Common Social Engineering Methods 








Posing as a fellow employee
Posing as an employee of a vendor, partner company, or law enforcement
Posing as someone in authority
Posing as a new employee requesting help
Posing as a vendor or systems manufacturer calling to offer a system patch or update
Offering help if a problem occurs, then causing the problem to occur, so that the victim is manipulated into calling the attacker for help
Sending free software or a patch for the victim to install
Sending a virus or Trojan horse as an email attachment
Using a false pop-up window asking the user to log in again or sign on with a password
Capturing the victim's keystrokes with an expendable computer system or program
Leaving a floppy disk or CD with malicious software on it around the workplace
Using insider lingo and terminology to gain trust
Offering a prize for registering at a Web site with a username and password
Dropping a document or file at the company mail room for intraoffice delivery
Modifying a fax machine heading to appear to come from an internal location
Asking the receptionist to receive and then forward a fax
Asking for a file to be transferred to an apparently internal location
Getting a voice mailbox set up so that callbacks perceive the attacker as internal
Pretending to be from a remote office and asking for email access locally

 


Warning Signs of an Attack

Refusal to give a callback number
Out-of-the-ordinary request
Claim of authority
Stresses urgency
Threatens negative consequences of non-compliance
Shows discomfort when questioned
Name dropping
Compliments or flattery
Flirting

 

Common Targets of Attacks

TARGET TYPE / EXAMPLES

Unaware of value of information / Receptionists, telephone operators, administrative assistants, security guards.
Special privileges / Help desk or technical support, system administrators, computer operators, telephone system administrators.
Manufacturer or vendor / Computer hardware and software manufacturers, voice mail system vendors.
Specific departments / Accounting, human resources.

 

Factors That Make Companies More Vulnerable to Attacks

Large number of employees
Multiple facilities
Information on employee whereabouts left in voice mail messages
Phone extension information made available
Lack of security training
Lack of a data classification system
No incident reporting/response plan in place

 


VERIFICATION AND DATA CLASSIFICATION

These tables and charts will help you respond to requests for information or action that may be social engineering attacks.

 

Verification of Identity Procedure

ACTION / DESCRIPTION

Caller ID / Verify that the call is internal and that the name or extension number matches the identity of the caller.
Callback / Look up the requester in the company directory and call back the listed extension.
Vouching / Ask a trusted employee to vouch for the requester's identity.
Shared common secret / Request an enterprise-wide shared secret, such as a password or daily code.
Supervisor or manager / Contact the employee's immediate supervisor and request verification of identity and employment status.
Secure email / Request a digitally signed message.
Personal voice recognition / For a caller known to the employee, validate by the caller's voice.
Dynamic passwords / Verify against a dynamic password solution such as SecurID or another strong authentication device.
In person / Require the requester to appear in person with an employee badge or other identification.

 

Verification of Employment Status Procedure

ACTION / DESCRIPTION

Employee directory check / Verify that the requester is listed in the online directory.
Requester's manager verification / Call the requester's manager using the phone number listed in the company directory.

 





Page last modified: 2020-11-11; views: 124.
