, or generic and opportunistic. Which approach an attacker takes depends on the motive behind the attack. An attacker who wants to harvest credentials in bulk, to resell them or to commit fraud, will probably choose a method such as mass phishing that scales out cheaply. An attacker interested in breaching the defenses of one particular organization is more likely to spear-phish its staff, or to phone them while impersonating an authority figure.
In a targeted attack, a social engineer typically starts with a reconnaissance phase, learning as much as possible about the target so that the eventual approach comes across as legitimate.
With that background in hand, the social engineer works to gain the victim’s trust and trick them into breaking security practice, for example by divulging sensitive information or granting access to sensitive resources. Building a believable backstory for this purpose is usually referred to as pretexting. It differs from phishing in that phishing usually pressures the target into a quick decision made without much thought, whereas pretexting relies on the trust the attacker has built up over the course of the conversation.
A typical example of phishing, one type of social engineering attack: rather than trying to guess a user’s password, the attacker simply “asks” for it by posing as a trustworthy person, say someone from the IT help desk, and directs the victim to a fake login page that captures whatever is typed into it. Provided the pretext sounds convincing enough, there is a good chance the target will unknowingly enter their password into the fake form. Such a page usually mimics the real sign-in page closely; the domain shown in the address bar and the link’s actual destination are often the only visible tells.
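The fake-login lure above works only if the link looks like it goes to the real sign-in page. The following added example (not code from the original article) shows the kind of link checks a mail gateway or user-facing link scanner applies to catch it: visible link text naming one domain while the href goes to another, typo-squats and "trusted name buried in a longer host" lookalikes, and punycode (IDN) hosts. The trusted domains, the helpers and the sample email are all assumptions constructed for the demonstration.

```python
"""Spot the deceptive links a credential-phishing email relies on.

Added example, not code from the original article. Three heuristics:
  1. the visible link text names a domain, but the href goes somewhere else
  2. the href host is a lookalike of a trusted domain (typo-squat, or the
     trusted name buried in a longer host such as example.com.evil.net)
  3. the href host contains an IDN/punycode label (xn--), common in homoglyph attacks
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the organisation's genuine login domains.
TRUSTED_DOMAINS = {"example.com", "login.example.com"}

# Matches something that looks like a URL or bare domain inside link text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host, trusted=TRUSTED_DOMAINS):
    """Return why `host` imitates a trusted domain, or None if it is trusted or unrelated."""
    host = host.lower()
    trusted_regs = {registrable(t) for t in trusted}
    reg = registrable(host)
    if reg in trusted_regs:
        return None
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode/IDN host " + host
    for treg in trusted_regs:
        # Substring check is deliberately aggressive; tune it for your own domain names.
        if treg.split(".")[0] in host:
            return f"trusted name '{treg}' embedded in unrelated domain {reg}"
        if edit_distance(reg, treg) <= 2:
            return f"{reg} is a typo-squat of {treg}"
    return None


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per suspicious link: {href, text, reasons}."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        m = _DOMAIN_RE.search(text)
        if m and host and registrable(m.group(1)) != registrable(host):
            reasons.append(f"text shows {m.group(1)} but link goes to {host}")
        why = lookalike_reason(host, trusted)
        if why:
            reasons.append(why)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: an "IT help desk" lure with three deceptive links and one genuine one.
SAMPLE_EMAIL = """
<p>Your password expires today. Sign in to keep your account active:</p>
<a href="https://examp1e.com/login">https://login.example.com/</a><br>
<a href="https://example.com.account-verify.net/reset">Reset password</a><br>
<a href="https://xn--exmple-cua.com/">example.com</a><br>
<p>Questions? Contact the <a href="https://login.example.com/help">IT help desk</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first three links are flagged (text/href mismatch plus typo-squat, embedded trusted name, and punycode plus mismatch respectively) while the genuine help-desk link passes. The heuristics are intentionally simple; a real deployment would add a public-suffix list, a reputation lookup on the destination and rendering of the landing page to compare its form action against the trusted domains.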
While a vast array of social engineering techniques exist, email phishing is by far the most common, precisely because it gives attackers good results and is easy to replicate and scale. Advanced, targeted attacks may require varying degrees of technical knowledge, but the vast majority of attacks are as simple as tricking victims into handing over their credentials. The obtained credentials may then be used for further information gathering, or as a foothold in a larger, more advanced attack such as Business Email Compromise (BEC, of which so-called CEO fraud is the best-known variant), theft of trade secrets or other financial crime.