Not many people fully understand what social engineering is and how it has evolved over the years. When I first sat down to write about social engineering there were no agreed-upon definitions for it. I also realised that there was very little literature in this field, as it is still fairly new.
The popularisation of the term social engineering has also had some unplanned consequences. Because there is no commonly agreed-upon definition of what social engineering really is, there are mixed opinions on what forms part of it. As an example, when a group of security enthusiasts was asked "What is social engineering?", their responses varied considerably:
“Social engineering is lying to people to get information.”
“Social engineering is being a good actor.”
“Social engineering is knowing how to get stuff for free.”
Each of these answers captures only a small part of what social engineering entails.
Around the same time that social engineering became an important topic, e-mail became the preferred medium for corporate communication, displacing traditional media such as postal letters and faxes. The cost and effort of sending several thousand e-mail messages are far lower than those of sending thousands of letters or faxes, and this has led to an abundance of scams.
The sudden popularisation of the field without a standardised definition, combined with a body of research that focuses primarily on phishing, has had a significant impact on the field.
Having no formalised definition of social engineering has had several secondary consequences. Without a formal definition there is no way to determine what the field actually entails, and as a result there is also no standardised attack framework that explains the full process of a social engineering attack.
A standardised attack framework would help someone document a social engineering attack correctly and comprehensively. Because no such framework exists, few social engineering attacks have been documented in detail, and the detection side of social engineering has largely been ignored.
In a 1995 publication, the authors Winkler and Dealy posit that the hacker community has started to define social engineering as "the process of using social interactions to obtain information about a victim's computer system." The most popular definition of social engineering is the one by Kevin Mitnick, who defines it as "using influence and persuasion to deceive people and take advantage of their misplaced trust in order to obtain insider information".
Current definitions differ on what social engineering involves. The one element they all have in common is that a human is exploited, either to obtain unauthorised information or to make that person perform some action.
Social engineering is focused on taking advantage of people's inherent desire to trust in order to gain access to their sensitive information. It is my goal to equip the public with the skills to become more vigilant about cyber attacks and the ways they can protect themselves.
These are the definitions that I will be referring to throughout my articles and training.
Social Engineering: The science of using social interaction as a means to persuade an individual or an organisation to comply with a specific request from an attacker where either the social interaction, the persuasion or the request involves a computer-related entity.
Social engineer (noun): An individual or group who performs an act of Social Engineering.
Social engineer (verb): To perform an act of Social Engineering. When the verb is used in the perfect passive form ("has been social engineered"), it means a successful Social Engineering attack has occurred. For example, "The target may not know that he or she has been social engineered."
Social Engineering attack: A Social Engineering attack employs either direct communication or indirect communication, and has a social engineer, a target, a medium, a goal, one or more compliance principles, and one or more techniques.
These definitions are used to identify three subcategories of Social Engineering attack, and from them to develop a structured Social Engineering Attack Classification.