What is social engineering? Definition, types, attack techniques


Table of contents

  • What is social engineering?
  • Types of social engineering techniques and methods
  • 10 top best practices to detect and prevent social engineering attacks in 2022

Social engineering is the very common practice of exploiting a human element to initiate and/or execute a cyberattack. 

Human weakness and ignorance present such easy targets that fully 82% of the attacks in Verizon’s 2022 Data Breach Investigations Report were perpetrated, at least in part, via some form of social engineering.

In this article, we look at the forms of social engineering that are frequently used and best practices for limiting its effectiveness within the enterprise.

What is social engineering?

A dictionary definition of social engineering (in the context of cybersecurity) is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” 

At the most basic, this includes the mass-market spamming of individual email accounts with a phishing attempt such as an offer for a free gift certificate from a well-known retailer. Consumers who click a link to a malicious website or open an infected file attachment and enter personal information may open themselves up to criminal exploitation.

For higher-value, enterprise targets, the technique can become quite a bit more elaborate — or remain stunningly simple.

Roger Grimes, data-driven defense evangelist at security awareness training vendor KnowBe4, calls it what it is: a con, a scam. “It’s someone pretending to be a brand, company or person you would … trust more than if you know the message was being sent by a complete stranger trying to trick you into doing something that will impact you or your organization’s own interests,” he explained. “The desired actions are often to launch a malicious program, provide logon passwords, or to provide confidential content (e.g., social security number, banking information, etc.).”

The criminal uses psychological manipulation to trick the user into performing actions or divulging confidential information. Seven means of persuasive appeal, as outlined by Robert Cialdini in Influence: The Psychology of Persuasion, are commonly cited in explaining why people are vulnerable to their application in social engineering:

  • Reciprocity
  • Scarcity
  • Authority
  • Liking
  • Commitment
  • Consensus
  • Unity

Many social engineering attempts come via email, but that is not the only channel. Social engineering is also accomplished via SMS messages, websites, social media, phone calls or even in person. 

As Manos Gavriil, head of content at hacking training firm Hack The Box, points out, “Social engineering is considered the number one threat in cybersecurity, as it exploits individual human error, which makes it very hard to stop, and even the simplest forms of attack can have a devastating impact.”

Types of social engineering techniques and methods

Social engineering is accomplished in a variety of ways:  

  • Pretexting: This involves the false presentation of identity or context to make a target believe they should share sensitive data or take a compromising action, and it is an element in most social engineering.
  • Baiting: The adversary usually offers a fake promise of something to deceive the victim, steal sensitive information or infect the organization with malware.
  • Phishing: The attacker sends out large volumes of emails, without a specific target in mind, in the hope that a malicious link or attachment will be clicked to give the attacker access to sensitive information. 
  • Spear phishing: Masq
