This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is David Shipley.

What is it?

A human-centric manipulation technique that uses deceptive tactics to trigger emotionally driven actions that are in the interests of a cybercriminal or attacker.

Why is it important?

Exploiting people can be an effective means for criminals to bypass security processes and technology controls. Social engineering can be used to create a point of entry into a computing device, application, or network via an unsuspecting person.

Why does a business professional need to know this?

Social engineering attacks can cost millions of dollars. Recently, MacEwan University was the victim of a phishing attack that fooled employees into changing banking information for a major vendor. As a result, nearly $12 million was transferred to the attackers.

Social engineering can take many forms. It includes phone scams, face-to-face manipulation and deception, email-based phishing attacks, targeted spear phishing of specific individuals, and whaling attacks, which are aimed at senior executives. Social engineering poses a tangible business risk for security professionals, executives, and boards of directors alike.

Social engineering through phishing is a growing threat to individuals and organizations of all types. According to the 2016 Verizon Data Breach Investigations Report, 30 percent of targeted individuals will open a phishing email message, and 12 percent will also open attachments or links that may contain malicious code.

Over the past two years, a new type of social engineering attack targeting senior executives and financial departments has emerged. Known as whaling (because “big fish” are the targets), these attacks seek to deceive employees into authorizing six-, seven-, and even eight-figure fraudulent wire transfers.

Countering social engineering requires organizations to think beyond technology-based defenses such as email filtering, firewalls, or endpoint detection. An effective technique to defend against social engineering is to identify and manage employees at risk and create an educated workforce that is aware of all forms of social engineering.

Engaging leadership and employees in managing the risks of succumbing to social engineering attacks can be an effective proactive strategy. Further, this creates a critical cultural shift from cybersecurity as an IT-centric service to cybersecurity as a shared responsibility.