# Social engineering

**What is social engineering?**

Social engineering is the deliberate manipulation of people in order to obtain credentials, information or money. The attacker poses as someone trustworthy, such as a manager, a supplier or a technician, and exploits helpfulness, time pressure and authority.

In a normal working day it rarely looks dramatic. The phone rings and the caller introduces himself as a technician from your IT provider who needs remote access for a moment because of a fault. An email asks for an invoice to be released quickly. A text message appears to come from the managing director. The route through the front door also exists, where a visitor presents himself as a service engineer and is shown into the server room.

The warning signs repeat themselves across every channel. Pressure is applied, the matter is urgent, and the normal procedure is to be skipped once for a plausible reason. Confidentiality is requested so that the person approached asks nobody else. The request arrives through an unusual channel, perhaps a private mobile number or an address that closely resembles a familiar one. Anyone who recognises this pattern can hold the request before damage occurs.

The sensible first step is a fixed procedure for the three transactions that carry the most weight in a small business: payment approvals, changes to bank details and password resets. Each of them requires verification through a second channel, meaning a call back to the number held in your own records. Equally important is explicit permission for your staff to delay an urgent instruction until it has been verified. That permission has to come from the management, because otherwise the pressure outweighs the rule.

Technology limits the damage once a deception succeeds. Two-factor authentication, a second proof of identity in addition to the password, largely devalues a password that has been handed over. Tight permissions limit how far a hijacked account can reach. Logs show afterwards what actually happened. An IT Check examines precisely these points: accounts, permissions, email protection and the question of who can reach your systems from outside.

## Related terms
- [Phishing](https://vetosec.at/en/it-security/phishing/)
- [CEO fraud and invoice fraud](https://vetosec.at/en/it-security/ceo-fraud/)
- [Security awareness training](https://vetosec.at/en/it-security/awareness-schulung/)
- [Two-factor authentication (2FA)](https://vetosec.at/en/it-security/zwei-faktor-authentifizierung/)

## Source
https://vetosec.at/en/it-security/social-engineering/ (vetosec, angriffe)
