
  • Learn Penetration Testing
  • Rishalin Pillay
  • 347 words
  • 2021-06-24 14:09:21

What is social engineering?

Social engineering can be defined as a form of psychological manipulation that persuades a person to give up confidential information. It is a form of cyberattack that relies on trickery and deception rather than on a software exploit. Of course, software is involved in building a social engineering attack, but the main component is how well you deceive the target into believing that what you are doing is legitimate.

Software and humans are really not that different from each other. You may be wondering how humans and software can be so similar. Well, both have vulnerabilities that attackers can exploit to get what they want. In software, the vulnerability is generally buggy code, which leads to flaws that an attacker can compromise.

With humans, it is our nature that makes it easy for people to target others using psychological manipulation. Humans have a variety of emotions that separate us from other living creatures. However, some of those emotions are prime targets for social engineering attacks. For example, we have the following emotional traits:

  • Helping others
  • Trusting others
  • Fear
  • Obedience to authority

Social engineering attacks take advantage of these emotional vulnerabilities and persuade us to perform an action such as clicking a fraudulent link, visiting a malicious website, or opening a malicious document.

Most organizations invest a lot of effort into training employees about social engineering, but sadly, some do not. Irrespective of the security controls that are put in place, end users will ultimately have access to sensitive information that could harm the organization if it fell into the wrong hands. Curiosity will cause a person to pick up a USB stick lying on the floor and plug it in to see what is on it. Dropping infected USB sticks around a target organization is a common penetration testing technique, and it is also used by attackers.

Social engineering comes in many forms, so let's explore some of them.
