Despite being an integral aspect of many, if not most, major attacks, social engineering tactics always seem to go underappreciated by enterprise security teams. However, it’s often easier to trick someone into opening an email and exploiting a vulnerability that way, or convincing an unsuspecting assistant to provide a few useful bits of information, than it is to directly attack a web application or network connection.

So, when attackers employ social engineering tactics, what exactly are they doing? Think of social engineering as the act of exploiting people instead of computer systems. That exploitation can come in the forms of convincing someone to provide physical entrance to the data center (perhaps by acting like an insider or service tech) or tricking someone into offering a password and user ID over the phone.

The techniques for social engineering range widely, as does the potentially targeted information. For example, we said that social engineering could include a phishing email that tricks a user to open an attachment that includes some type of exploit or payload. But social engineering techniques include showing up dressed as delivery people, tech support, corporate attorney, salespeople, job applicants—you name it and it probably had been attempted and likely been used successfully somewhere.

Often, it’s the goal of the social engineer to push an attack just one step further by obtaining a password, or even getting a name that can be dropped in a planned, deeper social engineering attack. Or, it could be as simple as attempting to obtain information about the network and computer systems and where data are held within the organization.

Any organization that wants to protect its information systems and intellectual property needs to be aware of social engineering threats and train employees to be able to quickly identify such attacks. People throughout the organization can be approached at any time: friended online, approached at trade shows, or have criminals act as insiders as part of an attack.