Social Engineering

Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target’s account.

For example, a woman might call a male victim’s bank and pretend to be his wife claiming an emergency and requesting access to his account. If the woman can successfully socially engineer the bank's customer service representative by appealing to the representative's empathetic tendency, she may succeed in obtaining access to the man’s account and be able to steal his money. Similarly, an attacker might contact an email provider’s customer service department to obtain a password reset that makes it possible for the attacker to control a target’s email account rather than hacking into that account.

Social engineering refers to the manipulation of a target so that they give up key information. In addition to stealing an individual’s identity or compromising a credit card or bank account, social engineering can be applied to obtain a company’s trade secrets or exploit national security.

Social engineering is difficult for potential targets to prevent. Precautions such as the use of strong passwords and two-factor authentication for accounts are used, but accounts can still be compromised by third parties with access to their accounts, such as bank employees. However, individuals can decrease their risk by avoiding giving out confidential information, being cautious when sharing information on social media, not repeating passwords, using two-factor authentication, using fake or difficult-to-guess answers to account security questions, and keeping a close eye on accounts, particularly financial accounts.

Attackers often use surprisingly simple tactics in social engineering schemes, such as asking people for help. Another tactic is to exploit disaster victims by asking them to provide personally identifiable information such as maiden names, addresses, dates of birth and social security numbers for missing or deceased loved ones—information that can later be used for identity theft.

Posing as a tech support professional or a delivery person are easy ways to gain unauthorized access to an account as is sending an apparently legitimate email with a malicious attachment. Such emails are often sent to a work email address where people are less likely to be suspicious of an unknown sender.

Emails can be disguised to appear as though they have originated from a known sender when they are actually sent by a hacker. More elaborate tactics that are targeted to specific people might involve learning about their interests and then sending the target a link related to that interest. The link can contain malicious code that can steal personal information from their computers. Popular social engineering techniques include phishing, cat fishing, tailgating, and baiting.