Social engineering is a tactic used by cybercriminals to manipulate, influence, or deceive a victim into divulging sensitive information or performing ill-advised actions, so that the attacker can gain control over a computer system or steal personal and financial information. Social engineering attacks happen in one or more steps. The perpetrator first investigates the intended victim to gather the background information needed to proceed with the attack, such as potential points of entry and weak security protocols. Then, the attacker uses a form of pretexting, such as impersonation, to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

Social engineering attacks come in many different forms and can be performed wherever human interaction is involved. Some common types of social engineering attacks include phishing, baiting, watering hole attacks, and physical social engineering attacks.

Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices, and accounts without having to do the difficult technical work of getting around firewalls, antivirus software, and other cybersecurity controls. Social engineering attacks are notoriously difficult to prevent because they rely on human error or weakness rather than technical or digital system vulnerabilities.