Social Engineering

Using social engineering to manipulate people in order to obtain sensitive information.

Jun 25, 2025 · 2 min read

Social engineering is the practice of tricking people into taking actions or revealing information that they would not otherwise take or provide. In this type of attack, the perpetrators exploit human traits such as trust, helpfulness, or fear in order to manipulate people.

The perpetrators are after account data, login information, and personal or business information to use for further attacks. They pose as a government agency, a person of authority, or a trustworthy brand. They create fear and pressure to act, or appeal to people’s greed and curiosity.

For example, a person may call a company's employees and pretend to be a system administrator in order to obtain login data or to make sure the employee visits a prepared website. Attackers often act in a very coordinated manner when using this method: they use social media to collect information about employees and their preferences so they can build a personal rapport with the victim during the call, they use technical jargon, and they threaten to contact a superior if the victim objects.

Phishing e-mails are also frequently used to manipulate the recipients. These e-mails are designed to appear as if they come from a trustworthy source or person. Sometimes, they even seem to come from someone the recipient knows personally, such as their supervisor.
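A defender's counterpart to the paragraph above is a small header and body check that flags the traits a phishing e-mail relies on: a display name that matches a known colleague but an address that does not, a look-alike sender domain, a Reply-To pointing somewhere else, and pressure language in the subject or body. The code below is an added example and not part of the original post; the internal domain, the staff directory and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed values for the demonstration (not from the original post).
INTERNAL_DOMAIN = "example.com"
KNOWN_STAFF = {"Dana Lee": "dana.lee@example.com"}  # constructed directory

# Words typical of the "fear and pressure to act" lever.
URGENCY = re.compile(r"\b(urgent|immediately|act now|within 24 hours)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold common look-alike substitutions (1->l, 0->o, rn->m) before comparing."""
    return domain.lower().replace("1", "l").replace("0", "o").replace("rn", "m")


def analyze(raw_message: str) -> dict:
    """Return the sender address plus a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, sender = parseaddr(str(msg.get("From") or ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    # 1. Display name of a known colleague, but a different mailbox.
    if display_name in KNOWN_STAFF and sender.lower() != KNOWN_STAFF[display_name]:
        findings.append("display-name impersonation of known staff")

    # 2. Sender domain that is not ours but looks like ours after normalization.
    if sender_domain != INTERNAL_DOMAIN and normalize_domain(sender_domain) == INTERNAL_DOMAIN:
        findings.append("lookalike sender domain")

    # 3. Replies silently redirected to a domain other than the visible sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To") or ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append("reply-to domain differs from sender domain")

    # 4. Urgency wording in subject or plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""
    if URGENCY.search(str(msg.get("Subject") or "")) or URGENCY.search(body_text):
        findings.append("pressure/urgency language")

    return {"from": sender, "findings": findings, "score": len(findings)}


# Constructed sample: impersonates a colleague from a look-alike domain.
SAMPLE_PHISH = """\
From: Dana Lee <dana.lee@examp1e.com>
Reply-To: payments@mail-relay.invalid
To: staff@example.com
Subject: Urgent: wire transfer needed today

Please send the account details immediately, I am in a meeting.
"""

# Constructed sample: ordinary internal mail from the real mailbox.
SAMPLE_OK = """\
From: Dana Lee <dana.lee@example.com>
To: staff@example.com
Subject: Lunch menu for Friday

The cafeteria posted next week's menu.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        result = analyze(sample)
        print(f"{label}: score={result['score']} findings={result['findings']}")
```

The score is a count of independent signals rather than a verdict; in practice such checks feed a mail gateway or SIEM rule alongside SPF/DKIM/DMARC results, and the display-name check only works when a current staff directory is available to it.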

Another form of social engineering is baiting. The victim is lured with bait into disclosing confidential information. One example is a scam in which a supposed lawyer needs account information to settle the estate of a deceased wealthy person. Other examples include malware-infected games or software downloads, or intentionally distributing malware-infected removable storage devices such as USB sticks.

Then there is scareware, which is designed to frighten the victim with fake notices from lawyers or law enforcement authorities. Another form of social engineering is tailgating, where an unauthorized person follows someone else through a door to gain access to areas that would otherwise not be accessible. A digital example would be using an unattended but still logged-on computer.