Glossary

Social Engineering

Social engineering is a way of attacking computer software, systems, and information by manipulating employees, third parties, and other people and groups. Rather than breaking a technical control, it tricks unwitting victims into granting attackers access through deception and scams.

Terms related to Social Engineering: Phishing, Spear Phishing, Whaling, Attack Vector, Login.

Social engineering works by convincing people that a bad actor is a legitimate, trusted source. The bad actor then persuades the victim to take an action that grants access or otherwise compromises systems and data. This type of attack is popular because it is often easier to trick a user than to overcome the technical defences against cyberattacks.

Social engineering typically works as follows:

  1. An attacker will find a target — an individual or a group of people who they want to use social engineering on.
  2. They will perform research on the target to identify potential ways to trick them — this could include finding out who their colleagues are, how the organization is structured, and which types of communications are most likely to be acted on.
  3. The attackers will then design social engineering methods that are able to exploit the target’s weaknesses. Examples might include spoofed emails, SMS messaging, or even in-person interactions.
  4. The target then “takes the bait,” providing access to the attacker who can then exploit technology further.

Common social engineering attacks include:

  • Phishing — convincing targets to enter login or other sensitive information into fake websites.
  • Malware — getting targets to inadvertently open or install malware on their computers or systems.
  • Tailgating — following someone into a secure location without presenting one’s own access code or card.

Multifactor authentication can be a very good way to reduce the risk and severity of social engineering attacks.

Social Engineering Resources from Crossmatch