Social Engineering
The psychological manipulation of people into performing actions or divulging confidential information, exploiting human trust rather than technical vulnerabilities. Techniques include pretexting (fabricating scenarios), baiting (leaving infected USB drives), tailgating (following authorized personnel through doors), quid pro quo (offering something in exchange), and influence campaigns. Social engineering is often the first stage of a larger attack chain and is the most difficult threat to defend against technically. Kevin Mitnick famously demonstrated that humans are the weakest link in security. Social engineering principles are tested in Security+, CEH, and CISSP certifications.
Why It Matters
In practice, social engineering is critical because it bypasses even the most sophisticated technical security controls by targeting the human element, which cannot be patched or updated like software. Organizations that fail to train employees against social engineering face account compromises, unauthorized physical access, and data breaches initiated through manipulated insiders. The MGM Resorts and Caesars Entertainment breaches in 2023 both began with social engineering calls to help desk staff, resulting in hundreds of millions of dollars in losses. AI-powered voice cloning and deepfake video are making impersonation attacks increasingly convincing and harder to detect. On certification exams such as Security+, CEH, and CISSP, expect questions about identifying social engineering techniques by name, understanding the psychology of influence principles like authority and urgency, designing security awareness programs, and evaluating physical security controls against tailgating and impersonation.
Practice this topic
Test your knowledge of Social Engineering concepts with exam-style practice questions.
Related Threats & Attacks terms
Malware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems, encompassing a broad category of threats including viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Malware can be delivered through phishing emails, malicious downloads, drive-by downloads, USB drives, or supply chain attacks. Defense strategies include endpoint protection (antivirus/EDR), application whitelisting, user awareness training, and keeping software patched. Malware analysis (static and dynamic) is a specialized skill used in incident response and threat intelligence. Malware types and defenses are fundamental topics in Security+, CEH, and CySA+ certifications.
Ransomware
A type of malware that encrypts a victim's files or locks system access and demands a ransom payment (typically in cryptocurrency) for the decryption key. Modern ransomware attacks often involve double extortion — encrypting data and threatening to leak it publicly. Ransomware-as-a-Service (RaaS) has lowered the barrier for attackers, with groups like LockBit, BlackCat, and Cl0p operating affiliate programs. Prevention includes offline backups, network segmentation, email filtering, endpoint detection, and patch management. Ransomware incident response is a critical topic in CISSP, CySA+, and incident response certifications.
Phishing
A social engineering attack that uses fraudulent emails, text messages (smishing), or phone calls (vishing) to trick users into revealing sensitive information like credentials, financial data, or installing malware. Phishing is the most common initial attack vector, responsible for over 80% of reported security incidents. Variants include spear phishing (targeted), whaling (targeting executives), and business email compromise (BEC). Defenses include email authentication (SPF, DKIM, DMARC), security awareness training, URL filtering, and multi-factor authentication. Phishing recognition is tested in Security+, CEH, and every major cybersecurity certification.
SQL Injection
A code injection technique that exploits vulnerabilities in a web application's database layer by inserting malicious SQL statements into input fields or URL parameters. Successful attacks can extract, modify, or delete database contents, bypass authentication, or execute operating system commands. Types include in-band (UNION-based, error-based), blind (boolean-based, time-based), and out-of-band SQL injection. Prevention requires parameterized queries (prepared statements), input validation, stored procedures, and web application firewalls (WAFs). SQL injection is consistently ranked in the OWASP Top 10 and is heavily tested in CEH, OSCP, and web security certifications.
Cross-Site Scripting (XSS)
A web security vulnerability that allows attackers to inject malicious client-side scripts (usually JavaScript) into web pages viewed by other users, potentially stealing session cookies, credentials, or performing actions on behalf of victims. Three main types exist: Stored XSS (persisted in the database), Reflected XSS (included in the server response from user input), and DOM-based XSS (executed entirely in the browser). Prevention includes output encoding, Content Security Policy (CSP) headers, input validation, and using modern frameworks with built-in XSS protection. XSS is a persistent OWASP Top 10 vulnerability and a core topic in CEH, OSCP, and web application security exams.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target system, service, or network with a flood of traffic from multiple distributed sources (often a botnet), making it unavailable to legitimate users. DDoS attacks operate at different layers: volumetric (bandwidth flooding), protocol (SYN floods, Ping of Death), and application layer (HTTP floods, Slowloris). Mitigation strategies include CDN-based protection (Cloudflare, AWS Shield), rate limiting, traffic scrubbing centers, and anycast routing. DDoS attacks can cause significant financial damage through downtime and are a common threat assessed in Security+, CEH, and CISSP certifications.