Social engineering is a term that is widely used but poorly understood. It is generally defined as any attack that is nontechnical in nature and relies on some form of human interaction, with the goal of tricking or coercing a victim into revealing information or violating normal security practices.
Social engineers are interested in gaining information they can use to carry out actions such as identity theft or password theft, or in gathering information for later use. Scams may include trying to make a victim believe the attacker is technical support or someone in a position of authority. An attacker may dress a certain way with the intent of fooling the victim into thinking the person has authority. The end goal of each approach is either to get the victim to drop their guard or to gain enough information for the attacker to better coordinate and plan a later attack.
If it helps, you can think of social engineers in the same context as con artists. Typically, individuals who engage in this type of activity are very good at recognizing telltale signs or behaviors that can be useful in extracting information, such as the following:
Moral Obligation: An attacker may prey on a victim's desire to provide assistance, because the victim feels compelled to help out of a sense of duty.
Trust: Human beings have an inherent tendency to trust others. Social engineers exploit this tendency by using buzzwords or other means. In the case of buzzwords, for example, use of familiar terms may lead a victim to believe that an attacker is in the know or has insider knowledge of a project or place.
Threats: A social engineer may threaten a victim if they do not comply with a request.
Something for Nothing: The attacker may promise a victim that for little or no work, they will reap tremendous rewards.
Ignorance: The reality is that many people do not realize the dangers associated with social engineering and do not recognize it as a threat.