Social Engineering
Social engineering is the use of psychological manipulation to trick people into divulging confidential information, granting access, or performing actions that compromise security.
Definition
Social engineering is the use of psychological manipulation to trick people into divulging confidential information, granting access, or performing actions that compromise security.
Overview
Unlike attacks that exploit technical vulnerabilities, social engineering exploits human trust, urgency, authority, and fear. Attackers research a target, craft a believable pretext, and manipulate a person — often an employee — into an action such as clicking a malicious link, revealing a password, or approving a fraudulent payment. Because it targets people rather than systems, social engineering can bypass even strong technical defenses. Common techniques include phishing (fraudulent emails or messages impersonating a trusted source), pretexting (fabricating a scenario to extract information, such as posing as IT support), baiting (leaving infected USB drives or offering fake downloads), and tailgating (physically following an authorized person into a secure area). Business email compromise, where an attacker impersonates an executive to authorize a wire transfer, is one of the costliest forms of social engineering seen by organizations. Because people are the weakest link in most security programs, awareness training, Multi-Factor Authentication (MFA) to blunt stolen credentials, verification procedures for sensitive requests, and a culture that encourages reporting suspicious contact are the primary defenses — themes explored in Governance, Compliance & Career Readiness.
Key Concepts
- Manipulates human psychology rather than exploiting technical flaws
- Common forms: phishing, pretexting, baiting, and tailgating
- Often the first step in a larger multi-stage attack
- Business email compromise (BEC) is a especially costly variant
- Effective even against organizations with strong technical controls
- Mitigated primarily through awareness training and verification procedures