Social engineering, in its most basic form, is the art of psychological manipulation. It is generally discussed in a security context, where a person is manipulated into performing a certain action or divulging confidential information. It can also be something as simple as a breach of trust, a confidence trick or plain fraud.
There are many forms of social engineering, and they are generally associated with human decision-making. These attacks typically work by exploiting “bugs in the human hardware” in various combinations.
Here are a few to watch out for:
Phishing is by far the most popular social engineering technique: the act of fraudulently obtaining private information. Usually, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting “verification” of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card’s PIN.
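As an added example (not part of the original article), a small Python check for the mechanism the phishing paragraph describes: a mail that claims to come from a legitimate business but links to a look-alike page elsewhere. It flags anchors whose real host lies outside the claimed sender domain, and anchors whose visible text shows a different host than the href actually targets. The sample e-mail body and the sender domain example-bank.com are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or bare domain name.
URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")

# Constructed sample: a "verification" mail claiming to come from example-bank.com.
SAMPLE_BODY = """
<p>Dear customer, verify your account within 24 hours or it will be suspended:</p>
<a href="http://example-bank.com.login-verify.example.net/verify">https://www.example-bank.com/verify</a>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels only: a naive stand-in for a real public-suffix lookup.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body, claimed_sender_domain):
    """Flag links that leave the sender's domain or show a different host than they target."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) != registrable_domain(claimed_sender_domain):
            reasons.append("link host is outside the claimed sender domain")
        shown = URLISH.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("visible text shows a different host than the href")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_BODY, "example-bank.com")` reports only the first link, with both reasons; the genuine help-centre link passes.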
Pretexting is the act of creating and using an invented scenario (the pretext) to engage a victim in a way that increases the chance the victim will reveal information or perform certain actions. It most often involves some prior research or setup, and the use of that information for impersonation (e.g., date of birth, Social Security number, etc.) to establish legitimacy in the mind of the targeted victim. This technique is used to fool a business into disclosing customer information, and by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives.
Baiting has been widely used in developed and underdeveloped countries alike. It uses physical media and relies on the curiosity or greed of the victim. Typically, the attacker leaves a malware-infected floppy disk, CD-ROM or USB flash drive in a location where it is sure to be found (an elevator, bathroom, sidewalk or parking lot), gives it a legitimate-looking label and simply waits for the victim to use the device.
Tailgating is when an attacker seeking entry to a restricted area secured by unattended electronic access control (e.g. an RFID card reader) simply walks in behind a person who has legitimate access, hence the term “tail” gating.
As business comes to depend on technology and connected systems, it is highly important for all entrepreneurs to secure their business and day-to-day transactions against such confidence tricks and fraud. As a business, have you educated your employees recently on what information is safe to divulge and to whom they can divulge it? Understanding social engineering techniques can help you develop a plan for how to protect your business. Recognize the signs and protect yourself before it is too late!