TL;DR
Social engineering attacks target people instead of systems. Attackers use psychological manipulation to trick victims into revealing information, granting access, or taking harmful actions. Techniques include phishing, pretexting, and impersonation. Defense requires security awareness training, verification procedures, and a culture where questioning unusual requests is encouraged.
The Simple Explanation
Why hack a computer when you can trick a human? Social engineering bypasses technical security by exploiting trust, helpfulness, fear, and urgency. An attacker might call pretending to be IT support, send an email posing as the CEO, or simply follow an employee through a secure door. People are often the weakest link.
Common Techniques
| Technique | Method | Example |
|---|---|---|
| Phishing | Deceptive emails | Fake password reset |
| Pretexting | Fabricated scenario | "I'm from IT auditing" |
| Vishing | Phone calls | Fake tech support |
| Baiting | Enticing offer | Infected USB drive |
| Tailgating | Physical access | Following through doors |
| Impersonation | Pretending to be someone | Fake vendor or employee |
Psychology Exploited
- Authority: People comply with perceived authority figures
- Urgency: Time pressure prevents careful thinking
- Trust: We want to help people who seem legitimate
- Fear: Threats cause panic and poor decisions
- Reciprocity: We feel obligated to return favors
- Social proof: If others do it, it must be okay
Attacker calls: "Hi, this is Mike from IT. We're seeing some unusual login attempts on your account. I need to verify your identity to protect your account. Can you confirm your password?"
The urgency (unusual attempts) and authority (IT department) pressure the victim to comply without questioning why IT would ask for a password at all, something a legitimate help desk never needs.
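The cues in that call can be checked for mechanically. The following is an added example, not part of the original page: a small Python triage routine that scans an inbound request for the levers listed above (authority, urgency, fear, a request for credentials or a payment) and for the classic impersonation tell of an internal role claimed from an external mail domain. The trusted domain, cue phrases, weights and escalation threshold are assumptions for a hypothetical organisation, and the sample requests are constructed (the first is the call quoted above).

```python
"""Heuristic triage of an inbound request for social-engineering cues.

Added, illustrative code: the cue lists, weights and threshold are assumptions,
not any organisation's real policy. Keyword matching is a starting point for
triage, not a substitute for out-of-band verification.
"""
import re
from dataclasses import dataclass

# Assumed trusted mail domain for the hypothetical organisation.
TRUSTED_DOMAINS = {"example.com"}

# Cue patterns grouped by the psychological lever they pull; weights are assumptions.
CUES = {
    "authority": (2, (r"this is .* from it\b", r"\bit (support|department)\b",
                      r"\bceo\b", r"\baudit", r"\bhelp ?desk\b")),
    "urgency": (2, (r"\bimmediately\b", r"\bright now\b", r"\burgent",
                    r"unusual (login|activity)", r"within the hour")),
    "fear": (1, (r"account (will be )?(locked|suspended|closed)", r"\bcompromised\b")),
    "credential_request": (4, (r"confirm your password", r"\bpassword\b",
                               r"(mfa|verification|one-time) code")),
    "payment_request": (4, (r"wire transfer", r"update (the|our) bank(ing)? details",
                            r"gift cards?")),
}
ESCALATE_AT = 6  # assumed score at which the request must be verified before acting


@dataclass
class Request:
    body: str
    sender: str = ""        # e-mail address, or "" for a phone call or walk-in
    display_name: str = ""  # claimed name or role


def find_cues(req):
    """Return {cue_name: weight} for every cue found in the request."""
    text = req.body.lower()
    found = {}
    for name, (weight, patterns) in CUES.items():
        if any(re.search(p, text) for p in patterns):
            found[name] = weight
    if req.sender:
        domain = req.sender.rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_DOMAINS:
            found["external_sender"] = 1
            # An external address claiming an internal role is the impersonation tell.
            if re.search(r"\b(it|helpdesk|ceo|cfo|finance|hr)\b", req.display_name.lower()):
                found["internal_role_external_domain"] = 4
    return found


def triage(req):
    """Return (score, verdict, sorted cue names) for the request."""
    cues = find_cues(req)
    score = sum(cues.values())
    verdict = "escalate" if score >= ESCALATE_AT else "normal"
    return score, verdict, sorted(cues)


# Constructed samples: the IT-support call quoted above, a CEO-fraud e-mail, a benign note.
VISHING_CALL = Request(
    body="Hi, this is Mike from IT. We're seeing some unusual login attempts on your "
         "account. I need to verify your identity to protect your account. Can you "
         "confirm your password?")
CEO_EMAIL = Request(
    body="I'm in a meeting and need this wire transfer done immediately. Do not call.",
    sender="ceo.office@examp1e-corp.net", display_name="CEO")
BENIGN = Request(
    body="Can you send me the slides from Tuesday's review when you get a chance?",
    sender="alice@example.com", display_name="Alice")

if __name__ == "__main__":
    for label, req in [("vishing", VISHING_CALL), ("ceo fraud", CEO_EMAIL), ("benign", BENIGN)]:
        print(label, triage(req))
```

The call from the page scores on authority, urgency and a credential request and is escalated; the CEO mail scores even without any authority phrase in its body, because the role is claimed in the display name while the address is external. A benign internal request trips nothing.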
Attackers do their homework. They research targets on LinkedIn, company websites, and social media. They know names, titles, projects, and relationships. This makes their pretexts convincing.
Defense Strategies
- Training: Regular security awareness education
- Verification: Callback procedures for sensitive requests
- Culture: Make it safe to question and verify
- Policies: Clear procedures for sensitive actions
- Testing: Simulated social engineering attempts
- Reporting: Easy way to flag suspicious contacts
Why is social engineering effective?
Social engineering exploits human psychology: trust, helpfulness, fear of authority, and urgency. Technical defenses cannot block someone from choosing to help an attacker. People want to be helpful and often do not question requests that seem legitimate. Attackers exploit these natural tendencies.
What are common social engineering techniques?
Pretexting (creating a fake scenario), phishing (deceptive emails), vishing (phone calls), baiting (offering something enticing), tailgating (following authorized people through doors), and impersonation (pretending to be IT, executives, or vendors). These often combine for greater effect.
How do I protect against social engineering?
Security awareness training that includes realistic examples, verification procedures for sensitive requests (call back on known numbers, not provided ones), policies that make it safe to question unusual requests, and multiple approval requirements for high-risk actions like wire transfers.
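The two controls named here, callback on a known number and multiple approvals for a wire transfer, can be expressed as a small workflow. The following is an added example and not the page's own procedure: the directory of known numbers, the approver list, the dual-approval threshold and the `dial` function that stands in for placing the call are all constructed placeholders for a hypothetical organisation.

```python
"""Out-of-band verification and independent approval for a high-risk request.

Added example, not the page's procedure: DIRECTORY, AUTHORIZED_APPROVERS and
DUAL_APPROVAL_ABOVE are constructed placeholders, and `dial` is a hypothetical
hook that places a call and reports whether the person confirmed the request.
"""
from dataclasses import dataclass, field

# Constructed directory of known-good numbers. A number the requester supplies is never dialled.
DIRECTORY = {"dana.cfo": "+1-555-0100", "mike.it": "+1-555-0101"}
AUTHORIZED_APPROVERS = {"dana.cfo", "pat.controller", "sam.treasury"}
DUAL_APPROVAL_ABOVE = 10_000  # assumed amount above which two independent approvers are required


@dataclass
class Request:
    requester: str               # claimed identity, e.g. "dana.cfo"
    action: str                  # e.g. "wire_transfer"
    amount: int
    callback_number_given: str   # number the requester offered; untrusted
    verified_via: str = ""       # set by verify_callback() on success
    approvals: set = field(default_factory=set)
    notes: list = field(default_factory=list)


def verify_callback(req, dial):
    """Call the requester back on the DIRECTORY number, never the one they supplied."""
    known = DIRECTORY.get(req.requester)
    if known is None:
        req.notes.append("requester not in directory; cannot verify")
        return False
    if req.callback_number_given != known:
        # Steering the callback to a different number is itself worth recording.
        req.notes.append(f"supplied number {req.callback_number_given} differs from directory")
    if dial(known):
        req.verified_via = known
        return True
    req.notes.append("person on the known number did not confirm the request")
    return False


def authorize(req):
    """Return (allowed, reason); every gate must pass."""
    if not req.verified_via:
        return False, "not verified out-of-band"
    # The requester cannot approve their own request, and only listed approvers count.
    approvers = {a for a in req.approvals if a in AUTHORIZED_APPROVERS and a != req.requester}
    needed = 2 if req.amount > DUAL_APPROVAL_ABOVE else 1
    if len(approvers) < needed:
        return False, f"needs {needed} independent approver(s), have {len(approvers)}"
    return True, "approved"


def run_scenarios():
    """Constructed scenarios; `confirms` stands in for the real person on the known number."""
    def dial_factory(confirms):
        return lambda number: number == DIRECTORY["dana.cfo"] and confirms

    # 1. Pretext: caller claims to be the CFO and offers a callback number that is not the
    #    directory one. Dialling the known number reaches the real CFO, who denies it.
    fraud = Request("dana.cfo", "wire_transfer", 50_000, callback_number_given="+1-555-0199")
    verify_callback(fraud, dial_factory(confirms=False))
    fraud.approvals = {"pat.controller", "sam.treasury"}
    r1 = authorize(fraud)

    # 2. Genuine request, verified on the known number, but signed off only by the
    #    requester and one approver.
    genuine = Request("dana.cfo", "wire_transfer", 50_000, callback_number_given="+1-555-0100")
    verify_callback(genuine, dial_factory(confirms=True))
    genuine.approvals = {"dana.cfo", "pat.controller"}
    r2 = authorize(genuine)

    # 3. The same request once a second independent approver signs off.
    genuine.approvals.add("sam.treasury")
    r3 = authorize(genuine)
    return {"fraud": r1, "single_approver": r2, "dual_approver": r3}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The design point is that the pretext never gets a chance to succeed on its own terms: the number the caller offers is ignored, the requester's own approval does not count toward the quorum, and a verified request still stops until the required number of independent approvers have signed off.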