Monday, July 2, 2007

Social Engineering

What is Social Engineering?

Social Engineering is the practice of tricking people into revealing their personal information, passwords, or other information that can be used to compromise system security. A classic social engineering technique is for an attacker to make telephone calls or send e-mails claiming to be a Help Desk technician, a system administrator, or a member of senior management.

The following are some examples of social engineering:

By telephone – The caller pretends to be someone in authority or someone needing assistance. The caller attempts to get you to reveal your logon information, information about your system or software, information about your organization’s staff or structure, etc. They may even attempt to get you to change your password to something they suggest, open an e-mail attachment they will send you, or visit a certain web site.

By e-mail – The sender pretends to be someone in authority or someone needing assistance, and sends an e-mail message to you requesting you to forward sensitive but unclassified (SBU) information via e-mail.

In person – A person walks through your office looking for sensitive information at desks, printers, fax machines, desktops, computer screens, etc. Social Engineering can also take place at trade shows and conferences, for example when you exchange business or contact information. They may also directly request the sort of information mentioned in the “By telephone” and “By e-mail” sections above.

In writing – A document transmitted via postal mail, inter-office mail, hand delivered, etc. can be used for social engineering.

On the Internet – Phishing (pronounced “fishing”) is a scam that uses Internet links to deceive users into disclosing personal information for the purpose of identity theft. Identity theft is the illegal use of another person’s personal information to steal money from their accounts and commit fraud while impersonating the victim. It often starts with an e-mail that appears to come from a legitimate company or organization (e.g., Employee Express, Citibank, AOL, etc.) and appears to contain links to that organization’s official web site. In fact, the e-mail was sent by criminals, and the links lead to a fake web site where users are asked to provide information like account numbers, PINs, Social Security numbers, etc. that will then be used to commit identity theft.

In the trash – Dumpster diving is the recovery of information from paper products or electronic media that has been discarded.
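The “On the Internet” example above rests on one trick: the e-mail names a real organization, but the links point somewhere else. The following Python script is an added example, not part of the original post, showing how to check an HTML e-mail body for that mismatch. It collects every anchor, then flags links whose visible text names one host while the href goes to another, links whose host is a raw IP address, and links whose host contains a trusted brand name without actually being that brand’s domain. The e-mail body, the hostname example-secure-login.net, and the address 203.0.113.10 are constructed for the example (Citibank is the page’s own example of an impersonated company); the two-label domain approximation is a stand-in for a real public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail of the kind the post describes: the text names the
# bank, one link is genuine, two are not. Hostnames/IP are made up for the example.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear Citibank customer, please verify your account within 24 hours.</p>
<p><a href="http://citibank.example-secure-login.net/verify">https://www.citibank.com/verify</a></p>
<p><a href="https://www.citibank.com/help">Help centre</a></p>
<p><a href="http://203.0.113.10/login">Sign in</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(hostname):
    """Last two labels of a hostname. Assumption: a crude stand-in for the
    public suffix list, which a production tool should use instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(href, text, trusted_domains):
    """Return the list of reasons a link looks like phishing (empty = no finding)."""
    reasons = []
    host = urlparse(href).hostname or ""
    # 1. Visible text is itself a URL, but its host differs from the real target.
    text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
    if text_host and registrable_domain(text_host) != registrable_domain(host):
        reasons.append("link text shows %s but href goes to %s" % (text_host, host))
    # 2. Raw IPv4 address instead of a domain name.
    if host and host.replace(".", "").isdigit():
        reasons.append("href uses a raw IP address %s" % host)
    # 3. A trusted brand name appears inside a host that is not the brand's domain
    #    (e.g. citibank.example-secure-login.net).
    rd = registrable_domain(host)
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if rd != trusted and brand in host:
            reasons.append("brand %s appears in host %s, which is not %s" % (brand, host, trusted))
    return reasons


def scan_email(html, trusted_domains):
    """Parse an HTML e-mail body and return [(href, reasons)] for suspicious links only."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = classify_link(href, text, trusted_domains)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML, ("citibank.com",)):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script reports the first and third links and leaves the genuine citibank.com help link alone. The same three checks apply to any brand: pass the organization’s real domains in trusted_domains, and remember that an attacker who registers a lookalike domain without the brand string (or uses a compromised legitimate site) will pass check 3, so treat a clean result as “nothing obvious”, not as proof the mail is safe.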
