What are social engineering attacks?
Social engineering attacks attempt to trick users into doing something that goes against security policies and procedures. They are often successful because instead of attacking technological vulnerabilities, they prey on human curiosity, trust, or the desire to help. Social engineering uses many approaches to get an individual to share confidential information or take other actions that might compromise security.
- Phone calls—The attacker might simply call the victim, pretending to be someone else to request information.
- Shoulder surfing—This is the practice of spying on or looking over the victim’s shoulder to obtain personal information such as usernames, PIN numbers, or passwords.
- Phishing—In a phishing attack, an email that appears to come from a legitimate sender (either an individual or an organization) is sent to the victim. The email may simply ask for sensitive information (e.g., passwords or credit card numbers), or it may include a link for the user to click on to perform some “necessary” action in response to the email. This takes the user to a fraudulent website where the user may be asked to provide sensitive information. The user might also be tricked into clicking on a URL that downloads malware or plants a backdoor into the user’s system that gives the attacker a way into the system at a later time.
- Piggybacking—An unauthorized individual might follow an authorized person into a restricted area. The unauthorized individual might pretend to be a delivery person, for example, and ask the authorized individual to hold the door open.