Social engineering is a method used to gain unauthorised access to information or IT systems by drawing information out of employees. In social engineering, an attacker generally makes direct contact with a victim (e.g. over the phone, by e-mail, or even on social networks). Attacks using social engineering often comprise several stages. By feigning insider knowledge while appealing to an employee's willingness to help, an attacker can expand their knowledge step by step. If employees are not made sufficiently aware of this type of attack, they can be manipulated into performing unauthorised tasks through skilled persuasion. This may result in them passing on internal information, infecting their systems with malware or even transferring money to purported business partners.
In the case of CEO fraud, for example, employees who are allowed to transfer money in the name of their organisation are led to believe that they have received an order from their boss, which is in fact fictitious. They are told to execute transactions for a supposedly urgent and confidential deal which is vitally important to the continued existence of the organisation.