Social engineering is deception, manipulation or intimidation of a person to gain illicit access to information assets. It is difficult to prevent because it exploits human psychology to bypass security protections. Often, criminals and scam artists target a specific person and use publicly available information about that person to trick them into sharing sensitive, private information.
Even the most security-minded individuals may be deceived under the right circumstances. Threat actors exploit employees who are distracted or busy, target employees on vacation or choose specific times when an industry is busy. They use intimidation, fear and greed, and they even exploit the impulses of good people who try to be helpful.
The 2020 Data Breach Investigations Report (DBIR) found that social engineering was involved in 22% of the data breaches studied worldwide. The top social engineering attack methods were email (96%) and websites (3%), although phone calls, text messages and social media are also common. The main compromise target for social engineering was credentials, but threat actors also target personal data, internal business data, medical data and bank data.