Humans are fundamentally social creatures, and we tend to be overly trusting in the digital world. This leaves people vulnerable to social engineering, a modern term for the oldest con in the book: exploiting human psychology, rather than technical vulnerabilities alone, to manipulate people into divulging confidential or personal information that is then used for fraudulent purposes.
According to the 2020 Verizon Data Breach Investigations Report, 96% of social engineering attacks enter organizations through email inboxes. Types of social engineering attacks include:
Phishing: In a phishing attack, an attacker impersonates a legitimate user or institution and uses fear, urgency or curiosity to trick an employee into clicking malicious links, opening malware-laden attachments or handing over login credentials. Phishing attacks accounted for 22% of all breaches in 2019, according to the DBIR.
Pretexting: Pretexting is similar to phishing but relies on a fabricated scenario (the pretext) rather than on urgency. The attacker builds trust with the victim, usually by posing as someone in a position of authority who is entitled to the sought-after information or who is offering to help, and then persuades the victim to hand it over.
Business email compromise attack: A business email compromise (BEC) attack targets employees who have access to corporate funds and tries to persuade them to transfer money to an account the attacker controls. These messages often contain no link or attachment, so they pass controls that only inspect URLs and files; the deception lives in the sender identity and the request itself. When the attack targets a high-level corporate executive, such as a CEO or CFO, it is often referred to as a whaling attack.
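The phishing and BEC descriptions above all turn on the same few header and content signals: a sender who impersonates a trusted person or institution, a reply path that diverts to the attacker, and wording that combines urgency with a payment request. The following Python script is an added example, not code from the original article or from the DBIR, that scores a raw message on those signals. The organization's trusted domains, the executive names, the confusable-character table and the two sample messages are all constructed assumptions for the demonstration.

```python
"""Heuristic scoring of an inbound email for phishing / BEC indicators."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions constructed for this example: the organization's own domains
# and the executives whose names are most likely to be impersonated.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Character substitutions commonly used to register lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URGENCY_WORDS = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|bank details|gift cards?)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold confusable characters so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but folds to a trusted domain."""
    if domain in TRUSTED_DOMAINS:
        return False
    folded = normalize_domain(domain)
    return any(folded == normalize_domain(t) for t in TRUSTED_DOMAINS)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address (empty if none)."""
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> list:
    """Return a list of (indicator, detail) tuples found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Sender domain is a confusable spelling of one of our own domains.
    if is_lookalike(from_domain):
        findings.append(("lookalike_domain", from_domain))

    # 2. Display name claims to be an executive but the address is external.
    if any(n in from_name.lower() for n in EXECUTIVE_NAMES) and from_domain not in TRUSTED_DOMAINS:
        findings.append(("display_name_spoof", f"{from_name} <{from_addr}>"))

    # 3. Replies are diverted to a domain other than the one the mail claims to come from.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply_to_mismatch", reply_addr))

    # 4. Body pairs urgency language with a request to move money.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if URGENCY_WORDS.search(text) and PAYMENT_WORDS.search(text):
        findings.append(("bec_language", "urgency + payment request"))

    return findings


def is_suspicious(raw: str) -> bool:
    """Flag a message on a lookalike domain alone, or on any two weaker indicators."""
    findings = analyze(raw)
    return len(findings) >= 2 or any(k == "lookalike_domain" for k, _ in findings)


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <janedoe.ceo@mail-example.net>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="us-ascii"

Hi, I need you to process an urgent wire transfer to a new vendor today.
Keep this confidential until I am back from the board meeting.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 planning
Content-Type: text/plain; charset="us-ascii"

Can you send me the Q3 budget draft when you have a moment? No rush.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), analyze(sample))
```

The constructed BEC message trips all four indicators, while the legitimate one trips none. In production the same checks belong in a mail-gateway rule or a SIEM enrichment, with the trusted-domain and executive lists fed from the directory rather than hard-coded; the point of the example is that the useful signals for BEC are in the headers and the request, not in any URL or attachment.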