While social engineering is not considered to be a cyber attack, it can be the cause of one if organisations are not thorough enough to educate and protect their employees. 

Social engineering is a manipulation technique that targets the victim’s mind to exploit them. This tactic aims to lower the guard of their targets and encouraging them to commit unsafe actions like divulging personal information or opening suspicious attachments in emails. 

An example where social engineering is used to conduct a cyber attack is when a criminal impersonates an IT professional and sends a phishing email asking for an employee’s login information on the guise of patching up a security flaw. This tactic, when successful, allows the cyber criminal to have easy access without needing to conduct other attacks such as ransomware. 

One of the dangers of social engineering, which has become one of the most common methods of breaching an organisation’s initial defenses, is that a single person who is successfully fooled is enough to launch an attack that could affect the entire system. 

As with other kinds of manipulation tactics, social engineering’s first goal is to build false trust in their victims. During this period, the criminal gathers information about their victims in order to find something to exploit.    

After the criminal is able to gather enough information, they use it to impersonate a trustworthy source to establish a false sense of trust in their victims. Persuasion is then used to request information like login credentials from their victim. 

Once the criminal is able to gain access to the system, they then cease all communication with their victim and immediately conduct a cyber attack.  

The most common type of social engineering attack is phishing, which exploits human error in order to gain access to credentials or spread malware across the system.  

These attacks often manipulate the sense of urgency, curiosity or fear in victims in order to get them to reveal sensitive information through infected email attachments or links to malicious websites.  

In order to mitigate the threat of social engineering, consistent and tailored cyber training for employees is highly recommended. Training employees allows them to defend themselves against such attacks and to help them understand their role within the organisation’s security culture. 

A clear set of security policies should also be established so as to guide employees into making the best decisions when faced with social engineering attacks. This can be done through establishing password management, setting up multi-factor authentication, and beefing up email security with anti-phishing defenses. 

As social engineering attacks grow increasingly sophisticated over time, organisations should ensure that their employees are on top of the company’s security culture alongside updated cyber security protocols in order to mitigate human error.  

Eliza Sayon

Website | + posts

Eliza is a content producer and editor at Public Spectrum. She is an experienced writer on topics related to the government and to the public, as well as stories that uplift and improve the community.

• Developing an effective data ecosystem
• The journey of building an ecosystem through data
• NZ government strengthens data privacy laws against third parties
• eSafety Commissioner issues legal notice against Twitter