Article: Social Engineers Want You!

Social engineering is a fancy name for a plain old game: conning or tricking a person into giving out information that should be kept secure.  It’s called “social” because the hoax depends on interaction between people, rather than relying solely on technology.  Social engineers gain your trust to convince you that they are entitled to access information or areas that should be kept secure.  To beat the social engineers you have to understand the importance of the information in your possession and how they operate to get it from you.

When Helping Doesn’t Help

Everything our company has taught you about good customer service works against you when you meet a social engineer.  They are experts at playing on your desire to be helpful or to do what an authority asks. 

  • You get a call from a sales person who’s on the road, stranded without a printer. He mentions the name of a co-worker who recommended that he call you to help get a sales presentation to a client. Can he email you the presentation to print and fax to the customer? When the expected attachment arrives, it contains a virus that causes damage to the network.
  • The assistant to your regional manager asks for access to the equipment room. “It’s urgent,” he explains, “I need some information for the boss right away.” You’ve never met this person but you think the boss needs the info, so you allow him into the equipment room, providing access to a gold mine of information that can be used in future social engineering exploits.
  • A new employee calls asking for help accessing the system.  She sounds helpless and frantic, and plays on your sympathy. Before you know it, she’s convinced you to provide her with your login and password.

You might think that you wouldn’t fall for this kind of scheme, but in the right situation, it’s hard to stay focused. Social engineers are very good actors.  You think you are helping, but in truth you’re providing a thief with information that could allow them to access our computer systems and open the door to fraud, identity theft, or other illegal and disruptive activities.

How Social Engineering Works

On the phone, social engineers usually have your name and seem to know others in your office. They might pretend to be someone important, providing just enough information to fool you into believing their story. Sophisticated social engineers may imitate voices, but the truth is they don't usually need to.  People who believe they’re talking to someone important will provide whatever they’re asked for. Social engineers can pull the same kind of scam via email, tricking you into sending passwords via email or opening dangerous attachments.

In person, social engineers seem to belong in the workplace posing as customers, buyers, maintenance workers, new employees, anything that fits. In a friendly, nonchalant way they impersonate, flatter, fit in, and gain trust.  Since no one feels threatened or suspicious, they are free to scout for information.  Usually, they are gone before you even realize you've been "engineered."

Protecting Yourself from the Engineers

Here are tips for protecting yourself from social engineering:

  • Dispose of company information properly, even if it does not seem confidential or sensitive. Memos, company org charts, phone lists, and product or price lists can help the social engineer piece together a dangerous story.
  • Never give your password to anyone in an email or over the phone. Provide it only in person to someone you know and trust. Be discreet about entering passwords or PINs or revealing phone numbers and names when you are in public view.
  • Change your password often. Don’t use obvious passwords like the name of a child, pet, or spouse, and don’t use the same password for many different accounts.
  • Be aware of strangers in your area. Question those without proper ID.
  • If you suspect a social engineering attack, report the incident to your supervisor or to security.

The best way to prevent social engineering is to follow our company’s security policies.  All of us must understand that the information we possess, no matter how insignificant it seems, may be a puzzle piece that reveals the whole picture to a social engineer. 

Q&A

Early in the work day, I ran into a new associate.  She explained that she left her purse in the equipment room, with her keys and ID badge.  She was embarrassed at being so silly especially since she was brand new on the job.  What should I do?

Contact your manager for assistance. This person may be exactly who she claims to be, but social engineers are very good at creating a story that earns your sympathy. Allowing this person into the equipment room may give them the information they are seeking.

The system administrator from my head office called and asked me to test some new procedures.  In the process, she asked for my password so she could reset the system.  Should I give it to her?

No. The system administrator in our company will never ask you for a password over the phone.  You should only reveal passwords in person to someone you know and trust. Contact the system administrator or your supervisor and tell them about this incident.

I don’t work in a secured area so I don’t have access to sensitive information about our company’s systems. I don’t really need to worry about social engineering, right?

Wrong! Hackers and social engineers will work to get small amounts of information from various places and people and fit the pieces together.  Social engineers will use seemingly innocent information such as names and phone numbers to gain the trust of others who might hold more important information. Every employee needs to be aware of the dangers of social engineering and remain vigilant.

Yesterday I had an encounter with a customer who asked a lot of questions about security procedures and our computer systems.  I’m used to dealing with grouchy customers, but this one was so nice I started to tell her everything she wanted to know.  Later I decided to call my manager to report the incident.  Was I being paranoid?

Not at all. Social engineers are usually overly friendly and flattering. But you need to be wary of anyone who is asking for information about security or the computer network. Your awareness in situations like this could prevent serious problems. 
