Social engineering is a method of persuading people to reveal sensitive information in order to perform a malicious action. With the help of social engineering tricks, attackers can obtain confidential information, authorization details, and access details of people by deceiving and manipulating them.
Attackers can easily breach the security of an organization using social engineering tricks.
All security measures adopted by the organization are in vain when employees get “social engineered” by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam email, and bragging in front of co-workers.
Most often, people are not even aware of a security lapse on their part. Chances are that they divulge information to a potential attacker inadvertently. Attackers take special interest in developing social engineering skills, and can be so proficient that their victims might not even realize that they have been scammed. Despite having security policies in place, organizations can be compromised because social engineering attacks target people's tendency to be helpful. Attackers are always looking for new ways to gather information; they ensure that they know the perimeter and the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit human oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearance with known entities. For instance, upon seeing a man dressed in a uniform and carrying a stack of packages for delivery, any individual would take him to be a delivery person.
Companies list their employee IDs, names, and email addresses on their official websites. Alternatively, a corporation may put advertisements in the paper for high-tech workers who are trained in Oracle databases or UNIX servers. These bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.
Reference: CeHv8