social engineering

This definition is part of our Essential Guide: How to hone an effective vulnerability management program
Contributor(s): Madelyn Bacon

Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. 

A social engineer runs what used to be called a "con game." Techniques such as appeal to vanity, appeal to authority and appeal to greed are often used in social engineering attacks. Many social engineering exploits simply rely on people's willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.

Popular types of social engineering attacks include:

  • Baiting: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where it is sure to be found. The finder picks up the device and plugs it into a computer, unintentionally installing the malware.
  • Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate one, often purporting to be from a trusted source such as a bank or an IT department. The message is meant to trick the recipient into sharing personal or financial information, entering credentials on a look-alike site, or clicking a link or opening an attachment that installs malware.
  • Spear phishing: Spear phishing is phishing tailored to a specific individual or organization, using details about the target (a name, role, project or supplier) to make the message more convincing.
  • Pretexting: Pretexting is when one party invents a plausible scenario, or pretext, to persuade another to hand over privileged data. For example, an attacker might claim to need personal or financial details in order to "confirm the identity" of the recipient.
  • Scareware: Scareware involves tricking the victim into thinking his or her computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.
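As an added example, not code from this page or from any vendor, the Python script below checks a raw email for the disguise techniques the phishing and spear-phishing entries describe: a trusted brand in the display name over an untrusted sender address, a look-alike sender domain, a Reply-To that diverts answers elsewhere, link text that shows one host while the href goes to another, and urgency language. The trusted-domain list, the urgency phrases and the two sample messages are constructed for illustration; the heuristics are deliberately simple and would sit in front of, not replace, a mail gateway's own controls.

```python
"""Heuristic checks for the disguise techniques used in phishing and spear phishing.

Added example, not code from the original page or any product. The
trusted-domain list, urgency phrases and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this hypothetical organisation treats as trusted senders.
TRUSTED_DOMAINS = {"example-bank.com", "corp.example.com"}
# Constructed: phrases that signal the manufactured urgency social engineers rely on.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
# Link text that looks like a host or URL, so "what is shown" can be compared with "where it goes".
HOSTLIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample messages.
PHISH = """From: Example Bank Security <alerts@examp1e-bank-support.com>
Reply-To: recover@mailbox.evil.test
To: victim@corp.example.com
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Verify your account within 24 hours:
<a href="https://example-bank.com.evil.test/login">https://example-bank.com/login</a></p>
"""

LEGIT = """From: IT Helpdesk <helpdesk@corp.example.com>
To: someone@corp.example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html

<p>The VPN will be unavailable 02:00-04:00 on Saturday. Details:
<a href="https://intranet.corp.example.com/maintenance">intranet.corp.example.com</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(s: str) -> str:
    """Lower-cased host of an email address, URL or bare hostname."""
    s = s.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _alnum(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_host = host_of(sender)
    brands = {_alnum(d.split(".")[0]): d for d in TRUSTED_DOMAINS}   # "example-bank.com" -> "examplebank"

    # 1. Trusted brand in the display name, but the address is not from that brand.
    for brand in brands:
        if brand in _alnum(display) and not is_trusted(sender_host):
            found.append(f"display name mentions {brand!r} but sender host is {sender_host!r}")
            break

    # 2. Look-alike host: a trusted brand inside an untrusted sender host, after undoing
    #    common digit-for-letter swaps (1 for l, 0 for o).
    lookalike = _alnum(sender_host).translate(str.maketrans("10", "lo"))
    for brand, domain in brands.items():
        if brand in lookalike and not is_trusted(sender_host):
            found.append(f"sender host {sender_host!r} resembles trusted domain {domain!r}")
            break

    # 3. Reply-To diverts answers to a different host than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and host_of(reply_to) != sender_host:
        found.append(f"Reply-To host {host_of(reply_to)!r} differs from sender host {sender_host!r}")

    # 4. Link text shows one host, href goes to another.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    extractor = _LinkExtractor()
    extractor.feed(body)
    for text, href in extractor.links:
        if HOSTLIKE.fullmatch(text) and host_of(text) != host_of(href):
            found.append(f"link text shows {host_of(text)!r} but points to {host_of(href)!r}")

    # 5. Urgency language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    if any(p in haystack for p in URGENCY_PHRASES):
        found.append("urgency language in subject or body")

    return found


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw))
```

Run stand-alone, the constructed phishing sample trips all five checks and the legitimate helpdesk notice trips none. The look-alike and brand checks are string heuristics and will produce false positives on unusual display names; the point is to show which header and body fields a reviewer compares, not to ship a classifier.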

Security experts recommend that IT departments regularly carry out penetration tests that use social engineering techniques, such as simulated phishing campaigns or pretext phone calls. The results show which groups of users are most at risk for specific types of attacks and which employees need additional training. Security awareness training goes a long way toward preventing social engineering attacks: if people know what forms these attacks are likely to take, and how to report a suspicious message or call, they are less likely to become victims. 
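As an added example, not code from this page or any product, the script below scores a simulated phishing campaign of the kind the paragraph above recommends. It folds a per-event log into one result per user, computes click, credential-submission and report rates per department, and lists who needs follow-up training. The event log and its field layout (user, department, event, seconds since send) are constructed; a real simulation platform will export something similar but not identical.

```python
"""Scoring a simulated phishing campaign run as part of a social-engineering test.

Added example, not code from the original page or any product. The event log
and its layout (user, department, event, seconds since send) are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed event log for one simulated phishing email sent to five users.
EVENTS = """\
alice,finance,delivered,0
alice,finance,clicked,420
alice,finance,submitted,470
bob,finance,delivered,0
bob,finance,reported,180
carol,engineering,delivered,0
carol,engineering,clicked,60
carol,engineering,reported,300
dave,engineering,delivered,0
erin,helpdesk,delivered,0
erin,helpdesk,clicked,900
erin,helpdesk,submitted,960
erin,helpdesk,reported,1000
"""


@dataclass
class UserResult:
    department: str
    clicked: bool = False      # followed the link in the simulated email
    submitted: bool = False    # entered credentials on the landing page
    reported: bool = False     # used the report-phishing channel
    report_seconds: Optional[int] = None


def parse_events(text: str) -> dict:
    """Fold the per-event log into one UserResult per user."""
    users = {}
    for line in text.splitlines():
        user, dept, event, seconds = line.split(",")
        r = users.setdefault(user, UserResult(dept))
        if event == "clicked":
            r.clicked = True
        elif event == "submitted":
            r.clicked = True        # credentials cannot be submitted without following the link
            r.submitted = True
        elif event == "reported" and not r.reported:
            r.reported = True       # keep the first report time only
            r.report_seconds = int(seconds)
    return users


def department_stats(users: dict) -> dict:
    """Per-department click, credential-submission and report rates."""
    by_dept = defaultdict(list)
    for r in users.values():
        by_dept[r.department].append(r)
    stats = {}
    for dept, rs in by_dept.items():
        n = len(rs)
        stats[dept] = {
            "targets": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "submit_rate": sum(r.submitted for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return stats


def median_report_seconds(users: dict) -> Optional[float]:
    """Median time from send to report among users who reported; None if nobody did."""
    times = [r.report_seconds for r in users.values() if r.reported]
    return median(times) if times else None


def needs_training(users: dict) -> list:
    """Users who handed over credentials, plus those who clicked and never reported."""
    return sorted(u for u, r in users.items() if r.submitted or (r.clicked and not r.reported))


if __name__ == "__main__":
    results = parse_events(EVENTS)
    for dept, s in sorted(department_stats(results).items()):
        print(f"{dept:12} targets={s['targets']} click={s['click_rate']:.0%} "
              f"submit={s['submit_rate']:.0%} report={s['report_rate']:.0%}")
    print("median time to report:", median_report_seconds(results), "s")
    print("follow-up training:", needs_training(results))
```

Two design points worth keeping when adapting this: the report rate and time-to-report are the metrics that tell you whether the security team would have heard about a real attack in time, so they matter at least as much as the click rate; and a user who clicked but then reported (carol here) is treated as a success for the reporting process rather than singled out for training, which keeps the incentive to report intact.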

This was last updated in February 2016



I work with a lot of different businesses across many and the only somewhat successful thing I have witnessed any organization use to combat social engineering is periodic testing and ongoing awareness. Though not perfect in any sense, they're still better than doing nothing...which is what the majority of organizations do.

You have to be careful, especially with social engineering. You create your own circumstances in security by the choices you make. It's the law of sowing and reaping: both actions and inactions will get you results.

I recently wrote a piece for that has more information on phishing and how to combat the problem.
I educate my staff about the commonly used social engineering tactics and keep them abreast of ongoing scams. So far, we have had no incidents, even though we have had a couple of attempts on our admissions staff. Over the three years since I have been doing this, we have had three near-misses that were reported to me immediately and nipped. I don't do testing or any other inspection before the fact. My staff have proven that they are aware enough to inform me of anything that seems suspicious.
We rule with an iron fist, no human interaction at all, the only way to prevent it.
Seems to me you really need to have drills once in a while -- have a guy call in from an outside line and say he's with the ISP and he just needs them to help him out for a minute, or whatever, try the standard social engineering tricks and see what you hit on. 
What does your organization do to combat malicious social engineering?
You have to be careful, especially with social engineering.
We are a huge organization and we are having security issues within the business, losing customer data, fraud, breaches of security and a general overload of roles within teams. We need to reduce the amount of roles. I'm hoping for some advice on what the possible implications to this could be.
All, it is all about educating your staff. Social engineering is heavily underestimated and possibly the biggest security issue any company may have.
There are education programs for staff or, even better, there are platforms like PhishLine, which has a great tool that delivers attack simulation across all social-engineering vectors and provides the data and robust reporting, focused mostly on enterprise customers, governmental organizations and financial institutions, but also on the high-end SMB market, which faces the same issues. It is all about education and control. 
Puts posters with examples and warnings. Runs lunch-and-learn meetings now and then. Sends email reminders.
It'd be cool if they also fake one of those phishing emails and later announce "winners" who clicked or provided some data :)
There's also "vishing", from "voice phishing", when one receives a call or voice mail prompting for certain actions. Quite recently I received a voice mail from "revenue agency" that my bank account has been locked, and I have to email my last year's tax assessment ASAP. The trick is - that document has tons of personal information that can be used for further attacks or identity theft.

