No matter how secure a system is, there’s always a way to break in. While software companies are learning how to strengthen their programs, hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people.

Impersonation is when a person plays the role of someone you are likely to trust or obey convincingly enough to fool you into allowing access to your office, to information, or to your information systems. This type of social engineering plays on our natural tendencies to believe that people are who they say they are, and to follow instructions when asked by an authority figure. It involves the conscious manipulation of a victim to obtain information without the individual realizing that a security breach is occurring.

Most common impersonation roles fall under the category of someone with authority, which leads us to ingratiation. Most people want to help, so they will go to great lengths to provide the required information (or access) to anyone with authority.

These tricks work because we all regularly interact with people we don’t know. Still, it’s human nature to trust these credentials like badges and IDs that we most likely do not know how to truly verify.

Before releasing any information to anyone you should:

  • consider the sensitivity of the information being requested
  • your authority to exchange or release the information
  • the real identity of the third party (positive identification)
  • the purpose of the exchange of information.

Always verify the identity of anyone who shouldn’t be allowed inside your organization, in case any impersonators may be posing as someone who may frequent your institution.

One of the best technological tools at the disposal of a social engineer, especially those posing as a technical support person, is a USB thumb drive. They can also be planted in different locations around the workplace in the hopes that employees will find them, use them, and unwittingly install a Trojan on the system, which can be used to gain passwords and login information or to provide the attacker unfettered access to the network from a remote location.

By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself, your company, and your customer’s information.

  • When in doubt about the validity of an individual or a request, contact your manager or the manager of the requester, for authority to comply with the request.
  • Ensure the physical security of your premises and don’t enable tailgating.
  • If you are unsure about a person’s authorization or access permission, report the situation to the appropriate staff.
  • Make sure you know who is in range of hearing your conversation or seeing your work.
  • Use a computer privacy screen to deter shoulder surfing, especially in public places and adopt a healthy dose of skepticism for anything out of the ordinary, especially strangers who endear themselves to you.
  • Finally, make sure to adhere to the policies and procedures within your organization that stipulate how you should manage situations that may be social engineering attacks.

It is up to the watchful eye of every company employee to prevent social engineering attacks. You are the first line of defense against crime. Learn more at