Social engineering: what it is and how it works

Updated at: Oct 01, 2019
By Gatefy

Social engineering in practice

The following question will help you understand the term social engineering:

Is it easier, in general, to persuade, lie to and manipulate a person in order to get important information, or to break into their network or software to get the same information?

Think about this example. A fraudster wants to obtain a login and password to access a company's bank account. Would it be simpler to fool the company's accountant, or to find a vulnerability in the software the accountant uses?

Bingo! In general, persuading and manipulating people requires less effort and ends up being very effective. When we talk about cybersecurity, this tactic is called social engineering.

What is social engineering in practice? How does it work?

We have said that, in general, social engineering requires less effort than an intrusion that exploits a software or network vulnerability, but that doesn't mean it is not laborious and thorough. Quite the opposite.

Social engineers are smart, studious and cunning people. Once they define a target, they do extensive research on it.

For example, if the target is a company, the hacker will gather as much information as he can about its operations, structure, employees, partners and directors. To do that, he uses search engines, social networks and the company's own website.

After that, the criminal focuses his efforts on the weakest link in cybersecurity: people, the so-called "human factor". Most of the time, to get what he is looking for, the hacker deceives the victims by impersonating someone else, such as an important director or a partner.

Example of a social engineering attack

One of the most famous examples of the consequences a social engineering attack can have is the 2011 data breach of the security company RSA.

A small group of RSA employees received emails with an Excel document attached. The email subject said something like "Recruitment Plan." What the employees didn't know: the attachment was a malicious file which, once opened, installed a backdoor for the hackers. Because of this attack, it's estimated that RSA spent about $66 million.