Social engineering is the act of manipulating people into performing actions or divulging confidential information. Social engineers often use psychological techniques to exploit people's natural tendencies to trust others. According to the Verizon 2017 Data Breach Investigations Report, 23% of data breaches were caused by social engineering.
The first recorded use of the term "social engineering" was in 1876 by French engineer and sociologist Émile Durkheim. Durkheim used the term to describe the process of change and transformation that accompanied the development of Western societies and their individual cultures. Social engineering has since been used to describe a wide range of activities and techniques used to influence, manipulate, or control the behavior of individuals or groups of people.
The most common type of social engineering attack is a phishing attack. In a phishing attack,
Social engineering techniques
There are many techniques that can be used in social engineering, but some of the most common ones are:
Phishing. Phishing is a technique that involves sending fraudulent emails or text messages in order to steal personal information from the recipient. The message appears to come from a trusted source, such as a bank or credit card company, and asks the recipient to click on a link or provide login information. Once the recipient clicks the link or enters their credentials, the social engineer can access the recipient's account. Phishers often pair these messages with websites that imitate the real organization's site, in order to trick users into entering their personal information.
Baiting. Baiting is a technique that involves leaving infected USB drives or other devices in public places in order to infect the computers of unsuspecting users. The user will usually plug the USB drive into their computer in order to view the contents, at which point the malware will be installed.
Tailgating. Tailgating is a technique that involves following someone into a building without being authorized to do so. The attacker will usually wait until the victim has swiped their card or entered their PIN before following them in.
Doxing. Doxing is a technique that involves obtaining personal information about someone online and publishing it publicly. The information can be anything from their name and address to their social media profiles and bank account details.
Pretexting. Pretexting is a type of social engineering attack that involves creating a fake story or persona in order to get the victim to trust you. The goal of a pretexting attack is to get the victim to share confidential information or login credentials with you.
Quid pro quo. Quid pro quo is a type of social engineering attack that involves offering something in exchange for confidential information. The goal of a quid pro quo attack is to get the victim to share sensitive information with you in order to get something in return.
Scareware. Scareware is a type of social engineering attack that involves installing malware on a victim's computer that displays fake security alerts. The goal of a scareware attack is to scare the victim into paying for fake security software that will supposedly protect them from the malware.
Trojan horse. A Trojan horse is a type of social engineering attack that involves installing malware on a victim's computer that looks like a legitimate program. The goal of a Trojan horse attack is to get the victim to install the malware on their computer, which can then be used to steal their data or take control of their computer.
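The phishing tells described above (a sender that only looks like a trusted organization, a link whose visible text points somewhere other than its real target, an urgent request for login details) can be checked mechanically before a message reaches a reader. The script below is an added example for this article, not code from the article or from any product it mentions; the trusted-domain list, the two sample messages and the simple one-point-per-finding score are assumptions constructed for the example.

```python
"""Heuristic phishing-email triage (added example; all sample data constructed)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical set of domains this organisation treats as trusted senders.
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("immediately", "suspended", "verify your account", "within 24 hours")
_URL_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (adequate for the sample domains)."""
    parts = (host or "").lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def address_domain(header_value):
    """Domain part of 'Name <user@host>' or 'user@host'; '' when absent."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return registered_domain(m.group(1)) if m else ""


def looks_like(domain, trusted):
    """True when a domain imitates a trusted one without being it,
    e.g. 'examplebank-secure.com' or the digit-for-letter 'examp1ebank.com'."""
    if domain == trusted:
        return False
    stem = trusted.split(".")[0]
    return stem in domain.split(".")[0].replace("1", "l").replace("0", "o")


def _body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message, trusted=TRUSTED_DOMAINS):
    """Return {'score': n, 'findings': [...]}; one point per phishing indicator."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom, reply_dom = address_domain(msg.get("From")), address_domain(msg.get("Reply-To"))
    for t in trusted:
        if looks_like(from_dom, t):
            findings.append(f"sender domain {from_dom} imitates trusted {t}")
    if reply_dom and reply_dom != from_dom:  # replies silently routed elsewhere
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = _body_text(msg)
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_dom = registered_domain(urlparse(href).hostname)
        if _URL_RE.fullmatch(text):  # visible text is itself a URL: compare targets
            text_dom = registered_domain(urlparse(text if "://" in text else "http://" + text).hostname)
            if text_dom != href_dom:
                findings.append(f"link shows {text_dom} but points to {href_dom}")
        for t in trusted:
            if looks_like(href_dom, t):
                findings.append(f"link domain {href_dom} imitates trusted {t}")
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in plain or w in subject]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if re.search(r"\b(password|login|log in|credentials)\b", plain):
        findings.append("asks for credentials")
    return {"score": len(findings), "findings": findings}


# Constructed sample: a lookalike sender, a mismatched link and an urgent credential request.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@examplebank-secure.com>
Reply-To: support@mail-relay.example.net
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity. Verify your account immediately or it
will remain suspended.</p><p>Sign in at
<a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a>
with your password to restore access.</p></body></html>
"""

# Constructed sample: a routine notice from the genuine domain with a plain link.
SAMPLE_LEGIT = """\
From: Example Bank <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available in online banking:
<a href="https://www.examplebank.com/statements">View statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyse(sample)
        print(name, result["score"], *result["findings"], sep="\n  ")
```

The score is deliberately additive rather than a verdict: a single finding (a Reply-To on a different domain, say) is common in legitimate mail, while the constructed phishing sample trips every check at once. In a mail gateway the same findings would feed a quarantine rule and a user-facing banner rather than a hard block, and the lookalike test would be replaced by a proper public-suffix list and a domain-similarity measure.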
How to prevent social engineering attacks
There is no one silver bullet for preventing social engineering attacks, but there are a number of measures that organizations can take to reduce their risk. Some of the key steps that organizations can take to protect themselves from social engineering attacks include:
Educate employees about the dangers of social engineering attacks and how to spot them.
Use strong passwords and change them regularly.
Install anti-virus software and keep it up to date.
Install a firewall and keep it up to date.
Keep software up to date.
Restrict access to sensitive data to only those who need it.
Use two-factor authentication.
Regularly audit systems for vulnerabilities.
Train employees in security awareness.
Implement a security awareness program.