Tuesday, November 6, 2007

Information Security Management - Social Engineering

Social engineering (SE) is the practice of obtaining confidential information by manipulating the legitimate holders of sensitive information. Often the attacker will try to convince the victim that they are in a formal position of authority, and will trick the person into revealing sensitive information or carrying out an act which is contrary to the organisation’s policies.

Approaches can be made:

- By telephone
- Face to face
- Email (exploratory or spoofed – e.g. appearing to come from a colleague)
- By searching through waste
- Web searches
- Statutory company returns
- Online open information, such as CVs
- Advertising

The UK’s CPNI, formerly the National Infrastructure Security Co-ordination Centre, has some excellent background on SE, with explanations of the above categories of attack, and provides advice on how to reduce the risk of it happening to you. Click here to download a copy of their publication.