A computer and network could have every possible protection, but the most difficult vulnerability to fix is us (humans). Social Engineering is convincing a user to compromise the security of a computer or network. For example: tricking a user into using a USB flash drive which has a virus on it, or calling someone up to trick them into giving the caller remote access to a computer. There are four types of Social Engineering: Phishing, Pre-texting, Baiting and Quid Pro Quo.
Phishing is an example of Social Engineering where the attacker sends out e-mails pretending to be from a trustworthy company or person. The e-mail will try to convince the user to click a link, and this may lead to a page with a virus download or a website which attempts to trick the user into giving up personal information.
With Pre-texting, an attacker will manipulate a victim by telling them a story as to why they need to divulge information. The story is used to help the attacker gain the victim's trust. Examples:
Baiting is where a hacker will use a false promise to entice a user into giving up information or into installing malware. For example: leaving USB drives outside buildings in the hope that one will be taken inside and plugged into a computer.
With Quid Pro Quo, an attacker will offer an exchange, often information in exchange for money. Usually the attacker will not pay the victim - remember, if an offer seems too good to be true, it probably is!
The best way to defend against Social Engineering within an organisation is through the use of an Acceptable Use Policy (AUP). The AUP is a document which contains a set of common rules and procedures. Typically, within an organisation everyone using IT equipment has to agree to and abide by the AUP.