How is social engineering defined? We define social engineering as “any act that influences a person to take an action that may or may not be in their best interest.” Our primary focus in this framework is malicious social engineering; however, both the positive and malicious uses of social engineering rely on the same principles. With this in mind, it is also important to understand the psychological, physiological, and technological aspects of influence in general.
Top Methods of Malicious Social Engineering Defined
The top four methodologies of malicious social engineering are:
- Phishing: The practice of sending emails that appear to be from reputable sources with the goal of influencing or gaining personal information.
- Vishing: The practice of eliciting information or attempting to influence action via the telephone; it may include such tools as “phone spoofing.” Similar to phishing, the goal of vishing is to obtain valuable information that could contribute to the direct compromise of an organization.
- Impersonation: The practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.
- SMiShing: We define SMiShing as “the act of using mobile phone text messages (SMS) to influence victims into immediate action. These actions may include downloading mobile malware, visiting a malicious website, as well as calling a fraudulent phone number.”
Malicious social engineering is one of the greatest risks to information security. In fact, the 2019 Verizon Data Breach Investigation Report (DBIR) confirms that criminals actively target human weaknesses. For example, according to the DBIR, of the 2,013 confirmed data breaches, 33% included Social attacks. In a social attack, criminals target emotions such as fear, urgency, or obedience to influence decision making. Additional social engineering statistics can also be found on our infographic.
Categories of Social Engineers
Social engineering, and those who use it, can be broken down into many categories. In the General Discussion section of this Framework we explore 11 categories, ranging from professional spies, cyber criminals, and hackers to everyday people such as children, doctors, salespeople, and parents.
What to Expect
The principles in this Framework will help you clearly understand how criminals use malicious social engineering. Additionally, you will see how to use social engineering in a positive way: for instance, to develop and enhance communication skills and relationships, and to increase your own understanding of those with whom you interact.