# Social engineering

"Social engineering" is using information about a person to get that person to trust the attacker. This can often include exploiting someone's willingness to help or get help.

Social engineering hackers are often *very* patient. They'll spy on someone for weeks and months to check for the following:

1. Something of [value](purpose.md) they can theoretically attain.
2. [Routine behavior](habits.md) that they can exploit.

There are many forms of social engineering:

- "Phishing" involves sending fake information (usually an email) that looks legitimate.
  - Standard phishing, like [cold-call sales](marketing-sales.md), sends out many emails at once to get anyone gullible enough to give information.
  - "Spear phishing" is a highly sophisticated version of it that targets one person, usually with plenty of personal information.
  - CEO fraud and government phishing use an official-looking email address (e.g., a CEO's company website, a government bureau).
  - Clone phishing copies a legitimate message with an attachment and sends an identical one with a virus instead.
  - Cloud phishing sends a link to a cloud service to download a seemingly legitimate file.
- "Pretexting" uses subtle appeals to reliable sources to gain the target's trust ("I'm from the FBI...").
- "SEO poisoning" uses illegitimate techniques to rank higher on search engines ("search engine optimization") to get people to go to the attacker's website.
- "Something for something" is giving something (usually free) to someone in exchange for their information.

"Ransomware" is software designed to block off information until someone pays money. Because the money is transferred through [cryptocurrency](computers-blockchain.md), the transaction can be difficult to trace.

"Malvertising" is advertising designed to look like another legitimate product, but is actually [malware](computers-cysec-malware.md).
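
A mail filter can check for the clone-phishing pattern described above (same message text, swapped attachment) by comparing an incoming message against a known-good one. This is an added example, not part of the original page; the sender addresses, subject, file name and attachment bytes are constructed placeholders.

```python
import hashlib
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

def fingerprint(raw):
    """Return (sender_domain, hash of normalised body text, {filename: sha256})."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    body, attachments = "", {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if name:
            attachments[name] = hashlib.sha256(payload).hexdigest()
        elif part.get_content_type() == "text/plain":
            body += " ".join(payload.decode("utf-8", "replace").split()).lower()
    return domain, hashlib.sha256(body.encode()).hexdigest(), attachments

def clone_indicators(known_good_raw, incoming_raw):
    """Reasons the incoming message looks like a clone of a known-good one."""
    g_dom, g_body, g_att = fingerprint(known_good_raw)
    i_dom, i_body, i_att = fingerprint(incoming_raw)
    if g_body != i_body:
        return []  # different text, so not a copy of this message
    reasons = []
    if i_dom != g_dom:
        reasons.append(f"sender domain changed: {g_dom} -> {i_dom}")
    for name, digest in i_att.items():
        if name in g_att and g_att[name] != digest:
            reasons.append(f"attachment {name} has different content")
    return reasons

def build_sample(sender, attachment_bytes):
    """Constructed sample message (hypothetical sender, subject and file name)."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = "Q3 invoice"
    m.set_content("Hi,\nPlease find the Q3 invoice attached.\n")
    m.add_attachment(attachment_bytes, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf")
    return m.as_string()

if __name__ == "__main__":
    good = build_sample("billing@vendor.example", b"constructed original bytes")
    clone = build_sample("billing@vendor-billing.example", b"constructed other bytes")
    print(clone_indicators(good, clone))
```

The check only fires on an exact match of the normalised body text, so a clone with edited wording would need fuzzy matching instead.
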
## Identity Theft

Typically, in a modernized society, hackers only need *very* few pieces of information to [authenticate](computers-cysec-authentication.md) themselves as someone else:

- Someone's full name, date of birth, and social security number are enough to fraudulently get a new [credit card](money-2_debt.md), [get insurance](money-insurance.md), secure a loan, and many other activities.
- A few pieces of information from social media can be enough to guess the answers to someone's [password](encryption.md) security questions.

"SIM swapping" is when a hacker takes over a phone number's [two-factor authentication](computers-cysec-authentication.md) by using fraudulent information to get a cell carrier to migrate that phone number to another phone.

Callers can clone voice recordings.

- If you're unsure of the number, let it go to voicemail, then look it up before calling them back.
- If that individual might be someone you know, send them a text message to be sure.
- If you *do* answer, expect them to use your voice to [train a machine learning algorithm](computers-ai-ml.md).