Social Engineering

Social Engineering describes methods of influencing people with the goal of illegally obtaining sensitive data (e.g. passwords, credit card information). Social Engineers observe the personal environment of their victims and use fake identities to gain secret information or free services. In most cases Social Engineering is used to infiltrate third party computer systems to spy on sensitive data; in that case social engineering is also called Social Hacking.

An early form of social engineering first appeared in the 1980’s and was named phreaking. Phreakers called phone companies and claimed to be system administrators and asked for passwords which they used to connect illegally and free of charge to the internet. A more modern form of social engineering is called phishing. Phishers pose as corporate and public administrators and request password information from the target organization’s user base.

The most common form of phishing is called ‘fraud mailing,’ where the victim is sent a fake e-mail, usually from their bank. The letter includes a link that redirects the victim to a fake website to login to their account.

The main mode of social engineering however, is still faked phone calls: the social engineer calls employees of a company and impersonates a technician who needs sensitive data to complete important technical operations. In advance the attacker has gathered information about work routines of the target company from public sources or former raid attempts. The invader tries to confuse his victims and to seem trustful, using trade language and involving the victims in small talk. Further the assaulter pretends authority to frighten his victims. In some cases the employee actually requested technical support and is expecting such a phone call.

The prevention of social engineering is difficult. The invader abuses typical human behavior like helpfulness in emergency situations, and general mistrust would disturb the efficient and trustful team work of an organization. The most effective way to avoid social engineering is to assure the identity of the caller. This can already be done by asking for the caller’s name and phone number and to politely ask for patience, even if the caller’s issue seems to be very urgent.

Well known social engineers include Kevin Mitnick,who became one of the most wanted persons of the United States of America because of successfully invading government systems such as the Pentagon and the NSA, and Frank Abagnale, who was the subject of the film ‘Catch Me If You Can.’

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.