
Understanding & Avoiding Social Engineering Scams

Social engineering is a surprisingly common way for scammers to obtain the information they need to log in to an organization’s network or gain access to secure areas, data, and information. It’s also a relatively low-tech approach because it focuses on human interactions rather than complex hacking techniques. Social engineers essentially attempt to fool an organization’s employees into helping them execute their scams.

You’ve no doubt seen a number of social engineering examples in movies and on TV. A common scene shows a person trying to fake their way into a military base late at night. The guard is suspicious, but then the visitor challenges, “The General knows I’m coming. If you want to wake him, give him a call.” Intimidated, the guard simply waves the visitor through.

But social engineering isn’t fiction. It’s happening in organizations worldwide, and too many times people don’t even know they’ve been scammed.

Here are some great examples of how social engineers gain access:

A woman in a courier uniform rushes into a reception area and says, “Hey, I really need to get this paperwork into the hands of your CFO. It’s time-sensitive and I got lost, so I’m already running late. They’ll have my head if I don’t get this delivered ASAP. Can you let me know where to go?”

When an unknown man is seen and questioned in a secure area, he hands over a business card and says, “Well, someone on your maintenance staff told me they needed immediate help clearing up your rodent problem. I can reschedule, but it’s going to be about three weeks before we can get back out here. It’s your call.”

Someone calls a member of the sales team and says, “Hey, it’s Bob Westerman from Accounting. I’m trying to work on the budget, but I can’t log into the network or my email. Can you send the latest sales report to my personal email at bobwest@gmail.com?”

All of these scenarios seem perfectly innocent, right? But all three have important warning signs:

Taking advantage of a helpful nature: The courier tries to make the receptionist feel sorry for her and want to help, a common trick of social engineers. In addition, by making the situation seem urgent, the courier hopes to get the receptionist to grant her access without thinking things through.

Implying authority to act: This is similar to the military base example in that the exterminator implies that he is authorized to be there and tries to intimidate the person who questions his presence. He uses a business card—and the threat of a long delay—to pressure the suspicious employee into accepting his story.

Pretending to be part of the team: This is a classic social engineering trick. Why? Because social engineers know it’s easy to pretend to be someone they’re not over the phone. Given the processes and workflow in an organization, Bob’s request might seem perfectly reasonable and believable. This sort of ruse is even easier in large organizations, where it’s impossible for employees to know all their co-workers.

BOTTOM LINE: Verify, Verify, Verify

It’s critical to understand how easily surface details can be faked to make a scam seem legitimate. Uniforms and business cards are inexpensive and easy to obtain; email addresses, phone numbers, and even caller IDs can be manipulated. And it’s easy for social engineers to find out—and then use—the real names of employees, vendors, and service providers. Be sure not to take these pieces of information at face value. Confirm that people are who they say they are and that they are authorized to receive the access they want.

Verifying information is a relatively simple step that can help prevent you from disclosing information you shouldn’t and falling victim to a social engineering attack. It’s harder to turn off the natural human tendency to trust people and offer help to those in need. Attackers use social psychology to influence behaviors, and they often make multiple contacts, building relationships and incrementally growing their requests for information over time. And they are generally very good at what they do.

This is why social engineering training is so important. Social engineering attacks circumvent certificates, passwords, anti-virus programs, encryption, and intrusion detection systems. Training can help you recognize common patterns in social engineering and protect you and your organization from falling victim to an attack.