Social Engineering

What it is: A class of non-technical attack vectors that rely heavily on human interaction and psychological manipulation to deceive individuals into performing actions that compromise security. These actions can include divulging sensitive information, granting unauthorized access, transferring funds, or installing malware. It exploits inherent human traits like trust, helpfulness, fear, and urgency.

How it works: Attackers employ various psychological principles and tactics. Pretexting involves creating a fabricated scenario or identity to gain the victim’s trust. Phishing, as previously discussed, uses deceptive communications to lure victims. Baiting involves offering something enticing (e.g., a USB drive with malware) to trigger a desired action. Quid pro quo offers a benefit in exchange for information or access. Tailgating (physical) or piggybacking exploits physical access controls by following an authorized person. Impersonation involves pretending to be a legitimate authority figure. Effective social engineering often involves reconnaissance to gather information about the target and tailor the attack for maximum impact.

Example with key data: The 2016 hack of John Podesta, chairman of Hillary Clinton’s presidential campaign, is a prime example of a successful social engineering attack. Attackers sent a spear-phishing email disguised as a legitimate Google security alert, informing Podesta that his password had been compromised and prompting him to change it. The email contained a link to a fake Google login page where Podesta entered his credentials. This seemingly simple act granted the attackers access to his email account, leading to the subsequent leak of thousands of sensitive emails. The key data point here is the exploitation of trust in a familiar service (Google) and the creation of a sense of urgency, leading the victim to bypass critical security thinking.