It Seems So Easy to Gain Access: Social Engineering

Published: January 12, 2005

Hackers use the term “social engineering” to describe the art of persuading people to divulge information, such as account names and passwords. This information can allow the hackers to then access a system or network. These methods depend on people skills rather than technical skills, since they exploit human nature rather than software or hardware vulnerabilities.

A good social engineer is an accomplished actor who tries to charm or intimidate network users into giving him sensitive information. Common ploys include pretending to be an organization executive or member of the IT staff, a fellow worker, or a member of an outside organization, such as a network consultant or phone company employee.

A survey by BBC News indicated that more than 70 percent of people who work with computers were willing to reveal their passwords and information that could be used to steal their identities. Information about the survey is available in the article “Passwords revealed by sweet deal”.

Kevin Mitnick was one of the most famous hackers of the 1980s and 1990s, and served five years in prison for breaking into telephone and computer systems. He now lectures and writes about computer security, and says that social engineering is one of the most dangerous hacking techniques because the best technology in the world cannot defend against it. This human factor is one of the most often overlooked threats to computer security.

Defending Against Social Engineers

  • You should be suspicious of people who ask you for your account name and password, computer name, IP address, employee ID number, or other information that could be misused.

  • You should be especially suspicious if they attempt to charm you or intimidate you. Refer them to the IT department. If they claim to be from the IT department, hang up and call back to verify this information, or check it out with your supervisor. If they claim to be a manager or officer in your organization and you do not recognize their name, voice, or face, explain that you are concerned about protecting the security of the network and that you need to verify their identity before you can give them sensitive information.

  • If you receive an e-mail message claiming to be from your bank, ISP, or an organization with which you do business and requesting information about your account, do not respond through e-mail or a Web page. Instead, call the organization and ask if the e-mail request is legitimate (do not use any telephone number listed in the message; look up the number separately). Most organizations do not use e-mail for such correspondence. Do not click on links contained in e-mail messages to visit an organization’s Web site. Instead, manually type in the URL for the organization’s home page and navigate from there to your account logon site.
