Social Engineering

Learn how even the most rigid security protocols can be bypassed with some basic social engineering techniques.

Introduction to social engineering

The aim of hacking is to compromise systems and applications. Social engineering attackers exploit the users of these systems: they pretend to be employees, vendors, or even support personnel to trick the workers of the target organization. Unaware and unprepared employees are the most vulnerable to social engineering attacks. Attackers may appeal to these people’s willingness to help others, or take advantage of their lack of knowledge, to get them to reveal information that would compromise the system.

Traditional protection from viruses and malware, i.e., antivirus software, cannot protect organizations from social engineering attacks. Rigorous training sessions and drills need to be conducted regularly to ensure employees don’t fall for the attackers’ tricks. Some employees may also not care either way, so there should be failsafe mechanisms in place to ensure that attackers can’t take advantage of these willing employees. These mechanisms should also protect the system in case of a breach.

Let’s see what the general flow of a social engineering attack looks like:

  1. The attacker gathers information on their target before establishing contact.

  2. The attacker initiates contact with their target and gradually gains their trust—for example, by pretending to be from the IT team.

  3. The target breaks security protocol and hands over confidential information without first verifying the attacker’s identity.

  4. The confidential information includes the target user’s credentials, which the attacker then uses to compromise the target’s system.
