At its core, social engineering is not a technical attack. It is the psychology of persuasion applied to security: it targets the mind, like the old-school grifter or con man. The aim is to gain the target's trust so they lower their guard, then steer them into an unsafe action such as divulging personal information, clicking a web link, or opening an attachment that may be malicious.
Phishing is the most common form of social engineering. It typically arrives as an email that appears to come from a legitimate source. Sometimes the attacker is after credit card numbers or other personal data; at other times the goal is an employee's login credentials or other details that serve as the first stage of a broader intrusion against their employer. Advanced persistent threat (APT) campaigns and ransomware deployments frequently begin with a single phishing email.
Variants you may encounter include spear phishing, which targets specific individuals rather than a broad audience, and whaling, which targets senior executives or the C-suite.
Attackers have also taken advantage of the growth of software as a service (SaaS), such as Microsoft 365. These campaigns usually take the form of an email claiming to be from Microsoft that asks the user to sign in and reset their password because they have not logged in recently, or claims there is a problem with the account that needs attention. A link is included that leads to an attacker-controlled sign-in page, and whatever the user types there goes to the attacker. The practical check is to inspect where the link actually points rather than trusting the sender's display name or the branding in the message.
Watering hole attacks are a highly targeted form of social engineering. Rather than approaching the target group directly, the attacker compromises a website that group is likely to visit, for example an industry site frequented by employees of a particular sector such as energy or a public service. The compromised site is then used to catch an individual from the target group, and once that person's device or data has been compromised, the attacker typically uses it as a foothold for further attacks.
Business email compromise (BEC) is a form of email fraud in which the attacker masquerades as a C-level executive and tricks the recipient into misusing a legitimate business function, such as approving a wire transfer to an attacker-controlled account. Sometimes the attacker goes as far as telephoning the recipient while impersonating the executive. The defensive control is out-of-band verification: confirm any payment or account change by calling a number you already know, never by replying to the email or using contact details it supplies.
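The two email lures above, a SaaS credential-phishing message and an executive-impersonation BEC message, share a small set of tell-tale signs that can be checked mechanically: a brand or executive name in the display name that does not match the sending address, links whose domain merely contains the brand name, and pressure language. The following Python triage script is an added example written for this page, not code from the original article or any vendor product. The sample messages, the organisation's domain (corp.example), the executive directory and the list of legitimate Microsoft sending domains are all constructed assumptions; a real deployment would load the last two from a directory and a maintained allow-list, and would use the public suffix list rather than the crude domain extraction shown here.

```python
"""Heuristic triage of inbound mail for credential phishing and BEC.
Added example: samples and directories below are constructed, not real."""
import email
import email.utils
import re
from email.message import Message
from typing import Dict, List, Set
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Assumed environment (hypothetical): our own domain, a small executive
# directory, and the domains each brand is expected to send from.
OWN_DOMAIN = "corp.example"
EXECUTIVES: Dict[str, str] = {"jane doe": "jane.doe@corp.example"}
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
}
PRESSURE_PHRASES = ("within 24 hours", "immediately", "urgent", "wire transfer")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for these samples; production
    code should consult the public suffix list (co.uk etc.) instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _body_text(msg: Message) -> str:
    """Collect the text/plain content of a message, multipart or not."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    display_name, sender = email.utils.parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = registrable_domain(sender.split("@", 1)[1]) if "@" in sender else ""
    name_key = " ".join(display_name.lower().split())
    body = _body_text(msg)
    findings: List[str] = []

    # 1. A brand is named in the display name, but the address is not the brand's.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name_key and sender_domain not in legit:
            findings.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")

    # 2. Links: a brand name inside a domain the brand does not own is the classic
    #    lookalike; in a brand-themed mail, any link off the brand's domains is odd.
    for url in URL_RE.findall(body):
        dom = registrable_domain(urlparse(url).hostname or "")
        for brand, legit in BRAND_DOMAINS.items():
            if brand in dom and dom not in legit:
                findings.append(f"lookalike link domain {dom!r} for brand {brand!r}: {url}")
            elif brand in name_key and dom not in legit and dom != OWN_DOMAIN:
                findings.append(f"link to {dom!r} in mail claiming to be from {brand!r}: {url}")

    # 3. BEC: an executive's display name on an address that is not theirs.
    if name_key in EXECUTIVES and sender != EXECUTIVES[name_key]:
        findings.append(f"display name impersonates executive {display_name!r} from {sender!r}")

    # 4. Pressure language alone proves nothing, so it is labelled as a weak signal.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("weak signal: pressure language: " + ", ".join(hits))
    return findings


def is_suspicious(raw_message: str) -> bool:
    """True when at least one finding stronger than a weak signal was raised."""
    return any(not f.startswith("weak signal") for f in analyze(raw_message))


# Constructed samples (not real mail). Domains under .example are reserved.
PHISH_SAMPLE = """\
From: "Microsoft Account Team" <no-reply@microsoft-account-verify.example>
To: alice@corp.example
Subject: Action required: sign in to keep your account

We noticed you have not signed in recently. Sign in within 24 hours to
avoid losing access: https://login.microsoft-account-verify.example/reset
"""

BEC_SAMPLE = """\
From: "Jane Doe" <jane.doe.ceo@webmail.example>
To: bob@corp.example
Subject: Quick favour

Bob, I am in meetings all day. Please arrange a wire transfer of 48,500
to a new supplier immediately; account details follow in a moment.
"""

LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@corp.example>
To: bob@corp.example
Subject: Notes from today

Notes are on the wiki: https://wiki.corp.example/notes/today
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("bec", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for finding in analyze(sample):
            print("  -", finding)
```

The point of the design is that the strong signals are identity mismatches (display name versus address, brand versus link domain), which an attacker cannot avoid without owning the brand's or executive's real domain, while wording such as "immediately" is recorded only as a weak signal so that a terse but genuine message from a real executive does not get flagged on tone alone.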
Cybersecurity also has a physical dimension. Certain people in your organization, such as help desk staff, receptionists, and frequent travelers, are more exposed to in-person social engineering, where the attacker talks or walks their way past a control rather than sending an email.
Your organization should have effective physical security controls such as visitor logs, escort requirements, and background checks. Employees in roles at higher risk of social engineering benefit from specialized training in recognizing and resisting in-person attacks, for example tailgating through a badge-controlled door or a caller posing as a colleague who has lost their password.
USB baiting sounds far-fetched, but it happens more often than you might think. The attacker loads malware onto USB sticks and leaves them in strategic places, such as a car park or a lobby, hoping that someone will pick one up and plug it into a corporate machine, unwittingly running malicious code inside the organization. Note that the device may not be a storage device at all: some present themselves to the operating system as a keyboard and type commands on the user's behalf, so blocking removable storage and disabling autorun is a necessary control but not a complete one; restricting which USB device classes may be attached, and training staff to hand unknown devices to security, closes the remaining gap.