Social engineering
Social engineering, often termed "human hacking," involves the manipulation of individuals into divulging confidential information or engaging in specific actions. Primarily reliant on interpersonal interactions, this technique exploits the natural human inclination to assist others. While often linked to criminal activities, such as those perpetrated by hackers, social engineering is also utilized in legitimate contexts, including corporate and national security efforts aimed at protecting sensitive data.
The process typically begins with intelligence gathering, where information about a target is collected from various sources, including social media or physical waste. This foundational knowledge enables the social engineer to construct a convincing pretext for interaction, such as posing as a colleague or a reputable authority figure, thereby encouraging the target to share information willingly.
Although many may perceive social engineering as a distant concern, it is a practice that touches everyone’s lives, as everyone has, at some point, navigated social interactions to influence others. Importantly, anyone can be a potential target, emphasizing the need for awareness about the risks associated with social engineering tactics.
Social engineering, sometimes referred to as human hacking, refers to the art and technique of convincing people to release confidential information or engage in a course of action they may not necessarily choose for themselves. Oftentimes associated with security testing services, social engineering makes up a critical part of “red cell missions” in which security penetration testers attempt to gain access to confidential or proprietary information to better understand the limitations of established security techniques. Social engineering may involve different types of technology, but it is primarily based on the interactions between people and an inherent desire for people to help one another. A common form of online social engineering is phishing.
![Trishneet Arora Ethical Hacker & Ethical Hacking Books Author. Trishneet Arora is an ethical hacker, author, cyber security expert, and cyber crime consultant. By Trishneetaroraethicalhacker (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons](https://imageserver.ebscohost.com/img/embimages/ers/sp/embedded/89677630-58605.jpg?ephost1=dGJyMNHX8kSepq84xNvgOLCmsE2epq5Srqa4SK6WxWXS)
Overview
Criminals and con artists engage in social engineering, but this is not to say that the practice concerns only those operating outside the law. While the term initially got its name from the activities of computer hackers attempting to influence people into divulging personal or confidential information about themselves or their company, it has evolved into much more than an illegal pursuit for profit. Social engineering is employed by a variety of people within the corporate and national security industries in order to make sure that personal and commercial data is kept safe.
The cornerstone of a successful social-engineering approach is the collection of intelligence. Intelligence consists of all the actionable information one can compile about the target of an attack in order to gain the highest likelihood of success. During the process of intelligence gathering, it may be impossible to tell what information may be actionable, so anything one can gather at this stage may later be useful. Intelligence can be gathered from a variety of sources, ranging from personal postings on the Internet to rummaging through the target’s trash. Once sufficient intelligence has been gathered, the target is approached either in person, by phone, or by e-mail.
The best approach consists of developing a believable pretext in order to successfully use the information gathered to ask questions and direct action. The type of pretext that is most successful is one that puts the target at ease in divulging information. Are you a fellow employee from another department? A new acquaintance at the bar who holds similar interests and views as the target? Someone from an institution with which they are familiar or highly respect? The answers to these questions depend greatly on the information gathered and how this allows the social engineer to craft questions and approaches that lead to the desired outcome.
While the concept of social engineering may seem to be far removed from the lives of most people, it is important to remember that everyone has engaged in, or been influenced by, the process of social engineering. While most people have not approached someone with the intended goal of obtaining confidential corporate information, everyone has at some point in their life used what they know about someone to gain information or shape the other person’s behavior. Equally important is to remember that anyone could potentially be the target of a social engineering attack regardless of how important they view their role within a particular business.