Social engineering is a technique that aims to access confidential information or certain assets by manipulating people who have direct or indirect access to it. One example of social engineering is phishing.
Social engineering doesn’t just apply to the IT domain, it can also occur in daily life and, in particular, at the workplace. As soon assets of a certain interest are at stake, attacks like this type may appear.
The human factor is the focal point of social engineering attack techniques. In essence, it is the intelligent manipulation of our natural propensity to trust. Relationships based on unearned trust are developed in a calculated way, most often through simple conversation, and are then exploited to gain as much profit from the situation as possible.
Social engineering can take place over the phone, by email , through social networking or, of course, in the physical presence of the attacker.
Social engineering techniques exploit certain human vulnerabilities and vulnerabilities in the targeted entity’s organisation. In fact, it’s human nature to want to help others and trust people who are polite and friendly, even if they’re total strangers. It all depends on the situation and the way in which the wrongdoer(s) present(s) themselves to us. Very often, a simple request asked in a direct manner by the attacker may be all it takes to get the victim to respond sincerely.
The aim of the attack is to make a person do something that they wouldn’t normally do; the attacker’s motivation being to obtain information that they cannot normally access. In an increasingly digitalised world, this very often (but not always) comes down to obtaining authentication information.
An attacker may, for example, initially try to establish a relationship of trust with a member of staff with whom they will spend a certain amount of time trying to uncover information about the targeted company. It is therefore not uncommon to meet attackers with an in-depth knowledge of the jargon employed by the company’s business line and the procedures it has put in place. This makes it easier to make internal contacts and to place requests which may otherwise appear suspicious.
From the employee’s point of view, they are presented with a person who seems to be aware of internal procedures and who uses the same jargon. In a large company where it is difficult to know everybody, the employee has no reason to be suspicious and often ends up cooperating. Thinking they are doing their job correctly, they have no reason to refuse to help a person who they believe to be a colleague.
Very often, the victim only realises they have been tricked after the fact, once the attacker has already left the premises without leaving a trace, but in possession of precious information.
Other strategies are also possible, notably with regard to picking up clues that lead to information. The attacker may present themself as an investigator looking into the business of the targeted person or entity. In particular, they may ask a serious of innocuous questions, amongst which is hiding one to which the answer is of particular interest to the attacker.
The attacker may also adopt a completely different strategy, for example, by putting their victim at an impasse and presenting themselves as the only person who can solve their problem. In the majority of cases, the victim will cooperate and will respond without batting an eyelid at the attacker’s specific questions.