Social Engineering

Social engineering, or "people hacking", involves tricking people into providing sensitive information through deception. Some common social engineering techniques include pretending to be IT support in need of login credentials, or posing as a coworker or family member to gain access to accounts. Kevin Mitnick described using social engineering to hack networks and phone systems. To prevent social engineering, organizations should educate employees, use security measures like authentication codes, be wary of unseen callers, employ security guards, shred documents, and properly dispose of equipment.

Uploaded by Kal

Social engineering

Updated: 03/12/2022 by Computer Hope

Social engineering, or people hacking, is the act of tricking a person by an act of deception. For example, someone could call a business and trick an employee into thinking they are from IT. Then, they could ask the individual to confirm their password so they can access the network, or to visit a web page so they can steal information.

Tip: In his book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, Kevin Mitnick described how he used social engineering to gain unauthorized access to networks and phone systems. See: What computer books would you recommend reading?

Social engineering examples

Below are examples of how someone could use social engineering to access your network, steal confidential information, or get something for free.

- Fellow employee - Pretending to be a fellow employee who is having problems accessing their account and needs security, login, or other account details.
- Fake IT - Fake IT support requesting remote access to a computer because of a fake problem or security threat.
- Pretend spouse - Pretending to be a spouse calling a company about problems accessing their spouse's account and needing account details.
- Bogus student - A bogus student calling support staff indicating a website is not working. When a staff member visits the supposed problem page, it gathers computer and network information or tries to infect that computer with a trojan or other malware.
- Fake customer - A fake disgruntled customer complaining about products they didn't purchase who demands a refund or compensation without proof of purchase.
- Pretend maintenance man - Someone prints a pretend badge that gives the appearance they are a repairman who is visiting to fix a computer, printer, phone, or another system. After gaining access to the building, they can access confidential documents or computers that would allow them access to the network.
- Fake client - An e-mail from a fake client that sends a business proposal with an attachment containing malware used to gain remote access.
- Malicious USB or CD - Leaving a USB flash drive or CD with malware in a company parking lot with an attractive label to get someone to plug it into their computer. For example, an infected USB flash drive labeled "Payroll."
- Swatting - Pretending to be someone in danger when calling the police department to get them to send the S.W.A.T. team to someone's house.

Preventing social engineering attacks

Education

All employees, staff, students, or family members on the same network need to know all of the potential threats they may face. It's important that anyone else who may have remote access, such as a third-party IT company or contractors, also be educated.

Security measures

Most companies have (or should have) security measures, such as a code that is required to access account details. If a customer, or a caller claiming to be the customer, cannot produce that information, the account details should not be given to them over the phone. Providing the information to avoid conflict with the customer would result in an employee immediately losing their job.

Always be wary of what you cannot see

Most social engineering attacks are carried out over the phone, e-mail, or other forms of communication that do not require face-to-face contact. If you cannot see whom you are talking to, assume the person you're talking to may not be who they say they are.

Security or front desk

Not all social engineering attacks happen over the phone or the Internet. An attacker could also visit the company with a pretend badge or other form of identification. Every business should have a front desk or security guard who is also aware of all security threats and knows that no one can pass without proper authorization. They should also realize that ignoring these precautions (e.g., letting in someone who says they forgot their badge) would result in them losing their job.

It's also a good idea to have more sensitive areas, like a server room, require additional security, such as a badge reader that only allows authorized employees to access the room. Also, employees who access a building or room using a badge should realize they too should not allow anyone to come through the door at the same time as them.

Finally, keep all entrances to a building secure. For example, if a business has a smoking door where people go out for a smoke break, it should be protected and watched. Someone could pretend to be an employee out smoking and enter when other smokers come out.

Shred

Some people are not afraid to dumpster dive to find confidential company information or other information that would allow them access to a network. Any papers your employees throw away should be shredded.

Properly discard company equipment

Make sure any equipment is properly destroyed or discarded. Most people realize that a computer hard drive (even when erased) may contain sensitive data that can be recovered. However, not many people know that devices like copiers, printers, and fax machines also contain storage, and that sensitive data can be recovered from these devices as well. Unless you are comfortable with someone reading everything you've ever printed, scanned, or faxed (not likely), make sure to properly discard the device.
