What Is Social Engineering?

Social engineering is a term that is widely used but poorly understood. It’s a type of information security attack that depends primarily on some type of human interaction. Social engineers often use some technical tools, such as phishing emails or fake websites, but it’s the human interaction, an effort to prey on human weakness, that defines an attack as social engineering. Social engineering means tricking or coercing people into revealing information or violating normal security practices.

Social engineers carry out scams meant to get them information that doesn’t belong to them. For example, they may pass themselves off as part of an organization’s tech-support team and then call around asking employees for their passwords. Or they may simply dress or act in a way that fools someone into thinking they have more influence or importance than they do.

All attacks, such as viruses, Trojan horses, scareware, and phishing emails, rely on some element of human interaction or trickery to be effective. Virus writers use social engineering tactics to persuade people to open malware-laden email attachments. Phishers convince people to divulge sensitive information. Scareware vendors frighten people into running software that is useless at best and dangerous at worst.

Social engineering also relies on most people’s ignorance of just how valuable their personal information or authority may be to someone looking to steal, use, or sell it. They may not realize that a seemingly useless small piece of information they have just divulged represents an important piece in a larger puzzle that some attackers are trying to solve. Social engineering is so dangerous because, when successful, it results in an authorized individual carrying out actions on behalf of an unauthorized party. Nearly all security controls are based on the assumption that authorized subjects should be trusted. If an attacker can trick a legitimate user into doing something the attacker isn’t authorized to do, those actions are hard to stop and to track. Attackers know that successful social engineering attacks are often the most productive and least likely to set off alarms.

You must learn how to look out for such attacks and evade or thwart them before a breach occurs. It all starts with educating users on how to identify social engineering attacks on the front lines.
