What Is Social Engineering? Social Engineering Examples

After all, gullible employees lead to security breaches.

Humans want to trust other humans. If I struck up a conversation with a gentleman in a suit at the bus stop who explained his life story, why would I distrust him?

What is social engineering?

Social engineering is a way of manipulating people socially so that they trust the social engineer and eventually provide some sort of useable data. For instance, instead of trying to find software vulnerabilities to exploit for sensitive data, a social engineer might try to trick someone into divulging an administrative password without realizing it.

Have you ever seen the crime drama Catch Me If You Can? Frank Abagnale, the main character, is a master of social engineering. He convinces people he’s an airline pilot, doctor, and attorney by forging documents and acting like he belongs. The scary thing is, it’s a true story.

See also: White Paper: 5 Tips to Train Your Workforce on Social Engineering

What’s the problem with social engineering?

‍Here are some common social engineering examples

• Steal badges and credentials in unlocked cars
• Go to the local donation store and buy old company T-shirts
• Pose as janitorial staff to get into a building
• “Can you hold the door for me? I don’t have my badge.”
• Pose as an IT person that needs to fix the network
• Try unlocked doors around the backside of buildings
• Pose as law enforcement conducting an inspection
• Dumpster dive for sensitive documents

‍Here’s what happens when I try to socially engineer someone.‍

How to avoid being a victim

The best way to avoid being socially engineered is by educating yourself and your employees. Here are some points you should touch on during training:

• You should be slightly paranoid (better to be safe than sorry)
• Social engineers don’t sneak around. They’re confident and friendly. They look like they belong. Don’t be pressured by their convincing ways.
• Never give out your username/password, badge, PIN, ID number, credit card, or schedule. In essence, never give out sensitive information about you or your company.
• Ask for a contact to verify why the person needs the information they’re asking for
• Don’t hold secure doors open for people you don’t know

The only way to identify if your employees have soaked in all that knowledge is to test them. You can don a disguise and test them yourself, or enlist the help of a professional (also called a pen tester), to come onsite and test your employees, experiment with your physical security, and see what interesting information they can find in your trash cans.