Social engineering is an umbrella term for any security exploit that relies on people's willingness to be helpful. A successful social engineering exploit depends on whether or not the attacker can trick someone else into making a mistake.
The purpose of this type of security exploit is to provide the attacker with legitimate credentials they can use to move laterally through the target's network. This type of attack vector requires the attacker to have both soft skills and hard skills. Soft skills help the attacker gain initial access and hard skills help them to escalate privileges.
Social engineering is as dangerous and harmful as any other cybersecurity attack.
Phishing and spear phishing are two common social engineering strategies that target a specific person or small group of people. Both types of attack are often email-based and include information known to be of interest to the target.
Typically, the attacker's email is made to appear as if it was legitimately sent from the organization's IT department or senior management, and the message usually contains a warning about major consequences if requested information is not provided.
Business Email Compromise (BEC) is one of the most financially lucrative crimes in the United States, according to the F.B.I. This type of security exploit targets both businesses and individuals who perform legitimate transfer-of-funds requests. This type of cyber fraud involves spoofing a legitimate business email account in order to trick the victim into transferring money into an account controlled by the attacker.