Social engineering is a very low-tech form of security attack. In fact, it doesn't involve any technology at all. It involves someone else who is trying to gain access by using social engineering techniques. You never know exactly what the bad guys are going to come up with next; they are always using different stories and different ideas to try to gain information from you through those social engineering techniques.
Social engineering may involve one person trying to gain access, or it may be multiple people and multiple organizations acting simultaneously.
They’re all coordinating their efforts and hoping that you’ll drop your shield and allow them access to anything that they might need. This might be done in person, over the phone, or it might be somebody who’s sending you an email electronically. Sometimes it’s somebody who’s being very aggressive on the phone and putting you in a very difficult situation.
These are ways that the bad guys are using to try to gain access without us even realizing that it’s happening. There are a number of principles associated with social engineering:
The first one we'll talk about is Authority. The social engineer is the person who is trying to gain access, so they are going to pretend that they have some type of authority that entitles them to this information. They may say that they're calling from the help desk, that they're with the police department, or that they're with the office of the CEO, and instantly that might make you think that you need to provide this information to them.
Another principle used in social engineering is Intimidation. It may not be something that is directly focused on you; it may instead be a situation that is intimidating. They might say that bad things will happen if you don't help, or it could be something as simple as saying that the payroll checks aren't going to go out unless they get this information from you.
Another principle that's commonly used is called Consensus. You might also hear this referred to as social proof. They use other people and what those people have done to try to justify what they're asking. They'll tell you that your co-worker was able to provide this information last week, but that co-worker is not in the office now, so perhaps it's something you could provide for them instead.
They will always tell you that you need to hurry. Social engineers like to have a clock that's ticking, so there needs to be Time Scarcity: this particular situation is only going to be this way for a certain amount of time, and you have to resolve the issue before that timer expires. If the person doing the social engineering can inject some type of urgency, they can make things move even faster. This needs to happen quickly, don't even think about it, just provide this information right now so that we can solve this problem.
Another technique they use is Familiarity. They become your friend; they talk about things that you like, and by doing that they make you comfortable with them on the phone and make you want to do things for them. Of course, the social engineer is also going to try to create Trust between you and him. He is going to tell you that he can solve all of your problems and fix all of these issues. You just need to trust him and provide the information he's asking for.
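The principles above (authority, intimidation, consensus, scarcity, urgency, familiarity, trust) can be turned into a simple triage heuristic for messages an employee is unsure about. The following is an added example, not code from the original page: it tags a message with the principles whose cues appear in it and counts how many distinct principles are stacked together, which is what makes a request suspicious. The cue phrases and the two sample messages are constructed for illustration and are not a vetted detection ruleset.

```python
import re

# Constructed cue phrases, one list per principle named in the text above.
# Real deployments would tune these against the organisation's own traffic.
PRINCIPLE_CUES = {
    "authority": [r"\bhelp ?desk\b", r"\bpolice\b", r"\boffice of the ceo\b",
                  r"\bceo\b", r"\bit department\b"],
    "intimidation": [r"\bbad things\b", r"\bwon't go out\b", r"\bwill not go out\b",
                     r"\bdisciplinary\b", r"\bsuspend(ed)?\b"],
    "consensus": [r"\byour co-?worker\b", r"\beveryone else\b", r"\blast week\b",
                  r"\balready provided\b"],
    "scarcity": [r"\bonly (until|for)\b", r"\bexpires?\b",
                 r"\bbefore (noon|5 ?pm|end of day)\b", r"\blast chance\b"],
    "urgency": [r"\bright now\b", r"\bimmediately\b", r"\bhurry\b",
                r"\bdon'?t (even )?think\b", r"\burgent\b", r"\basap\b"],
    "familiarity": [r"\bmy friend\b", r"\bwe both\b", r"\bbuddy\b", r"\blike you,? i\b"],
    "trust": [r"\btrust me\b", r"\bi('ll| will) (fix|solve|take care of)\b", r"\bjust trust\b"],
}


def assess_message(text):
    """Return {principle: [matched cue text, ...]} for every principle whose
    cues appear in the message. Matching is case-insensitive; only the first
    match per pattern is kept, since we care about presence, not frequency."""
    lowered = text.lower()
    findings = {}
    for principle, patterns in PRINCIPLE_CUES.items():
        hits = []
        for pattern in patterns:
            match = re.search(pattern, lowered)
            if match:
                hits.append(match.group(0))
        if hits:
            findings[principle] = hits
    return findings


def risk_score(findings):
    """Number of distinct principles present. A legitimate request rarely
    combines more than one or two; a stack of four or five is the pattern the
    text above describes."""
    return len(findings)


def explain(findings):
    """Human-readable summary for the person deciding whether to comply."""
    if not findings:
        return "No social-engineering cues found."
    lines = [f"{risk_score(findings)} principle(s) detected:"]
    for principle, hits in findings.items():
        lines.append(f"  - {principle}: {', '.join(repr(h) for h in hits)}")
    lines.append("Verify the requester through a channel you chose, not one they gave you.")
    return "\n".join(lines)


# Constructed sample messages: one that stacks several principles, one benign.
SAMPLE_MESSAGES = [
    ("Hi, this is Dave from the help desk. The payroll checks won't go out unless "
     "I get your login right now, so don't even think about it. Your co-worker gave "
     "me hers last week. Trust me, I'll fix everything."),
    ("Reminder: the quarterly all-hands is Thursday at 10am in the main conference "
     "room. Bring your own coffee."),
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(explain(assess_message(message)))
        print()
```

Run as a script it prints a summary for each sample; the first message trips authority, intimidation, consensus, urgency and trust at once (score 5) while the meeting reminder scores 0. The point of the score is not to block messages automatically but to give a hesitant employee a concrete reason to pause and verify out of band.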
That's how multiple organisations have fallen victim to these relatively unsophisticated attacks. As long as people are aware that this can actually happen, the chances of an attacker succeeding drop considerably.