ABSTRACT

Social engineering refers to the use of psychological manipulation as part of a cyber-attack. This ranges from basic manipulation techniques in phishing emails, such as a claim that the recipient has won a lottery, to more complex scams in which the social engineer gains physical access to an organisation's premises. Social engineering has been identified as one of the most serious cybersecurity attack vectors, yet there is a lack of research into social engineers and the techniques they use. These techniques are often based on exploiting decision-making heuristics: the mental shortcuts we use in daily life to navigate our complex social worlds. For instance, including a bank's logo in a phishing email is an attempt to exploit the representativeness heuristic, by which we judge something to be legitimate because it resembles what we expect a genuine example of its kind to look like. This chapter explores the psychological factors relevant to social engineering attacks, drawing upon examples provided by ethical social engineers who work to help organisations and individuals protect themselves.