By Sarah Zito, Victim Advisor, ITRC
Oftentimes thieves find that hacking humans is easier than hacking computers. This is called social engineering. Social engineering was in use long before identity theft was a buzzword, and long before computers were invented.
Social engineering is the act of manipulating and deceiving a person in order to have them perform actions or divulge confidential information (essentially a fancier, more technical way of lying). This is often easier than a computer break-in using technical hacking techniques.
You are a victim of social engineering every day. Social engineering is an important part of our society. It actually is an integral part of our basic social skills. We all use social engineering to get what we want. Whether it’s your child negotiating an extra scoop of ice cream or a co-worker urging you to cover her shift so she can care for her “ailing mother”, you are being “socially engineered” or manipulated. You are a social engineer as well. You probably have called upon your own skills to nab that new promotion or sway your family to go to your favorite restaurant.
Social engineering is often used by identity thieves and scammers to obtain useful information for fraud and account entry, rather than relying on weaknesses in physical security or in computer hardware and software. The aim is to trick people into revealing passwords or other information that compromises account security or personal information.
Reformed computer criminal, and later security consultant, Kevin Mitnick popularized the term “social engineering,” pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system. He claims it was the single most effective method in his arsenal.
A good social engineering scam always starts with pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim. This is the scam artist’s cover story; this story must convince the victim that it is safe and reasonable to give up information, allow access, or part with money.
Pretexting is often used to impersonate police, banks, tax authorities, insurance companies, investigators, or co-workers — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. Much of the time, the pre-texter just needs to sound authoritative and be able to think on their feet to get what they need.
Social engineering is not limited to phone calls; many cases involve visitors impersonating a repair technician, a legitimate-looking email requesting account verification, or a scammer convincing delivery drivers to drop packages around the corner instead of at the delivery address.
Social engineering is here to stay and is expected to grow even more complex in its implementation. Now is the time to protect yourself: be aware and alert, and always trust your instincts. It is always best to question the authenticity of phone callers, emails, letters and individuals.