Many attackers use social engineering to break into systems because it’s usually the easiest way for them to get what they’re looking for. They want someone to open the door to the organization so that they don’t have to break in and risk being caught. Security technologies such as firewalls, access controls, and authentication devices won’t stop a determined social engineer.
Most attackers perform social engineering attacks slowly to avoid suspicion. Social engineers gather bits of information over time and use the information to create a broader picture of the organization they’re trying to manipulate. Alternatively, some social engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on the attacker’s style and abilities.
Attackers know that many organizations don’t have formal data classification programs, access control systems, incident response plans, or security awareness programs, and they take advantage of these weaknesses.
Attackers usually know a little about a lot of things, both inside and outside their target organizations, because this knowledge supports them in their efforts. The more information social engineers get about organizations, the simpler it is for them to pose as employees or other trusted insiders. Social engineers’ knowledge and determination give them the upper hand over average employees who don’t recognize the value of the information that social engineers seek.