Cybersecurity 101: What Is Social Engineering?

In the cybersecurity industry, we use a lot of buzzwords and acronyms, which, while helpful at times, can also confuse our meaning.

In an effort to promote clarity, we are kicking off our Cybersecurity 101 blog post series, which will help set a standard for cybersecurity term definitions. We’ll begin with social engineering: what it is, how it works, and how you can protect yourself against it.

What is social engineering?

Definition: Social engineering is a type of attack where scammers trick people into giving them access to sensitive information through a combination of manipulation and human.

Social engineering techniques, including phishing, in-person attacks, phone calls, and more, take advantage of a victim's trust to evade perimeter defenses, steal data, and access private networks. While easy to define, these social engineering attacks typically aren't easy to recognize in real time.

How does social engineering work?

Attackers are experts and know how to earn your trust, hijacking your typical thought process to make you cooperate on their behalf. These interactions can seem so routine that you may not realize your mistake even after the crime has been committed. Social engineering can range from a malicious email attachment to a "friendly" visitor in the office.  

Instead of finding the key, it is easier for criminals to ask someone to hold the door. For example, let's say you get a call from Joe Smith, who says he works in IT at your company and needs to initiate a new software update on your computer. He mentions your manager has put in the request for you. Joe needs your login password to start this update, so you give it to him over the phone. Later, you find out your computer has been hacked and someone has been sending emails on your behalf. Joe did not work for your company; he used social engineering, relying on his conversational tone, to manipulate you into thinking he did.

How to protect against social engineering?

Socially engineered attacks are centered on people, not technology. Individuals should be trained to recognize and report attempts that get through.

To help you and employees at your company avoid social engineering attacks, check out our customizable training materials.
