People use social engineering to break into systems and attain information because it’s often the simplest way for them to get what they’re looking for. They’d much rather have someone open the door to the organization than physically break in and risk being caught. Security technologies such as firewalls and access controls won’t stop a determined social engineer.
Many social engineers perform their attacks slowly to avoid suspicion. Social engineers gather bits of information over time and use the information to create a broader picture of the organization they’re trying to manipulate. Therein lies one of their greatest assets: time. They’ve got nothing but time and will take the proper amount necessary to ensure their attacks are successful Alternatively, some social engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on the attacker’s style and abilities. Either way, you’re at a disadvantage.
Social engineers know that many organizations don’t have formal data classification programs, access control systems, incident response plans, or security awareness programs, and they take advantage of these weaknesses.