What is social engineering? In this Framework we define social engineering as “any act that influences a person to take an action that may or may not be in their best interest.”  Although we tend to focus on the malicious forms of social engineering, it is important to understand the psychological, physiological, and technological aspects of influencing a person in general. The same principles that are used in the positive sense can also be used maliciously.

We have broken down malicious social engineering into three top methodologies:

1. Phishing: The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.
2. Vishing: The practice of eliciting information or attempting to influence action via the telephone, may include such tools as “phone spoofing.“
3. Impersonation: The practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.

Many consider social engineering tactics to be the greatest risk to information security. Statistics on these can be found on our infographic.

The principles presented in this Framework can be used to clearly understand how malicious social engineering is used against you as well as to develop and enhance communications, relationships, and your own understanding of those with whom you interact.