What is Social Engineering?

Posted by Jeremy O'Brien on May 05, 2017


Reprinted with permission from the University of Tennessee at Knoxville, Office of Information Technology (OIT) 

What is Social Engineering? 

Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords, your bank information, your credit card information, or access to your computer so they can secretly install malicious software that will give them access to your information as well as control over your computer. 

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak). 

Security is all about context: knowing WHO and WHAT to trust. It means knowing when, and when not, to take a person at their word; when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is or isn't legitimate; when to trust that the person on the phone is or isn't legitimate; and when providing your information is or isn't a good idea. 

Ask any security professional and they will tell you that the weakest link in the security chain is YOU, the human who accepts a person or scenario at face value. It doesn't matter how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking that he is legitimate, you are completely exposed to whatever risk he represents. 

For example, if you have a question about a charge on your credit card bill, call your bank or financial institution directly. Recently, there was a case where a person questioned an excessive charge on their credit card statement. They "Googled" the customer service number for the company that placed the charge and, innocently enough, landed on a site that "looked about right" and had all the right words, except that the URL did not belong to the company that had placed the charge. They called the number on the site and ended up giving their credit card number to the person on the phone and granting that person access to their work computer. The site was bogus; it mimicked the customer service pages of all the major social media outlets. For over 20 minutes, the criminals had access to the workstation PLUS the credit card number. Moreover, the criminals had full access to the person's email and drives, and they were free to download as much from the workstation as they wanted. 

NEVER grant others access to your computer (work or home) unless you have checked it out thoroughly. Ask your departmental IT staff before granting anyone access to your computer. You can also call OIT and seek guidance. 

Regardless of our occupations or the level of education we've achieved, we're all subject to social engineering; it's how we're built. Unfortunately, that is exactly what the criminals are counting on, and they're very good at extracting information from you. YOU are the last line of defense. All of the technical controls are moot if you give up control of your device or use passwords that are weak and subject to cracking.