Social engineering is a method of gaining access to systems, data, or buildingst hrough the exploitation of the human psychology.Social engineering involves a wide range of malicious activities, which are executed in various ways such as pretexting, phishing, quid pro quo, baiting, and tailgating among others Instead of using technical
techniques or breaking in, social engineering involves non-technical schemes that attackers employ.
For instance, an attacker may call a target or an employee and disguise as an IT support person instead of finding a software vulnerability in the target's company.
Social engineering scams are based on how people think and act. The attacker will then trick the target into giving his/her password. The primary objective of social engineers is to gain the trust of as many targets as possible in a certain company.
Phishing is considered as the most common type of social engineering, whicha ttackers use today. Phishing scams have distinct characteristics such as obtaining personal information, including names, social security numbers, and addresses of targets; incorporating fear, a sense of urgency, and threats to manipulate targets to act fast; and using embed links or link shorteners to redirect targets to suspicious websites through URLs that may appear authorized or legit.
Social engineers often use tailgating in small organizations or companies given
that most large companies require employees to swipe their identification cards.
However, in the case of small to mid-sized companies, attackers can easily
converse with employees to show the security a sense of familiarity, getting past
the latter as well as the front desk.
A known security consultant used tailgating to access into several floors of a building, including one that housed the data room of a financial firm.
The
consultant was able to access the building's third floor meeting room wherein he
worked for a few days in order to obtain information.
Clearly, social engineering attacks are far-flung and considered as an enormous
threat to various organizations. Social engineering can cost targets thousands, if
not, millions of dollars annually as it attacks people with access or knowledge to
an organization's sensitive information.
Today, most attackers leverage various
tactics and social networking schemes in order to obtain professional and
personal information of their targets. The people who are most susceptible to
social engineering attackers are the new employees, followed by contractors,
human resources, executive assistants, IT personnel, and business leaders.
Unfortunately, some organizations do not have an awareness and prevention
program to counter social engineering. In addition, there are organizations who
do not have security policies or employee training that prevent tactics of social
engineering.