In the context of information security, social engineering may refer to the psychological manipulation, influencing or deception of people, usually based on fraud, into taking actions or divulging confidential information for the purpose of obtaining information or gaining control of, or access to, a computer system. This type of activity may be viewed as an attack vector that relies heavily on human interaction and often involves obtaining a person's trust and then exploiting that trust by tricking the person into breaking normal security procedures.
Various techniques are used that appeal to vanity, to authority or to greed. Further, many social engineering exploits may simply rely on people's willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.
There are several types of social engineering attacks, for example digital attacks, phone attacks and in-person attacks. These attacks can originate from different sources, which can also be referred to as communication sources.
Digital attacks may use email or text messages to trick a person into clicking a malicious link or opening an infected attachment. These types of attacks are often referred to as “phishing.” Phishing may involve maliciously deceiving users into activating software that allows an attacker to take control of the victim's computer, as well as deceiving users into providing information directly to the attacker. Often, this attack technique includes a malicious party sending one or more communications to a potential victim. These communications can be in the form of a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source, such as an executive within a company, e.g., the Chief Executive Officer (CEO), or a bank or credit card company. In some cases, once the victim opens the fraudulent email message, or goes to a fraudulent web page, a viral payload may be delivered to the victim's computer. Once installed, the user's computer can often be controlled to perform other malicious activities such as accessing data, sending out spam emails, attacking other computers, infiltrating a closed network, or installing additional harmful software, such as ransomware.
A variation of phishing is spear phishing, which is similar to phishing but tailored to a specific individual or organization. Generally, spear phishing is a technique that may fraudulently obtain private information by sending highly customized emails to a few end users. This customized approach is one example of a difference between spear phishing and normal phishing campaigns, which focus on sending out high volumes of generalized emails with the expectation that only a few people will respond. On the other hand, spear phishing emails may require the attacker to perform additional research on their targets in order to “trick” end users into performing the requested activities.
Phone attacks can be used to make a person feel a sense of urgency to act in order to prevent a negative consequence. These attacks may attempt to have the person take an action that puts that person and that person's information at risk. These types of attacks are often referred to as “vishing.” Vishing typically uses a live person or a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank's or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the “bank” via an (ideally toll-free) number provided, in order to “verify” information. A typical “vishing” system may reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems may transfer the victim to the attacker/defrauder, who poses as a customer service agent or security expert for further questioning of the victim.
Pretexting is an in-person attack and occurs when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data, in order to confirm the identity of the recipient.
Social engineering also takes advantage of new communication channels as they are developed. For example, social networks, such as Facebook, often incorporate their own chat and voice channels. Smartphones and other mobile devices integrate various forms of communication, including VoIP, encrypted chat, texting, messaging, stickers and short videos. In addition to these, augmented reality and virtual reality communication channels are being developed. Further, over-the-top services and applications, such as Skype, FaceTime and WhatsApp, bypass traditional network distribution approaches and run over, or on top of, core Internet networks. As with existing forms of communication channels, these new communication channels are susceptible to social engineering attacks.