Social engineering is a psychological attack against a company or an organization that aims to exploit people’s natural tendency to trust others. A social engineering attacker fabricates a pretext that is familiar to targets, and then preys on their cognitive biases to lull them into a false sense of security and trust. In short, the attacker assumes an alter ego that targets are expected to trust inherently.
Using this falsified trust relationship, the attacker coaxes targets to divulge sensitive data or perform an action they wouldn’t normally perform. Some leaked data, such as credentials, may be the end goal of the attacker. Other data, such as the name of a department manager, may be a means to an end.
The latter type of data may seem trivial, but that very fact is noteworthy for two reasons. First, because the information doesn’t seem important, targets are less likely to guard it closely. Thus, they’ll probably reveal it willingly without becoming suspicious. Second, social engineering is an iterative process. Every bit of information that an attacker gains is information that can be used to further strengthen the apparent legitimacy of the attacker’s pretext, which in turn instills greater confidence in targets, who are then more likely to divulge increasingly more sensitive information.
Social engineering may be considered a bold approach to hacking because it often requires attackers to make direct contact with their targets, either by telephone or in person. At the extreme end, an attacker will physically access areas intended to be restricted to the public, such as server rooms or vaults. These audacious social engineering tactics are often dramatized by Hollywood in heist films. And, just as in the movies, social engineering in the real world requires a great deal of research and planning, as well as elaborate pretexts.