Social engineering is one the most overlooked security threats in existence today. Since the advent of the internet, social engineering has been used to gain access to private networks, hijack machines, steal sensitive information and compromise system integrity. It is one of the most common security threats yet most business owners and employees are woefully ignorant of this threat and how to guard against it.
So what is social engineering and how does it happen?
Social engineering is the art of manipulating people (often verbally or in writing) so that they release sensitive information willingly. This can happen both online and offline.
Some social engineering methods are well known. Ask someone today what phishing is and they’ll likely respond that it’s when someone sends you an email pretending to be a company in order to gain a password or credit card information. They might also say it’s when you put bait on a hook and throw it into a body of water in order to catch fish. Either way, the principle is the same. The end user is the body of water and the social engineers are the ones baiting the hook.
But what about offline social engineers?
Many businesses are far more inclined to trust someone calling them on the phone or walking through their front door than they are to trust an email. These are the most dangerous social engineers. If you’ve ever seen the movie Hackers or heard of Kevin Mitnick, you’ve seen how social engineering works. But do you know how to identify a social engineering attack if it happens to you?
Common Social Engineering Attack Scenarios:
Believe it or not, a social engineering attack can occur as a result of one piece of information leaked to a potential threat. Example:
- A person calls your business line posing as a trusted co-worker or authority figure and asks for information.
- Your workplace has an access card in order to enter. Someone rushes up to you with their hands full and says, “Can you hold the door for me?” or they simply ask you to hold the door, claiming, “I forgot my access card.”
- You go out for a smoke break. While you have the door open, another person who was “also on their smoke break” takes advantage of the open door and enters the building. Because they are in a company designated break area, most employees never think twice. Or the person smokes a cigarette with you then “tailgates” back in the door with you, usually chatting the entire time (to keep you distracted and unaware of course).
Major Social Engineering Attack Scenarios:
Some social engineering attacks are a bit more involved, however. These usually involve higher value targets. These are very planned, long-range attacks where the hacker (hacking doesn’t always involve computers) does their research, watches, and waits. While these examples may be rare, they do happen. Be on the lookout!
- A person in uniform enters your establishment and requests access to a non-public area. They might even have a badge or ID. Most often they will take advantage of a time they know the owner won’t be present. They might even use the owner’s name (name dropping) in order to get you trust them. The combination of name dropping and being in uniform (especially if they have a fake badge or ID) is usually enough to persuade any employee that they are legit.
- Your company suddenly has a “new employee” who shows up when the boss is gone. Most likely they are wearing the same uniform you are (or adhering to the same dress code). Because they are “new” they won’t have any passwords, access codes or key cards like a normal employee would and might say things like, “I’m new so I don’t have a login yet – can I just use yours?” This is most effective in small businesses which employ enough people to have shifts and/or where the same employees don’t work every day. If a new employee shows up that you weren’t expecting, call your boss ASAP to confirm their identity.
The bottom line is that social engineers are confident, in control of the situation and take advantage of the fact that most businesses would never suspect an attack right under their nose. Security guards don’t look for badges, they look for posture and body language. But a social engineer knows how to be confident and blend in with the natural environment.
The important thing to realize here is that social engineering is a game of intense patience, skill, psychology, and research. Chances are you’ve been social engineered dozens of times by a calm, confident, smooth talker who was able to get you to tell them what they wanted to know. Where do you live? Do you have kids? Pets? A spouse? Where did you grow up? What’s your favorite food?
The list could go on and on. Do you recognize what those questions can lead to? If you guessed security validation questions, you’re right! You know, when you sign up for an account and it asks you for those three security related questions in case you lose your password? Yep – you just gave it all away and had no idea.
So stay guarded my friends and be on the lookout for people who seem out of place or who ask a lot of questions. If they are the ones asking questions, they are in control.