What Is Social Engineering?

Social engineering is the process of manipulating people to reveal sensitive information or compromise confidential data inadvertently. Social engineering uses human nature to reach the desired outcome.

How Social Engineering Is Accomplished

Social engineering techniques can be carried out through technological means or through human interaction. The manipulation of human vulnerabilities is, in essence, human hacking. Hackers who apply social engineering techniques are known as social engineers. Social engineers gather information about an individual and use this knowledge to exploit human nature. With the information gathered, social engineers create a trust bond with the target by using a false pretense such as trusted entities, like banks or the IRS, or as trusted people, like the cable man or IT personnel. Once trust is established, the attack begins.

Types of Social Engineering Attacks

• Phishing—Phishing is the most well known social engineering technique. Phishing is the process of tricking a target into performing the desired action, typically through email, text, or social media. The social engineer designs a package that appears to be from a trusted, legitimate sender and encourages the receiver to perform an action like clicking on an embedded link. Phishing scams typically rely on urgency, a sense of fear, or curiosity to achieve the desired outcome.

• Spear phishing—Spear phishing is a type of phishing attack where a specific person or group of people is targeted. Spear phishing campaigns are more customized than traditional phishing attacks and rely on a previously set trust relationship with the target for exploitation.

• Impersonation—Impersonation is where a social engineer pretends to be a trusted individual to garner information. Social engineers can pretend to be a business associate, a trusted worker like maintenance personnel, or any other person who automatically instills a feeling of trust in the victim.

• Shoulder surfing—Shoulder surfing is a technique used to garner information by attempting to view a target’s device without the target realizing it. For example, a shoulder surfer may be standing behind the victim in a line or may be sitting at an adjacent desk.

• Tailgating—Tailgating occurs when a social engineer attempts to physically follow a target into a secure place. A shoulder surfer may use techniques such as carrying a large box and asking for the target to hold the door for them or may pretend to be a fellow employee who has misplaced their access card.

• Dumpster diving—Dumpster diving is the process of going through the trash of a target to gather information. The social engineer will look through dumpsters or trash cans in an attempt to find sensitive information or useful documents which have been thrown away.

Social engineering is the most successful form of cyber attack. The key to managing social engineering attacks is continued user education and training as well as human vigilance. To learn more about social engineering and other security concerns, or to test your knowledge, check out our CompTIA A+ 1002 Security practice tests, study guides, and flashcards.