What is Social Engineering?

Social engineering is getting someone to do something they otherwise wouldn’t do.

It’s all about persuasion and can be very subtle: building rapport, reading feedback, and understanding status. The key to successful social engineering is confidence.

A great social engineer can direct their thoughts, words and deeds to mirror any perception or character they wish to invoke (pretexting).

There are three main ways that people are typically socially engineered.

  • Email
  • Physical
  • Voice

Why do anything technical when I can just ask a user for their password? Often, they’ll give it to me.

 – Brian Self

Social Engineering Example

I could call up someone at the company and say: “Hi <insert name here>, I’m with the helpdesk. I’m trying to troubleshoot an issue and I’m hoping you can help me. Can you give me your username and password real quick so I can test?” You might be surprised how often this works. No identification, no need to prove that I am who I am; they just trust me.

Within social engineering there’s also a physical component. This is where I put on my UPS shirt and hat, then carry what appears to be a heavy box to a door and wait. Thus far, every single time somebody has opened the door for me. After all, who in their right mind, besides me, would put on a UPS shirt and just wait outside your door? We have some level of trust and believability if somebody has a UPS shirt on, right? When was the last time you asked to see ID for the FedEx or UPS person?

I have yet to have somebody ask me for identification when I’ve done this, and I’ve walked into some very highly secured buildings without being challenged.

How to Protect Yourself from Social Engineering Scams

How to Recognize a Con Artist or Social Engineering Scam

Protect yourself by being curious. If something doesn’t feel or sound right, ask questions, and realize that you’re not too smart to be conned. Some con artists go after the super smart and affluent because they tend to be over-confident.

Social engineering is the number one aspect, the number one way that hackers, the black hats, the bad guys get access into organizations.

 – Brian Self

Another component of social engineering is over the phone. We call it vishing: the V is for voice, so instead of phishing, it’s vishing.

To use our earlier helpdesk example in this context, I research my target before I make any calls. Once I identify a sales manager for an organization, let’s call him Dave, I could call up the help desk and say, “Hey, this is my first day on site. I’ve got this huge client that needs to see our latest product information on the intranet. I’m about ready to go into their office and I need VPN access set up. Dave said I should just call you and you’d set me up. This could make or break my quarter, so if you can set me up ASAP that would be great.”

They will usually set me up, because they are the “help” desk. They are there to help.

Lastly is phishing.

Phishing is when you are tricked into doing something you shouldn’t via email (clicking on a link, running a program, providing login credentials, etc.). One way of doing this is by masquerading as a company you are familiar with and mimicking the appearance of the corporate website. Amazon failed-delivery emails are great for getting people to click on links, even when they haven’t ordered anything.

One of the best defenses against social engineering scams is to ask a lot of questions. I like the old adage of trust but verify.

Book Brian

Identify whether we’re a fit and check availability in only 15 minutes: 720-271-8221