Social engineering

by John Bandler

Here is a quick definition of the term and explanation of cybersecurity best practices.

Social engineering definition in sum

Social engineering is simply, trickery, or con artistry.

Many cybercriminals rely upon social engineering to accomplish their crimes.

This means they trick a person into doing something they should not do. This could be tricking them into:

  • Clicking a link
  • Opening an attachment
  • Sending funds to a certain place
  • Forwarding certain funds transfer instructions to another person
  • Providing sensitive information, like a password, two-factor authentication code, social security number, date of birth, etc.

The fact of social engineering reinforces that people and their knowledge, awareness, and decisions, are the most important part of cybersecurity.

Even if cybersecurity and cybercrime prevention technical measures are in place, if a person does the cybercriminals bidding or lets the cybercriminal in, those technical measures will be defeated.

Social engineering can be a process that occurs over seconds, minutes, hours, days, and even months.

The brick and mortar analogy

Social engineering has been happening long before computers. Imagine a person knocks on your door, and pretends to be a utility worker, but is in fact a thief. You unlock the bolt and let them in. It doesn't matter how strong the door and lock were, because you let them in when they asked to come in.

Cybercrime typologies that rely on social engineering

This is really a laundry list, but I tried to order it from high social engineering (con artistry) input to lower:

  • Romance scams ("pig butchering")
  • Scams against seniors and the elderly
  • Email based funds transfer frauds
  • Business email compromise (BEC)
  • CEO Fraud, CFO Fraud, CXO Fraud
  • Data breach
  • Ransomware

Social engineering defense best practices in sum

Best practices to defend against social engineering are with my First Pillar of the Four Pillars of Cybersecurity, knowledge and awareness.

When we are knowledgeable and aware of cybercrime threats and good cybersecurity practices, we will make better decisions and be resistant to trickery.

  • Evaluate inconsistencies, discrepancies, errors, changes
  • Have a verbal conversation to confirm
  • Know who you are dealing with. Take steps to confirm identity (see Attribution, coming someday)
  • Don't rush, and be suspicious if someone is trying to rush you
  • Know what action you are really taking and why
  • Ask a trusted person that you know in real life
  • Emotions can be powerful. But look to facts and logic.

Related terms

This is a key term definition article

I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.

Disclaimer

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform. You need to assess your own risks and decide. You assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words so cannot exhaustively cover all areas.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.

Conclusion

If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/social-engineering, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at NOT YET (though not kept as up to date).

Originally posted 6/22/2023, updated 6/28/2023.