Get ready, because we're about to dive into one of the least technical but most disturbing attacks out there: social engineering. Social engineering is an attack method that relies on interactions with humans instead of computers. You can harden your defenses as much as you want. You can spend millions of dollars on state-of-the-art security infrastructure. But if Susan the systems administrator has all the access to your systems and gets tricked into handing over her credentials, none of that will stop the attacker. As we've learned from the greatest sci-fi movies, humans will always be the weakest link in life, and in your security system. Social engineering is a kind of con game: attackers use deceptive techniques to gain access to personal information, then scam the victim into doing something on their behalf.

A popular type of social engineering attack is phishing. Phishing usually occurs when a malicious email disguised as something legitimate is sent to a victim. One common phishing email says your bank account has been compromised and gives you a link to click to reset your password. When you follow the link, the page looks like your bank's website, but it's actually a fake. You're tricked into entering your current credentials in order to "reset" your password, and the attacker now has them. The text of a link and the place it actually points to can be completely different, so check where a link really goes before you click it. Another variation of phishing is spear phishing. Both have the same end goal, but spear phishing specifically targets an individual or group. The fake emails may contain personal information like your name or the names of friends or family, so they seem more trustworthy.

Another popular social engineering attack is email spoofing. Spoofing is when a source masquerades as something else. Think of an email spoof: this is what happens when you receive an email with a misleading sender address.

You can send an email and have it appear to come from anywhere you want, whether that address exists or not. The From header is just text the sender fills in, which is why mail servers layer checks like SPF, DKIM and DMARC on top of it. Imagine you open an email you thought was from your friend Brian. Brian's real email address is in the From field, and the email says you have to check out this funny link. Well, you know Brian. He's pretty awesome and he always sends super funny emails, so you click on the link. Suddenly, you have malware installed. And you're probably not feeling so awesome about Brian right now.

Not all social engineering occurs digitally. In fact, some attacks happen through physical contact. One of these is called baiting, which is used to entice a victim into doing something. For example, an attacker could leave a USB drive somewhere in hopes that someone will plug it into their machine to see what's on it. When they do, they've just installed malware on the machine without even knowing it. Another popular attack that can occur offline is called tailgating, which is essentially gaining access to a restricted area or building by following a real employee in. In most corporate environments, building access is restricted through the use of a keycard or some other entry method. But a tailgater could use social engineering tactics to trick an employee into thinking they're there for a legitimate reason, like doing maintenance on the building or delivering packages. Once a tailgater is in, they have physical access to your corporate assets.

Pretty scary stuff we've covered so far, huh? I bet you didn't realize there were so many ways to compromise security. Hopefully, you've gained a better grasp of the common attacks out there and the signs to look for. Now that you've been exposed to the fundamental types of security threats, we'll dive deep into best practices for security and how to create technical implementations for secure systems. But first, we're going to test your knowledge with a quiz covering the different attacks we've talked about in this module.
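The phishing and spoofing emails described above leave fingerprints in the message itself: a From address whose domain differs from the bounce (Return-Path) address or Reply-To, failed SPF/DKIM/DMARC verdicts recorded by the receiving server in Authentication-Results, and a link whose visible text names the bank while its real destination is somewhere else. The following Python script is an added example, not part of the original lecture, that triages a message for exactly those signs. The two messages it checks are constructed here for illustration; the hostnames, addresses and the mail server name are made up.

```python
"""Triage a suspected phishing / spoofed-sender e-mail from its raw headers and body."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): From claims to be the bank, the bounce
# address and Reply-To point elsewhere, SPF/DMARC failed, and the link text lies.
SAMPLE_SPOOFED = b"""Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-secure.net
To: susan@example.com
Subject: Your account has been compromised
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account was compromised. Reset your password now:</p>
<a href="http://examplebank.com.reset-login.example.net/reset">https://www.examplebank.com/reset</a>
</body></html>
"""

# Constructed clean counterpart: aligned domains, passing checks, honest link.
SAMPLE_LEGIT = b"""Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: susan@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></body></html>
"""


def address_domain(value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(value or ""))}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = address_domain(msg["From"])
    return_dom = address_domain(msg["Return-Path"])
    reply_dom = address_domain(msg["Reply-To"])
    if return_dom and return_dom != from_dom:
        findings.append(f"From domain {from_dom!r} does not match Return-Path domain {return_dom!r}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    auth = parse_auth_results(msg["Authentication-Results"])
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check} result is {auth.get(check, 'missing')!r}, not 'pass'")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in extract_links(body.get_content()):
            # Only compare when the visible text itself looks like a URL.
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            real = urlparse(href).hostname
            if shown and real and shown != real:
                findings.append(f"link text shows host {shown!r} but points to {real!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SPOOFED):
        print(" -", finding)
```

Authentication-Results is only trustworthy when it was written by your own receiving server, so in practice you would also strip or ignore any copy of that header that arrived from outside; the script treats it as already verified.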