WHAT IS SOCIAL ENGINEERING?
At its core, social engineering is a con game: the criminal manipulates individuals into divulging valuable information and/or transferring funds. Put another way, social engineering is the act of influencing people to disclose information and to act in ways they should not. It is also called “human hacking,” and criminals know it to be much easier than hacking computers, as Christopher Hadnagy notes in his book “Social Engineering.” These con artists use several methods of communication to carry out their schemes, including email, the internet, telephone, and face-to-face interaction. Humans are widely regarded as the weakest link in the security chain. In the schemes described here, the purpose of social engineering is to gather enough personal information to pose as someone who is authorized to transfer funds, or authorized to instruct someone within the organization to transfer funds.
TYPES OF SOCIAL ENGINEERING TACTICS
- IMPERSONATION/PRETEXTING: Using this scheme, the criminal devises a plausible story (the pretext) to draw the target into a conversation that increases the likelihood the target will divulge personal information (Social Security number, date of birth, logon credentials) about themselves, their employer, or clients. The criminal poses as an authority figure who has a right to the information. An example is a criminal impersonating an IRS agent who calls someone and requests personal information (Social Security number, date of birth, bank account information). A simple check defeats most pretexts: a caller who initiates contact cannot be verified by that same call, so hang up and call the organization back on a number you already know.
- PHISHING: This involves sending emails that appear to come from well-known banks, credit card companies, or retailers. These emails request private information and normally state that something negative will occur (an account closed, a payment missed) if the information is not sent. Once the victim sends the information, the thief can access the funds in a bank account, take out loans, or use credit cards. The sender’s display name proves nothing; the actual sending address and the real destination of any link are what matter, and a legitimate institution does not ask for passwords by email.
- BAITING: This type of scheme plays upon the curiosity or greed of an individual. It is done by leaving removable media, such as USB thumb drives or external hard drives, in a location where they can easily be found. The device is labeled with an official-looking emblem and a title that would make someone want to know what is saved on it (for example “Employee Salary Summary” or “Company Financials”). An employee who finds the device is prone to insert it into a computer to view the information, and by doing so installs malware that may give the criminal access to the company’s computer network. From that point the information gathered can be used to transfer funds, or to communicate with others within the company and have them transfer funds to an account owned by the criminal. Baiting can also be achieved when a criminal sends an invitation to install attractive or free software that is actually malware (for instance, free computer games).
- QUID PRO QUO: Using this method, the criminal calls employees within a targeted company claiming to be returning a call that requested tech support. The criminal keeps calling until reaching an employee who actually has a computer problem, and then asks for that employee’s logon credentials in order to “fix” it. This provides access to the computer system, and malware can then be installed. Experience shows that many employees will provide logon credentials without hesitation to a caller who sounds like support staff.
- TAILGATING: Using this technique, the criminal seeks to enter a business in order to gain access to computers and electronic information. They do this by following a legitimate employee who has a key or electronic key fob through a secured door. The legitimate employee may hold the door open out of courtesy, or the criminal may ask the employee to hold the door open. A polite request should not bypass the badge reader: each person entering should badge in individually.
- IVR/PHONE PHISHING (also called vishing): The criminal uses recorded calls, played through an interactive voice response (IVR) system, that sound like a legitimate message from a bank or financial institution and ask the recipient to respond, by calling back or keying in details, in order to “verify” confidential information.
- TRASH COVER/FORENSIC RECOVERY (also called dumpster diving): Criminals collect information from discarded materials, such as old hard drives, software media, and thumb drives, and from discarded paper documents. Data on discarded media can usually be recovered with ordinary forensic tools unless the media has been securely wiped or physically destroyed.
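The PHISHING item above lists the tell-tale features of a phishing email: a trusted brand in the sender name, a threat of something negative, and a request to act. The following Python script is an added example, not code from the original page, that triages raw email messages for exactly those indicators: a display name claiming a brand whose real sending domain does not match, a Reply-To steering replies elsewhere, pressure language, and links whose visible text shows one host while the href points to another. The brand “Example Bank” and its sending domain, the sample messages, and all domain names are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand and the domain it legitimately sends mail from (assumption).
KNOWN_BRANDS = {
    "example bank": {"examplebank.com"},
}

# Pressure language typical of the "something negative will occur" lure.
URGENCY_PHRASES = (
    "account will be suspended",
    "verify your account",
    "within 24 hours",
    "confirm your password",
)


class _LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain reduction (last two labels). Adequate for the
    constructed samples; a real tool would use a public-suffix list."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []

    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))

    # 1. A brand is claimed in the display name or subject, but the real
    #    sending domain is not one of that brand's domains.
    claimed = [b for b in KNOWN_BRANDS if b in display_name.lower() or b in subject.lower()]
    for brand in claimed:
        legit = {registrable_domain(d) for d in KNOWN_BRANDS[brand]}
        if registrable_domain(sender_domain) not in legit:
            found.append(f"brand '{brand}' claimed but sender domain is {sender_domain}")

    # 2. Replies are steered to a different domain than the one that sent the mail.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        found.append(f"Reply-To domain differs from sender: {reply_to}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (subject + " " + text).lower()

    # 3. Pressure language in subject or body.
    urgent = [p for p in URGENCY_PHRASES if p in haystack]
    if urgent:
        found.append("urgency language: " + ", ".join(urgent))

    # 4. Visible link text names one host while the href goes somewhere else.
    collector = _LinkCollector()
    collector.feed(text)
    for anchor_text, href in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s]+)", anchor_text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            found.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return found


# Constructed sample messages (not real mail).
PHISH_SAMPLE = b"""From: "Example Bank Security" <alerts@examp1ebank-verify.net>
Reply-To: recover@mail-support.biz
To: customer@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Verify your account within 24 hours or it will be closed.</p>
<p><a href="http://examplebank.com.login-check.biz/verify">https://www.examplebank.com/secure</a></p>
</body></html>
"""

LEGIT_SAMPLE = b"""From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Sign in at examplebank.com as usual; we never ask for your password by email.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run against the two constructed samples, the script reports four indicators for the phishing message (brand/domain mismatch, divergent Reply-To, urgency language, and a link whose text and destination disagree) and none for the legitimate statement notice. None of these checks is conclusive on its own; the point is that the visible sender name and visible link text, which is all the victim usually reads, are the two things the criminal fully controls, so triage has to look at the underlying address and href instead.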