Social engineering happens when someone uses manipulation, influence or deception to get another person to release information or to perform an action that benefits a hacker. Hackers will often take advantage of genuine security gaps in your network, but at organisations of any size, layers of sophisticated technical security can be undone in seconds because one employee, whether through trust, lack of awareness or carelessness, reveals company information to someone with malicious intent.
Employees could be tricked into anything, from allowing someone to physically follow them into your data centre to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit. This includes:
- Personal Info – passwords, account numbers
- Company Info – phone lists, identity badges
- Server Info – server names, network details, non-public URLs
Understanding the social engineering techniques used
So, how do you defend against such tactics? Familiarising yourself with social engineering techniques is your first line of defence. What does a social engineer actually sound like? You might believe that social engineers would be easy to spot, but often enough they sound like the people you run into at work every day. Below are a number of common scenarios that your staff could encounter:
- On the phone – “This is Kevin from IT. We’ve been notified of a virus on your department’s machines.” This is one of the most common scams: a hacker poses as an IT help desk worker to glean sensitive information such as a password from an unsuspecting employee. A genuine help desk never needs your password, and an unexpected call of this kind should be verified by hanging up and calling IT back on a known internal number.
- At the reception desk – “Hi, I’m the service tech from HP and I think Ellen is expecting me at 1pm.” A claimed appointment is easy to invent, so reception should confirm it with Ellen directly before the visitor is allowed past the front desk. This is why well-meaning staff members and other insiders need to be educated as to how and why they could be targeted and what to do if they suspect a potential threat.
- At the building entrance – “Oh! Wait, could you please hold the door? I left my key/access card in my car.” People want to be helpful, and they often downplay the risks of engaging with someone they don’t know, and that can be a perilous mix. The polite but safe response is to direct the person to reception to be signed in and issued a temporary badge rather than holding the door for them.
In our next article on this topic we will look at defending against social engineering attacks.