Social engineering is the attempt to manipulate or trick a person into providing information, or access to a system's information, thereby bypassing network security controls. A social engineering compromise can yield background information, credit ratings, medical history, and driving records, most of which are confidential. Colleges and universities are sometimes targeted for social engineering compromises because large numbers of inexperienced students serve as part-time employees.
System security, once thought of as a purely technical issue, now also has human vulnerabilities. Connecting computers to networks significantly increases risk, and network security depends heavily on the cooperation of each user. Personal and social weaknesses are at the heart of social engineering, a significant source of compromise.
Below are some of the various social engineering tactics employed:
- Respect for authority: A social engineer can present himself or herself as a high-ranking member of the organization to get you to do what they want.
- Pity for the new guy: Social engineers commonly present themselves as a new employee who needs help, or who has made a mistake and needs to fix something. Everyone remembers what it is like to be new to a job and how difficult it can be. The social engineer will prey on your common decency.
- Extreme urgency: A social engineer may present a situation as a matter of life or death, or claim they will lose their job if they cannot complete their task.
- Name dropping: Social engineers may talk about or mention other people in the company or organization. This is a method they use to gain the victim's trust.
- Combinations of the above.
Examples of Social Engineering
Terms and examples below describe how individuals use social engineering to engage in confidentiality compromises used to their benefit.
Shoulder surfing is the practice of looking over someone's shoulder while they are working. Health status and personal records can be viewed if monitors are not appropriately placed in offices. It is easy for anyone walking by a workstation to see over a colleague's shoulder.
Dumpster diving is the practice of looking through someone's trash for personal information. It is a prime technique for identity theft and for obtaining bank and credit records. Dumpster diving is also an effective way to collect information on company procedures or employees for use in a social engineering attack. It is important to shred all office documents that contain business-related information such as names, phone numbers, and procedures.
Phishing is the practice of sending emails that ask users either to click a link to a website or to submit personal data. Many phishing attempts are of high quality and can appear to come from your financial institution or employer. For more information, visit the phishing page.
Identity theft is the crime of stealing someone's name and records to use as your own. An individual uses the information to open bank or credit accounts or to obtain a new driver's license. Eventually the delinquent account or unpaid moving violation is reported, or the victim is arrested. These crimes are very hard to prove, and the offender is even harder to catch. In another scenario, a thief calls the victim's credit card issuer and, pretending to be the victim, changes the mailing address on the victim's credit card account, then runs up charges on the account. Because the bills are being sent to the new address, the victim may not immediately realize there is a problem. In yet another scenario, cellular phone service is established or a bank account is opened in the victim's name, and bad checks are written against that account. For additional information on identity theft prevention and on what to do if your identity is stolen, visit the identity theft page.
Human error lies at the root of most unauthorized access incidents. Few business functions in our society occur without the control or assistance of a computer. Any unsecured computer on a network could be breached, and any unauthorized intruder could be dangerous. If the computer manages sensitive information critical to people's lives or to a business, the intrusion threatens them as well.
The following web pages contain additional information on spotting and avoiding social engineers: