Social engineering is not a new concept that belongs in the 21st century. Ever since the Turks wheeled that wretched horse in through the gates of Troy, social engineering tactics have proliferated throughout the world and become widely popular.
What is specific to our century, however, is the ability of criminals to use these social engineering techniques in the digital landscape. In most cases, it is far simpler to infiltrate networks and get access to private information through a well-placed phone call to an unsuspecting employee than to spend hours sifting through code in an attempt to access the same information through hacking.
For our purpose, we will describe social engineering as any technique that tries to get around a security system by exploiting its human vulnerabilities rather than breaking into the system itself. Your sophisticated information security solutions and all the technology in the world cannot protect your business from the human problem and associated risk involved with giving your staff access to critical and necessary data.
There is no end to the number or variety of social engineering techniques, all of which are effective in their own way because people tend to respond to certain psychological triggers in predictable ways. There is a tool for every job, and the techniques involved range from the incredibly simple to the particularly artful and sophisticated. Truly committed conmen even study psychology and cognitive science to learn more effective ways of exploiting people’s natural (pesky) tendency to trust.
5 common Social Engineering techniques
1. Don’t I know you?
This technique is known as the cornerstone of social engineering, and involves the conman pretending that he has a perfectly normal reason to be somewhere (where he shouldn’t). This may involve conmen becoming familiar with, and to, people within the organisation they wish to infiltrate and acting like they belong. This method works because, in general, people are more comfortable interacting with and fulfilling the requests of people they are familiar with than those of perfect strangers.
2. Anger management
Not wishing to get caught up in the drama, people go out of their way to avoid angry or upset individuals. Because of this, these individuals are much less likely to be stopped and questioned, making this the perfect technique for getting conmen through areas where they are likely to get stopped, such as security checkpoints. Here conmen pretend to have an angry confrontation on the phone or with an accomplice, or even heatedly mumble to themselves as if still recovering from an argument.
3. Dumpster diving (or One man’s trash)
Much of the success of social engineering is owed to the simple technique of information gathering, as the more information someone has on you, the easier the con becomes. Information can come from multiple sources, ranging from a simple internet search and a browse through your social media presence to good old-fashioned but equally effective (if not more so) dumpster diving.
4. Career criminal
This technique is for the truly committed, and is effective if the reward is worth the risk. It entails a conman getting a job in the organisation he is intending to infiltrate. Even today, hiring managers are unequipped and untrained to spot the signs that they may be hiring someone with malicious intent. Once the conman is through the door, the world is his oyster. Even people in the lowest positions are automatically more trusted, and the gained camaraderie opens even the toughest of doors.
5. Poker face
This method involves reading and responding to the body language of the target.
Conmen build rapport with their marks by smiling at the appropriate times, exhibiting empathy, and making their targets feel at ease. If done correctly, this technique reaps rich rewards. It makes people want to help the conman and, what’s more, they will feel good about doing so. They will be too busy giving themselves the proverbial pat on the back to wisely question, “Why on earth did I just give that guy access to our datacenter?”
So how can you prevent ‘people hacking’?
At the corporate level, the best defence you have against social engineering exploits is thorough training of personnel, making sure they are aware of the risks and methods that may be employed against them.
For individuals, defence methods include enabling two-step verification, strengthening passwords, and rethinking security questions. Because, let’s face it, your mother’s maiden name is not as secret as you may think. You should also review your privacy settings and browsing habits, not only on your social media profiles but on any site where your name and picture may appear. Finally, and probably most importantly, don’t trust people on the internet, on the phone, or even in face-to-face scenarios unless you are absolutely sure that they are who they say they are.