Social engineering is a surprisingly common way for scammers to obtain the information they need to log in to an organization’s network or gain access to secure areas, data, and information. It’s also a relatively low-tech approach because it focuses on human interactions rather than complex hacking techniques. Social engineers essentially attempt to fool an organization’s employees into helping them execute their scams.
You’ve no doubt seen a number of social engineering examples in movies and on TV. A common scene shows a person trying to fake their way into a military base late at night. The guard is suspicious, but then the visitor challenges, “The General knows I’m coming. If you want to wake him, give him a call.” Intimidated, the guard simply waves the visitor through.
But social engineering isn’t fiction. It’s happening in organizations worldwide, and too many times people don’t even know they’ve been scammed.
Here are some great examples of how social engineers gain access:
A woman in a courier uniform rushes into a reception area and says, “Hey, I really need to get this paperwork into the hands of your CFO. It’s time-sensitive and I got lost, so I’m already running late. They’ll have my head if I don’t get this delivered ASAP. Can you let me know where to go?”
When an unknown man is seen and questioned in a secure area, he hands over a business card and says, “Well, someone on your maintenance staff told me they needed immediate help clearing up your rodent problem. I can reschedule, but it’s going to be about three weeks before we can get back out here. It’s your call.”
Someone calls a member of the sales team and says, “Hey, it’s Bob Westerman from Accounting. I’m trying to work on the budget, but I can’t log into the network or my email. Can you send the latest sales report to my personal email at bobwest@gmail.com?”
All of these scenarios seem perfectly innocent, right? But all three have important warning signs:
Taking advantage of a helpful nature: The courier tries to make the receptionist feel sorry for her and want to help, a common trick of social engineers. In addition, by making the situation seem urgent, the courier hopes to get the receptionist to grant her access without thinking things through.
Implying authority to act: This is similar to the military base example in that the exterminator implies that he is authorized to be there and tries to intimidate the person who questions his presence. He uses a business card—and the threat of a long delay—to pressure the suspicious employee into accepting his story.
Pretending to be part of the team: This is a classic social engineering trick. Why? Because social engineers know it’s easy to pretend to be someone they’re not over the phone. Given the processes and workflow in an organization, Bob’s request might seem perfectly reasonable and believable. This sort of ruse is even easier in large organizations, where it’s impossible for employees to know all their co-workers.
BOTTOM LINE: Verify, Verify, Verify
It’s critical to understand how easily surface details can be faked to make a scam seem legitimate. Uniforms and business cards are inexpensive and easy to obtain; email addresses, phone numbers, and even caller IDs can be manipulated. And it’s easy for social engineers to find out—and then use—the real names of employees, vendors, and service providers. Be sure not to take these pieces of information at face value. Confirm that people are who they say they are and that they are authorized to receive the access they want.
Verifying information is a relatively simple step that can help prevent you from disclosing information you shouldn’t and falling victim to a social engineering attack. It’s harder to turn off the natural human tendency to trust people and offer help to those in need. Attackers use social psychology to influence behaviors, and they often make multiple contacts, building relationships and incrementally growing their requests for information over time. And they are generally very good at what they do.
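One way to turn "verify, verify, verify" into a repeatable check is to treat the organization's own directory as the only trusted source of contact details and to hold any request that fails a cross-check until it is confirmed by a call back on the directory number. The following Python is an added example, not code from the original article; the corporate domain, the directory entries and the request records are all constructed for illustration, and `verify_request` is a hypothetical helper rather than any real product's API.

```python
"""Cross-check an unsolicited request for data or access against a trusted directory.

Added example for the article's "verify" advice. Everything here (domain,
directory, requests) is constructed; in practice the directory would be the
organization's identity source (HR system, Active Directory, etc.).
"""
from __future__ import annotations

from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"  # constructed: the organization's own mail domain

# Constructed internal directory. Contact details here come from the
# organization, never from the person making the request.
DIRECTORY = {
    "bob westerman": {"department": "Accounting",
                      "email": "bwesterman@example.com", "phone": "+1-555-0100"},
    "alice chen": {"department": "Sales",
                   "email": "achen@example.com", "phone": "+1-555-0101"},
}


@dataclass
class Request:
    claimed_name: str
    claimed_department: str
    contact_phone: str                 # the number the caller *says* to use
    deliver_to: str                    # where the caller wants the data sent
    urgency_cues: list[str] = field(default_factory=list)


@dataclass
class Verdict:
    approve: bool
    reasons: list[str]
    callback_number: str | None        # directory number to confirm on, never the caller's


def verify_request(req: Request) -> Verdict:
    """Return approve=True only if every check passes; otherwise list why it is held."""
    reasons: list[str] = []
    entry = DIRECTORY.get(req.claimed_name.strip().lower())

    if entry is None:
        reasons.append("claimed identity not found in directory")
    else:
        if entry["department"].lower() != req.claimed_department.strip().lower():
            reasons.append("claimed department does not match directory")
        if req.contact_phone != entry["phone"]:
            # A caller-supplied number is not a verification channel; use the directory's.
            reasons.append("caller-supplied phone differs from directory; confirm on directory number")

    domain = req.deliver_to.rsplit("@", 1)[-1].lower()
    if domain != CORPORATE_DOMAIN:
        reasons.append(f"destination domain '{domain}' is outside {CORPORATE_DOMAIN}")

    if req.urgency_cues:
        reasons.append("urgency pressure present: " + ", ".join(req.urgency_cues))

    callback = entry["phone"] if entry else None
    return Verdict(approve=not reasons, reasons=reasons, callback_number=callback)


def bob_scenario() -> Verdict:
    """The article's 'Bob from Accounting' call, as a constructed request record."""
    return verify_request(Request(
        claimed_name="Bob Westerman",
        claimed_department="Accounting",
        contact_phone="+1-555-0199",         # number Bob offers on the call
        deliver_to="bobwest@gmail.com",      # personal mailbox, as in the article
        urgency_cues=["cannot log in", "budget deadline"],
    ))


def legitimate_scenario() -> Verdict:
    """A request that matches the directory on every point."""
    return verify_request(Request(
        claimed_name="Bob Westerman",
        claimed_department="Accounting",
        contact_phone="+1-555-0100",
        deliver_to="bwesterman@example.com",
    ))


if __name__ == "__main__":
    for label, v in (("Bob's call", bob_scenario()), ("matching request", legitimate_scenario())):
        print(f"{label}: approve={v.approve}")
        for r in v.reasons:
            print("  -", r)
        if not v.approve and v.callback_number:
            print("  call back on", v.callback_number)
```

The design point is that the request itself supplies nothing the check relies on: the name is looked up, the department is compared, the destination domain is compared, and the callback number comes from the directory entry rather than from the caller. Bob's request is held on three counts (outside domain, non-directory phone, urgency pressure) and the receptionist is pointed at the directory number to confirm.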
This is why social engineering training is so important. Social engineering attacks circumvent certificates, passwords, anti-virus programs, encryption, and intrusion detection systems. Training can help you recognize common patterns in social engineering and protect you and your organization from falling victim to an attack.