17. Explain the term ‘social engineering’ (AC 4.1)

What is social engineering?

Social engineering is a form of cyberattack in which criminals manipulate or deceive people. Instead of breaking into a system by technical means, they trick people into giving away sensitive information such as passwords, bank details, personal data or company login credentials. This could involve the attacker pretending to be a trusted figure, creating a fake website, or using psychological manipulation to make the victim act without thinking. The main purpose of social engineering is to gain access to systems, networks or physical locations. The ultimate goal is usually money or data theft, or the attack can be just one step in a much bigger cybercrime.

Why do criminals use social engineering?

The main reason cyber criminals use social engineering is that it is very often the fastest route to whatever nefarious goal they have. In comparison, technical hacking is more labour and resource intensive: they would have to get through firewalls and encryption and, in a big organisation, past a whole team of cyber security professionals whose job is to stop exactly this kind of attack. Social engineering, on the other hand, is a lot easier. For example, an attacker might call an employee pretending to be IT support, saying there is an urgent matter that needs resolving and that they need the employee's password to fix it. If the employee falls for it, the attacker now has direct access. This is known as pretexting.

Phishing is another form of social engineering. A good example is an attacker sending fake emails pretending to be from any number of legitimate sources, such as the employer, the bank or an insurer. The email is almost always urgent, asking the future victim to quickly click a link to solve whatever problem there supposedly is, for example: "Your account has been compromised! Reset your password now! Click here!" This causes people to panic, and panicked people are more likely to act without questioning the legitimacy of the request.

How does social engineering work?

It works by exploiting human psychology. Unlike a system or network, which can be designed to be very hard to penetrate, humans are susceptible to simple manipulation tricks:

Authority. Attackers often pretend to be someone important, such as your boss, a police officer or IT support. This causes the victim to obey the instructions without giving them much thought.

Fear and urgency. Creating panic pressures someone into acting without thinking and without the opportunity to talk to anyone else about it, so the victim mindlessly follows whatever the attacker is demanding.

Trust and familiarity. Impersonating a friend, a colleague or a family member to gain the victim's trust and confidence: "It's my cousin's wedding. Of course I'll click the link to see the wedding photos."

Curiosity and greed. Attackers often offer fake prizes, job offers or exciting deals to lure victims into clicking a malicious link.

Attackers do not have to rely on email to carry out their crime; they will use any means necessary: phone calls, text messages, physical mail, fake websites and in-person interactions. The key takeaway is that social engineering does not target computer systems but people.
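The psychological levers above (urgency, a claim of authority, a request for credentials, and a link that does not go where it claims) are also what a defender can look for in an incoming message. The following is an added illustration, not part of the original coursework: a small heuristic scorer that checks a message for those cues. The phrase lists, weights, the trusted-domain set and the two sample messages are all constructed for this example; a real mail filter would use far more signals.

```python
"""Heuristic scorer for the social-engineering cues discussed above.

Added example (not from the original page). Phrase lists, weights and the
sample messages are constructed assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cue phrases grouped by the lever they pull (constructed lists).
URGENCY_PHRASES = ("compromised", "suspended", "immediately", "right now",
                   "act now", "within 24 hours", "reset your password now")
CREDENTIAL_PHRASES = ("password", "login details", "bank details", "card number")
AUTHORITY_PHRASES = ("it support", "it department", "your bank",
                     "hr department", "police")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: two or more independent cues, or one spoofed link.
        return self.score >= 4


def _host(addr_or_url: str) -> str:
    """Lower-cased host part of an e-mail address or URL ('' if none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _has_phrase(text: str, phrases) -> list:
    """Whole-word matches so 'pin' does not match 'shipping', etc."""
    return [p for p in phrases if re.search(rf"\b{re.escape(p)}\b", text)]


def score_message(sender_addr: str, subject: str, body: str,
                  links, trusted_domains) -> Verdict:
    """Score one message.

    links is a list of (visible_text, href) pairs; trusted_domains is the set
    of domains the organisation genuinely deals with.
    """
    text = f"{subject} {body}".lower()
    v = Verdict()

    urgency = _has_phrase(text, URGENCY_PHRASES)
    if urgency:                       # fear and urgency lever
        v.score += 2
        v.reasons.append(f"urgency language: {urgency}")

    creds = _has_phrase(text, CREDENTIAL_PHRASES)
    if creds:                         # asks for secrets
        v.score += 1
        v.reasons.append(f"asks for credentials: {creds}")

    authority = _has_phrase(text, AUTHORITY_PHRASES)
    if authority and _host(sender_addr) not in trusted_domains:
        v.score += 2                  # authority claimed from an unknown domain
        v.reasons.append(f"authority claim from {_host(sender_addr)}: {authority}")

    for visible, href in links:
        shown = _host(visible) if visible.lower().startswith("http") else ""
        actual = _host(href)
        if shown and shown != actual:  # link text names one host, target is another
            v.score += 3
            v.reasons.append(f"link shows {shown} but goes to {actual}")
        elif actual and actual not in trusted_domains:
            v.score += 1
            v.reasons.append(f"link to untrusted host {actual}")
    return v


TRUSTED = {"example-bank.com"}        # constructed

# Constructed phishing sample modelled on the pretexting/phishing examples above.
PHISH = dict(
    sender_addr="helpdesk@it-example-bank.test",
    subject="Your account has been compromised!",
    body="This is IT Support. Reset your password now or access will be "
         "suspended. Click here: http://example-bank.com/reset",
    links=[("http://example-bank.com/reset",
            "http://example-bank.com.login-check.test/reset")],
)
# Constructed benign sample: routine notice, no urgency, link to the real host.
BENIGN = dict(
    sender_addr="alerts@example-bank.com",
    subject="Your monthly statement is ready",
    body="Your statement is available in online banking. Sign in as usual.",
    links=[("View statement", "https://example-bank.com/statements")],
)


def demo():
    return {name: score_message(trusted_domains=TRUSTED, **msg)
            for name, msg in (("phish", PHISH), ("benign", BENIGN))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict.score, verdict.suspicious, verdict.reasons)
```

The phishing sample trips every cue the text lists (urgency, a credential request, an authority claim from a domain the organisation does not know, and a link whose visible text differs from its real target), while the routine statement notice scores zero. Note that the spoofed link alone is enough to cross the threshold, which matches the point in the text that the "click here" link is where the harm actually happens.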