SOCIAL ENGINEERING

Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.

Social engineering is a popular tactic among hackers because it is often easier to exploit users' trust and habits than it is to find a network or software vulnerability. Hackers will often use social engineering tactics as the first step in a larger campaign to infiltrate a system or network and steal sensitive data or distribute malware.



How social engineering works

Social engineers use a wide variety of tactics to perform attacks, but most of them begin with research and reconnaissance on the target: who works there, which systems and vendors the organization uses, and how its people normally communicate.
From there, the hacker can design an attack based on the information collected and exploit the weaknesses uncovered during the reconnaissance phase.
If the attack is successful, the hacker has obtained sensitive data -- such as credit card or banking information -- has made money off the targets or has gained access to protected systems or networks.



Types of social engineering attacks

Popular types of social engineering attacks include:


  • Baiting: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where it is likely to be found. The finder then picks up the device and plugs it into a computer, unintentionally installing the malware.
  • Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
  • Spear phishing: Spear phishing is like phishing but tailored for a specific individual or organization.
  • Vishing: Vishing is also known as voice phishing, and it's the use of social engineering over the phone to gather personal and financial information from the target.
  • Pretexting: Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
  • Scareware: Scareware involves tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.
  • Watering hole: A watering hole attack is when the attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust, in order to gain access to their systems or network.
  • Diversion theft: In this type of attack, the social engineers trick a delivery or courier company into going to the wrong pickup or drop-off location, thus intercepting the transaction.
  • Quid pro quo: A quid pro quo attack is one in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be calling back from tech support. Eventually, the hacker will find someone with a legitimate tech issue who they will then pretend to help. Through this, the hacker can have the target type in the commands to launch malware or can collect password information.
  • Honey trap: An attack in which the social engineer poses as an attractive person, fakes an online relationship with the target and uses that relationship to gather sensitive information.
  • Tailgating: Tailgating, sometimes called piggybacking, is when a hacker walks into a secured building by following someone with an authorized access card. This attack presumes the person with legitimate access to the building is courteous enough to hold the door open for the person behind them, assuming they are allowed to be there.
  • Rogue security software: Rogue security software is a type of malware that tricks targets into paying for the fake removal of malware; scareware is usually how the victim is led to install it.
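The phishing and spear phishing entries above rest on one trick: a message that "purports to be from a trusted source". As an added example, not code from the original article, the Python script below runs four header-level checks over constructed sample messages: a display name that invokes a trusted brand while the address is on an unrelated domain; a sender domain that matches a trusted one after mapping confusable characters (rn for m, 1 for l, 0 for o) or that is one edit away (a typosquat); a Reply-To on a different domain than From; and a failed SPF, DKIM or DMARC verdict stamped by the receiving mail server. The trusted-domain list, the confusable table and the three messages are all assumptions constructed for the example.

```python
"""Header heuristics for the sender disguise used in phishing email.

Added example, not from the original article. Flags the ways a phishing
message "purports to be from a trusted source":
  1. display-name spoofing: the friendly name invokes a trusted brand while
     the actual address sits on an unrelated domain;
  2. lookalike domains: the sender domain matches a trusted domain after
     mapping confusable characters (rn->m, 1->l, 0->o, ...) or is one edit away;
  3. Reply-To pointing at a different domain than From;
  4. a failed SPF/DKIM/DMARC verdict recorded by the receiving MX.
The trusted-domain list, confusable table and sample messages are all
constructed for this example; a real deployment would load the first two
from configuration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplebank.com", "examplecorp.com"}  # constructed

# Character sequences phishers swap in because they look alike in common fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l", "3": "e", "5": "s"}

# Verdicts in Authentication-Results that mean the sender failed to authenticate.
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror|temperror)\b", re.I)


def normalise(domain):
    """Map confusable sequences to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels; a simplification that ignores public suffixes such as co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def lookalike_of(domain):
    """Return the trusted domain `domain` imitates, or None if it is trusted or unrelated."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(reg) == normalise(trusted) or edit_distance(reg, trusted) <= 1:
            return trusted
    return None


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. trusted brand in the display name, but the address is not on that brand's domain
    compact_name = re.sub(r"[^a-z0-9]", "", name.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in compact_name and registrable(domain) != trusted:
            findings.append(f"display name '{name}' invokes {trusted} but address is {addr}")

    # 2. lookalike or typosquatted sender domain
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} imitates trusted domain {target}")

    # 3. replies diverted to another domain
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply} is not on the From domain {domain}")

    # 4. authentication verdicts stamped by our own mail server
    for mech, verdict in AUTH_FAIL.findall(msg.get("Authentication-Results", "")):
        findings.append(f"{mech.lower()}={verdict.lower()} in Authentication-Results")
    return findings


# Constructed sample messages; only the headers matter for these checks.
SAMPLES = {
    "legitimate": (
        "From: Example Bank Alerts <alerts@examplebank.com>\n"
        "To: user@example.org\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com;"
        " dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com\n"
        "Subject: Your monthly statement\n\nStatement attached.\n"
    ),
    "display_name_spoof": (
        "From: Example Bank Security <support@mail-notice.net>\n"
        "Reply-To: verify@secure-login-portal.info\n"
        "To: user@example.org\n"
        "Subject: Action required: confirm your account\n\nClick the link to verify.\n"
    ),
    "lookalike_domain": (
        "From: Example Bank <alerts@exarnplebank.com>\n"
        "To: user@example.org\n"
        "Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=exarnplebank.com;"
        " dkim=none; dmarc=fail header.from=exarnplebank.com\n"
        "Subject: Unusual sign-in\n\nReview the activity now.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw) or ["clean"])
```

Two caveats for anyone adapting this. The Authentication-Results check is only meaningful for the header your own mail server adds; an attacker can insert a forged one upstream, so strip or ignore copies that did not come from your MX. The lookalike logic handles ASCII confusables and single-character typos only; internationalized domain names (punycode labels starting with xn--) need a separate confusable mapping, and a properly enforced DMARC policy on the trusted domains is the authoritative control that these heuristics supplement rather than replace.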
