Social engineering is normally a low-tech attack carried out by someone who is confident. It is where an attacker uses his (or her) social skills to engineer an attack. Whereas normally hackers go after technology, social engineering goes after people (staff). It is normally delivered by one of the following:
- Letter
- Phone
- In person
Most hackers or viruses go after technology and to some extent can be stopped with antivirus scanners, firewalls and encryption. Many companies spend a considerable amount on the digital equivalent of ten-foot security fences, including biometrics, firewalls, antivirus scanners and encryption, but fail where it matters most – human error. Paradoxically, advanced security software can often lead to a lax attitude towards security among staff but, as the old maxim goes, 'security is only as strong as its weakest link'.
How can it be prevented?
Mainly through employee IT security-awareness training, which teaches staff to question, slow down and identify the end caller or visitor.
Real life story
In the summer of 2011 the phone rang at an IT security company. Every company receives cold calls but, after a few seconds, this one seemed suspicious (a social engineer). Funny how an IT security company receives a dodgy call.
- Caller: Is Mr. X in?
- Target: Speaking
- Caller: We have noticed your computer has errors and is slow at present
- Target: Which one?
- Caller: Don’t know, Mr. X owns it?
- Target: Ahh
- Caller: No worries, go to Windows event viewer
- Target: I’m there and I see critical errors
- Caller: They slow computers down
- Target: Ahh, how do I remove them?
- Caller: Run TeamViewer (remote access software)
- Target: Got it, now what?
- Caller: Give me the temporary password
- Target: It is ......
- Caller: Great, I’m connected (not a main company computer, of course, just a test PC)
- Target: Yes, I see errors
- Caller: Just transferring a scanner programme
- Target: Ends call and the connection is cancelled when transfer starts
- Why would a total stranger know there are errors on a computer?
- How did the caller know the spec of the PC?
- Why would a stranger offer free help?
- My computer seems fine so why did he call?
- A UK business address, phone number and SSL website certificate do not always mean the caller is legitimate
Probably to sell bogus software, remote IT-support or, worse still, install a trojan to gain access remotely afterwards. A genuine IT support company or an in-house department would not do this.