Social Engineering
What it is and how we can defend against it
In cybersecurity, social engineering refers to the use of psychological manipulation to trick people into revealing confidential information or performing actions that compromise security. Instead of hacking into systems through technical means, attackers exploit human behavior—such as trust, fear, urgency, or curiosity.
Here's how it works. Social engineering attacks often follow a pattern:
- Research: The attacker gathers information about the target (e.g., job role, contacts, habits).
- Engagement: They initiate contact—via email, phone, social media, or in person.
- Manipulation: They use persuasive tactics to gain trust or create a sense of urgency.
- Exploitation: The victim is tricked into giving up sensitive data, clicking a malicious link, or granting access.
Common Types of Social Engineering Attacks
Type | Description | Example |
---|---|---|
Phishing | Mass emails that appear legitimate | Fake bank alert asking for login details |
Spear Phishing | Targeted phishing aimed at a specific person | Email pretending to be from a colleague |
Whaling | Phishing aimed at executives | CEO receives fake invoice request |
Pretexting | Attacker creates a fabricated scenario | Pretending to be IT support to get passwords |
Baiting | Luring victims with something tempting | USB drive labeled “Confidential” left in office |
Tailgating | Gaining physical access by following someone into a secure area | Pretending to be a delivery person |
How to Defend Against Social Engineering
- Security Awareness Training: Teach employees how to recognize and respond to suspicious behavior.
- Verify Requests: Always confirm sensitive requests through a second channel.
- Limit Information Sharing: Be cautious about what is shared publicly or on social media.
- Use Multi-Factor Authentication (MFA): Adds a layer of protection even if credentials are compromised.
- Report Incidents: Encourage a culture of reporting suspicious activity.
Social engineering is effective because it targets the human element, often considered the weakest link in cybersecurity.
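As an added example (not part of the original post), the following Python triage heuristic turns the lures from the table above and the "Manipulation" step into mail indicators a defender can check: urgency wording, credential requests, invoice or payment requests, a colleague's display name paired with an unknown address, and a Reply-To outside the organisation. The internal domain, the colleague directory and the sample messages are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain

# Lure wording drawn from the table above (fake bank alert, invoice request, urgency)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login details|verify your account|sign in here)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire transfer|payment|gift cards?)\b", re.I)

@dataclass
class Mail:
    from_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str

def triage(mail: Mail, directory: dict[str, str]) -> list[str]:
    """Return the social-engineering indicators found in one message.
    directory maps known colleague display names to their real addresses."""
    flags = []
    sender_domain = mail.from_addr.rsplit("@", 1)[-1].lower()
    text = f"{mail.subject}\n{mail.body}"
    if URGENCY.search(text):
        flags.append("urgency")                 # manipulation: pressure to act now
    if CREDENTIALS.search(text):
        flags.append("credential-request")      # phishing lure
    if PAYMENT.search(text):
        flags.append("payment-request")         # whaling / fake invoice lure
    known = directory.get(mail.from_name)       # spear phishing: familiar name, foreign address
    if known and known.lower() != mail.from_addr.lower():
        flags.append("display-name-spoof")
    if sender_domain == INTERNAL_DOMAIN and not mail.reply_to.lower().endswith("@" + INTERNAL_DOMAIN):
        flags.append("external-reply-to")       # replies would leave the organisation
    return flags

DIRECTORY = {"Dana Reyes": "dana.reyes@example.com"}  # constructed colleague directory

SAMPLES = [  # constructed messages mirroring the table's examples
    Mail("Bank Alerts", "alerts@bank-secure-login.test", "alerts@bank-secure-login.test",
         "Urgent: account suspended", "Verify your account and enter your login details."),
    Mail("Dana Reyes", "dana.reyes@mail-provider.test", "dana.reyes@mail-provider.test",
         "Quick favour", "Can you pay this invoice today? Immediately, please."),
    Mail("Sam Ortiz", "sam.ortiz@example.com", "sam.ortiz@example.com",
         "Lunch", "Team lunch on Friday?"),
]

def run() -> dict[str, list[str]]:
    """Triage every sample and key the indicators by subject line."""
    return {m.subject: triage(m, DIRECTORY) for m in SAMPLES}
```

A hit is a prompt to verify through a second channel, as the defence list recommends, not proof of an attack; legitimate mail can trip the wording patterns.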