Social Engineering is the art of gaining access to a secured system or resource by exploiting human behavior. It involves tricking people into breaking normal security procedures. Most attack vectors rely heavily on technical skill to find gaps in a security system; social engineering instead relies on a good understanding of human psychology. Thoroughly researching the target before an attack makes social engineering a powerful tool in the hands of the attacker.
* Baiting: Leaving a malware-infected USB drive at a coffee shop in the hope that someone will be curious enough to plug it in and check it out. Once the person plugs the drive in, malware is installed on their computer. See "More Information" for a Black Hat talk about leaving infected USB drives behind for potential targets and the results of such attacks.
* Pretexting: Telling lies to gain access to private information. An example would be impersonating a bank officer and asking people for personal information to "confirm their account." See "More Information" for a pretexting example where a social engineer makes changes to a target's cell phone account with very little known information.
* Phishing: Sending an email which looks like it is from a trusted source to bait the user into clicking a link (to install malware) or replying with private information.
* Infiltrating: Impersonating someone legitimate in order to gain physical access to a secured location; for example, accessing an office by pretending to be the coffee-machine repair person.
* Tailgating: Also called piggybacking and closely related to infiltrating, tailgating is the act of following someone else - often a person or group with access cards - into a building or secure area, with or without their consent.
* Lastly, the 419 scam, also known as the Advance-Fee Scam, is a real-life example of social engineering. Scammers in Nigeria and other developing countries would manipulate victims by building an emotional connection with them in order to scam money. Common strategies included posing as someone from a poor country in need of donations, or informing people that they had won money and asking for their account numbers. These emails were very convincing, and many have fallen victim to these scams.
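As an added example that is not part of the original article, the small Python check below looks for the two tells of a phishing email described above: a display name that claims a trusted organisation while the real address sits on another domain, and link text that shows a trusted site while the href points elsewhere. TRUSTED_DOMAINS, BRAND_NAMES and the sample message are assumptions constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example-bank.com"}   # assumption: the organisation's real mail domain
BRAND_NAMES = {"example bank"}           # assumption: how that organisation's name appears

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def host_of(text):
    # Hostname of a URL; bare "www.host/path" link text is treated as http://.
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

class _Links(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.pairs, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.pairs.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_indicators(raw_email):
    # Returns the reasons a message only *looks* like it comes from a trusted sender.
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Trusted brand in the display name, but the real address is on another domain.
    if any(b in name.lower() for b in BRAND_NAMES) and not is_trusted(sender_domain):
        reasons.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # 2. Link text shows a trusted host while the href points elsewhere.
    links = _Links()
    links.feed(msg.get_payload())
    for href, text in links.pairs:
        if is_trusted(host_of(text)) and not is_trusted(host_of(href)):
            reasons.append(f"link text '{text}' points to '{host_of(href)}'")
    return reasons
# Constructed sample message (not real mail) that trips both checks.
PHISH = """From: Example Bank Security <alerts@examp1e-bank-login.net>
Content-Type: text/html

<p>Please <a href="http://examp1e-bank-login.net/verify">www.example-bank.com/login</a> now.</p>
"""
```

Both indicators are heuristics: a legitimate newsletter sent through a third-party mailer can trip the first one, so treat a hit as a reason to verify the sender out of band rather than as proof of phishing.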
In general, the more you know about these attacks, the better prepared you will be to combat them. Be conscious of who you share information with and why.