Let's face it: Social engineering -- attacking an organization through deception by "tricking" internal users into sharing inappropriate levels of access -- isn't a topic that comes up very much in most IT shops. This isn't because social engineering is ineffective or because organizations aren't susceptible to it. To the contrary: Although direct, quantifiable evidence about social engineering is difficult to come by, what statistics we do have suggest that success rates for social engineering attacks are disproportionately high.