
What Is Social Engineering? Social Engineering Examples

By: Brand Barney, SecurityMetrics

Gullible employees lead to security breaches.

Humans want to trust other humans. If I struck up a conversation with a gentleman in a suit at the bus stop who explained his life story, why would I distrust him?

What is social engineering?

Social engineering is the manipulation of people so that they trust the social engineer and eventually hand over some sort of usable data. For instance, instead of hunting for software vulnerabilities to exploit for sensitive data, a social engineer might trick someone into divulging an administrative password without that person realizing it.

Have you ever seen the crime drama Catch Me If You Can? Frank Abagnale, the main character, is a master of social engineering. He convinces people he’s an airline pilot, doctor, and attorney by forging documents and acting like he belongs. The scary thing is, it’s a true story.


What’s the problem with social engineering?

Here are some common tactics social engineers use against us:

  • Steal badges and credentials in unlocked cars
  • Go to the local donation store and buy old company T-shirts
  • Pose as janitorial staff to get into a building
  • “Can you hold the door for me? I don’t have my badge.”
  • Pose as an IT person that needs to fix the network
  • Try unlocked doors around the backside of buildings
  • Pose as law enforcement conducting an inspection
  • Dumpster dive for sensitive documents

Here’s what happens when I try to socially engineer someone.

How to avoid being a victim

The best way to avoid being socially engineered is by educating yourself and your employees. Here are some points you should touch on during training:

  • Be slightly paranoid (better to be safe than sorry).
  • Social engineers don’t sneak around. They’re confident and friendly. They look like they belong. Don’t be pressured by their convincing ways.
  • Never give out your username/password, badge, PIN, ID number, credit card, or schedule. In essence, never give out sensitive information about you or your company.
  • Ask for a contact you can call to verify why the person needs the information they’re asking for.
  • Don’t hold secure doors open for people you don’t know.

The only way to find out whether your employees have absorbed all that knowledge is to test them. You can don a disguise and test them yourself, or enlist a professional (also called a pen tester) to come onsite, test your employees, probe your physical security, and see what interesting information they can find in your trash cans.


Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
