Exploring the psychological manipulation used to trick users into security mistakes.
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick them into giving up their passwords or bank information, or into granting access to their computer so malicious software can be installed without their knowledge. It is a dangerous threat because it relies on human error rather than on vulnerabilities in software and operating systems. The attacker's main tools are deception and the building of trust.

One common tactic is pretexting, where an attacker invents a scenario (a pretext) to persuade a targeted victim to release information or perform an action. For example, an attacker might impersonate an IT support technician to trick an employee into revealing their login credentials.

Another tactic is baiting, which uses a false promise to pique a victim's curiosity or greed. An attacker might leave a malware-infected flash drive in a conspicuous area, labeled "Confidential Payroll Info". An employee who picks it up and plugs it into their computer out of curiosity would unknowingly install the malware.

Quid pro quo involves a promised benefit in exchange for information, such as an attacker posing as a researcher and offering a small gift in exchange for a user's password.

The best defense against social engineering is awareness and education. Employees should be trained to be suspicious of unsolicited requests for information, to verify a requester's identity through an independent channel before complying with a request, and to follow established security policies.