What Is Social Engineering? And How To Protect Yourself

What is social engineering? It’s nothing new—it’s probably been going on for thousands of years, but telephones and, later, the Internet have made it easier than ever before.

It’s really just a specific form of the ancient “con job.” Someone calls you on the telephone or contacts you via the Internet. Then they convince you to do something innocent—usually giving away a little information. They use that information to get a little more information from someone else. After a few more steps, they have enough information to steal a lot of money from you or your company.

An Example Of A Real Life Attack

To explain what social engineering is, here's a true story. A hacker named reported calling a receptionist at a large corporation. He claimed to be somewhat confused and asked the receptionist—a woman who had been hired for the job because of her helpful personality—who it was he had spoken to the other day. The hacker said the person had claimed to be the vice president of Human Resources.

The receptionist wanted to be helpful, so she looked up the V.P. of Human Resources in the employee directory and gave his name and office phone number to the hacker.

Next, the hacker used his phone-hacking equipment to make his caller ID look as if the call came from the V.P. of Human Resources, and he phoned the most junior secretary in the Human Resources department.

He told that secretary—who had also been hired for being a helpful person—that he was the vice president and that he was working off-site at a conference in another city that week. He needed a copy of the confidential employee directory so that he could contact people still in the office. The secretary checked that the caller ID said the call was coming from the V.P., and on that basis agreed to email the employee directory. The hacker then sold the directory to a head-hunting firm for several thousand dollars.

What Is Social Engineering At Home?

So what does social engineering look like at home? Hackers use the same tricks to attack you there. They pretend to be your Internet Service Provider (ISP) and tell you that your email inbox is full. To keep receiving your email, you supposedly need to give them your password so they can upgrade your account.

But once you give them your password, they use it to log into your email account. There they find out which bank you use and tell the bank you have lost your password. When your bank sends a new password to your email account, they read it, log into your bank account, and steal all of your money.

Even the best security software cannot prevent this type of social engineering, because the victim hands over the password voluntarily.

Social Engineering: How To Protect Yourself

Now that you know what social engineering is, it is important to protect yourself. Probably the best way to protect yourself from a social engineering attack is to treat all sensitive, personal or financial information as top secret. Be aware at all times that even the smallest piece of innocent-looking information can be used by an attacker to steal your identity and obtain goods and services at your expense.

To improve your security further, I strongly recommend that you...

  • Don't provide any sensitive information to unknown individuals during incoming phone calls. Always ask for the person's name and a fixed-line callback number, then look the number up in the yellow pages or with your favorite Internet search engine before you call back and provide any information. Be alarmed if the caller tries to browbeat you.
  • Establish your personal data security policy. If you are a member of social networks, make sure that personal data such as
    -- private addresses
    -- birth dates
    -- names of family members
    -- private phone numbers
    -- email addresses
    are only accessible to selected individuals you know personally and trust.
  • Make targeted use of misinformation. Don't provide correct personal information in situations where it is not mandatory for processing a particular action (e.g., why should I provide my date of birth when registering for a newsletter?). Even if the requester uses this information only for statistical purposes, be aware that the stored data can be stolen by an attacker at any time and used further.
  • Use not only different passwords for your online accounts but also different usernames. Social engineering attackers often assume that their victim uses the same account name on different websites. Using different account names helps you prevent that kind of social engineering attack.
  • Dispose of sensitive data the right way. Data you have deleted only with the trash bin function of your operating system can easily be recovered. For that reason, social engineering attackers often buy used hard disks or memory sticks via eBay to extract sensitive information from them. If you are planning to sell your old hard disk or memory stick, use hard drive shredder software to remove all data from the storage media.

Social engineering attacks are not always related to internet safety. They can happen in all sorts of situations. It’s not until their bank accounts are empty that most people ask the question, “what is social engineering?”
