Social engineering is a hacker’s clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. Pretexting is the act of using an invented scenario to persuade a targeted victim to release information or perform some action, usually over the telephone. The ultimate goal is to get enough information from enough people to either sell this information or use it to commit fraud.
Social engineering is generally successful because people are naturally helpful. Most people – especially in departments like Customer Service, Help Desk or in positions of service like business assistants and secretaries – are already trying to help. These jobs require helping people all day long and it is not natural to question the validity of every call.
Pretexting is more than just creating a lie. In some cases, it can be creating a whole new identity used to impersonate people in certain jobs and roles in order to create a scenario where a target is comfortable with releasing information they normally would not.
Pretexting works best when the pretexter gives a convincing performance, complete with the proper technical jargon or other insider information. A social engineer will have to develop many different pretexts over their career, and all of them will have one thing in common: research. If the social engineer’s alias, story, or identity has holes or lacks credibility, or even the perception of credibility, the target will most likely catch on. The right pretext provides the proper cues and can disarm a target’s suspicions or doubts and open up the doors, so to speak.
Most of the information sought by social engineers seems innocuous, but seemingly innocuous information can be (and is) used against you: who handles your dumpster removal, cafeteria food, paper shredding, and antivirus, as well as what PDF software and browsers you use, and more. Details like these can give a good social engineer all the information he/she needs to compromise your company. No matter how innocuous it may seem, never give out information on the phone, via email, snail mail or the Internet unless you’ve initiated the contact or unless you’re sure it’s safe and you can positively identify the person you’re talking to.
Social engineers use pretexting to get information from call centers at banks, phone companies, and other financial institutions in order to gain access to sensitive personal information.
No matter how much technology changes or how much money your company dumps into security measures, devices, and even protocols, it will still be most vulnerable to old-fashioned persuasion. The best defense a person has against these types of attacks is to be aware of their surroundings. Visit MySecurityAwareness for more tips.