These are just a few of the many techniques social engineers use. Some rely on technology (e.g., spear phishing), while others use tried-and-true methods of human manipulation (such as NLP). Social engineers use these tactics for many reasons, from obtaining bank account numbers to acquiring trade secrets to sell to competitors.
If you are concerned about social engineers targeting people in your organization, you can take some steps to help thwart these attacks:
- First, train employees regularly to recognize suspicious people, e-mails, and phone calls.
- Second, train employees in what I like to call G.O.C.S. security: Good Old Common Sense security. In other words, some people just need to be taught some street smarts. I have seen companies do this by spelling out in their corporate security policy the dangers of using social networking sites and of drinking and discussing work topics with strangers (of course, this is only effective if employees actually read the policies, which, as we all know, is wishful thinking).
- Finally, employ the principle of need-to-know: employees should be given only the information they need to do their job. They should not be given information about other departments or about decisions made at higher levels that do not relate to their work. That way, if a social engineer tries to get information out of them, there is only so much they can reveal.
Social engineering will always be around. As long as you maintain a healthy level of paranoia and good common sense, you do not need to fear social engineers.