Beware: Social Engineering

By: Absolute Team | 11/20/2008

Joan Goodchild has put together an article entitled "Social Engineering: Eight Common Tactics" for CSO Online. Knowing some of these tricks, and integrating tips such as these into regular employee training, can help ward off some of the threats to data security. Several of the tactics regard employees unwittingly giving information to criminals via the phone, while others are more traditional cybercrime issues.

"Social engineering is the art of manipulating people into performing actions or divulging confidential information... The term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim." - Wikipedia

8 Common Social Engineering Tactics to Avoid

  1. Ten degrees of separation - criminals may try to draw out information from the "front line" employees, each time gaining information to access employees further inside the organization. Another tactic is to be friendly, slowly drawing out more and more information.
  2. Learning your corporate language - if a criminal sounds familiar, your guard may be down to disclosing confidential information
  3. Borrowing your 'hold' music - to pretend to be from inside the company
  4. Phone-number spoofing - as above
  5. Using the news against you - as lures for spam, phishing and other scams. Particularly dangerous if targeted to company news.
  6. Abusing faith in social networking sites - suggest typing site names manually, not clicking links
  7. Typo Squatting - for web URLs
  8. Using FUD to affect the stock market - FUD = fear, uncertainty, doubt. Can be used in a number of ways to scam stock prices.

You can read the full details here. You can also read the latest McAfee Security Journal report about the increase in use of social engineering techniques in cybercrime.

Also of interest, ScanSafe has released the 3rd quarter results of their Global Threat Report. [PDF]

Financial Services