Which practice is best described as social engineering?

Study for the EC-Council Certified Security Specialist (ECSS) Test. Enhance your skills with flashcards and multiple-choice questions; each question provides hints and explanations. Prepare confidently for your exam!

Multiple Choice

Which practice is best described as social engineering?

Explanation:
Social engineering focuses on people rather than technical flaws, using manipulation to get someone to reveal information or take an action they shouldn’t. The scenario described fits this approach: deceiving individuals into sharing confidential data, often through tactics like phishing or pretexting that exploit trust and urgency. In contrast, exploiting software vulnerabilities is about weaknesses in the system itself, not about tricking people. Launching DDoS attacks targets availability by flooding a resource, not social interaction. While installing malware via legitimate updates could involve deception, the core idea in social engineering is convincing a person to reveal secrets or credentials, making deception of individuals the most accurate description.

