Top 10 Social Engineering Tactics
Learn more about Social Engineering.
The easiest way to describe social engineering is to compare it to a con artist, or even P.T. Barnum himself.
To be true, the quote, "There's a sucker born every minute," might as well be gospel to a typical social engineer.
More to the point, social engineering is a process wherein someone uses influence, deception, and persuasion to get information that would otherwise be unavailable to them (which is also known as fraud).
At any rate, here are the top ten social engineering tactics people use to.
Gain access to most anything man made in the world
1. Alcohol: It's a scarily effective way to get the information you want out of a so-called security expert or corporate executive.
It's not just the hard drinks that does people in, though; it's a combination of their lowered guards, their inebriation, and the ambiance of the bar that compels them to spill the beans and disclose information they normally wouldn't share.
2. Sex: You really don't need fancy cracking programs, hacking devices, and whatnot to steal the information you need.
Before the concept of firewalls was even formulated, sex (or at the very least, sex appeal) has been used to manipulate targets into divulging their personal secrets with you (pillow talk, if you will), which may include work-related data.
3. Neuro-Linguistic Programming: A social engineer should be an expert at manipulating the human mind.
Ergo, understanding NLP (neuro-linguistic programming) is a must.
When done right, NLP allows a social engineer to subtly use a careful choice of words and his body language in order to earn the confidence of an intended mark.
Understanding behavior profiling and personality styles will make this technique even more effective as well.
4. Social Networks: If manipulating people through human psychology techniques just isn't your thing, then perhaps a little bit of social network research is in order.
Sites like MySpace and Facebook are a social engineer's paradise because it's a virtual treasure trove of personal and corporate information.
If you want, you can even connect to the people behind these accounts to partly earn their trust.
Swindlers nowadays are spoiled by innovations such as the Internet.
5. Vishing: There's phishing, and then there's vishing.
In simplified terms, vishing is the phone equivalent of a phishing attack.
A visher basically uses the anonymity afforded by a phone call to pretend to be a representative of a target's financial institution. By manipulating a victim to enter his PIN, credit card number, and so on using the phone keypad, a visher can get instant access to another person's bank credentials.
6. Whaling: This phishing variation involves stalking high-profile targets using both traditional phishing techniques as well as some Internet-based investigative methods (because anyone who's important enough to be, say, a junior executive of a company should have a significant online presence one way or the other).
7. Phishing: Yes, the traditional phishing scam is also a social engineering tactic as well.
After all, convincing users that you're a legitimate representative of their bank so that they'll click your link to your spoofed site requires a lot of convincing power as well as technical know-how.
8. Techie Talk: So you're not a psychology graduate and you lack the charm of a traditional con artist; does that mean you don't have what it takes to be a social engineer? That's not necessarily the case for those who have a tech support background.
Techie talk enables you to use your victim's lack of technology knowledge against him so that you can literally trick him into doing anything with his computer by "walking" him through the entire "process".
9. Piggybacking: This is a simple process of appearing behind a legitimate employee in order to walk into a secure building.
For example, you can pretend to hold an important package so that you can ask an actual employee with access to the office to "help" you get the door.
10. Reverse Social Engineering: This method involves three steps: sabotage, advertising, and assisting.
The first step involves the sabotage of a targeted network by any means necessary.
The second step involves advertising your services to the network owners you sabotaged in the first place.
The last step involves actual assistance, which will allow you access to your victims' databases and corporate information.
This modern-day equivalent of the age-old scam is particularly troubling to even the most secure data centers in the world because the so-called "human factor" remains the weakest and most vulnerable point of any given security system—and it has always been this way since time immemorial.
Once you've tricked a person to hand you permission to access a network, all security measures are rendered null and void.
Never give your password, bank credentials over the phone.
Never give your password, bank credentials over email.