Abstract

This entry reviews the concept of social engineering, the use of deception to circumvent information security measures. While the term social engineering traces its roots back to attempts in the late 19th and early 20th centuries to manipulate social groups, the contemporary use of the term is rooted in the mid-20th century and its use among telephone enthusiasts or “phone phreaks.” Despite its association with contemporary information and computer security, social engineering is fundamentally a social process that parallels the deceptive strategies and relational practices found in other forms of fraud and deception. As such, it involves the exploitation of human psychology and the rules governing social interactions. Social engineering may have significant impacts on victims beyond financial damages, including emotional, psychological, relational, lifestyle, and employment harms. Relying on law enforcement to prevent these crimes is fraught with challenges. To prevent social engineering attacks, organizations may consider adopting a variety of policies and practices, including providing education for organizational members on proper security practices, creating clear and strong policies to guide member decision making, ensuring that onboarding procedures for new employees involve security awareness training and related protocols, creating an organizational culture that values security, employing technologically based fraud prevention measures, and regularly engaging in social engineering penetration testing.
