Social engineering is less well known than hacking or viruses, but it can cause the same harm. Social engineering occurs when a malicious individual tries to trick you into providing access to sensitive information. Simply stated, social engineering is a form of deception used to gather information that leads to unauthorized computer access. Although some forms of social engineering involve face-to-face interaction, such as shoulder surfing, in many cases the attacker never comes into direct contact with the victim.
Common Types of Social Engineering
Pretexting is the act of pretending to be someone you are not by telling a lie or creating a deception, and it is generally done over the phone. Pretexting usually requires the impostor to know some general information about the person they are impersonating (a name, a department or an ID number, for example), which they use to appear legitimate in the hope of gaining access to a system, having a password reset or obtaining other sensitive information.
In the university environment, pretexting is often used to trick an employee into revealing information about a student or another employee, in the hope of obtaining that person's password or access to his or her accounts.
The best defense against pretexting is diligence and process. Employees should always verify the identity of the person they are speaking with before providing any sensitive information over the phone or in person. Do not treat details the caller volunteers as proof of identity, since an impostor will have gathered those in advance; instead, follow the established procedure, for example by calling the person back at a number already on record or directing them to the official password-reset process.
Phishing is an email-based technique that impostors use to gain access to private information. A phishing attempt generally asks the recipient to confirm sensitive account information or to click links that lead to malware or to a fake login page. Although personal phishing attempts imitating banks, eBay or PayPal are more widespread, phishing also happens at the institutional level. Over the last several years, many phishing attempts have targeted college and university students. In some cases the messages have come from impostors posing as the university's help desk; in other cases they have imitated university-affiliated banks or credit unions.
The best defense against phishing is to be suspicious of any email message that asks you to enter or verify personal information, whether the request is a link to a web site or a reply to the message itself. Never reply to such a message or click the links in it. If you think the request might be genuine, go to the site by typing its address yourself or using a bookmark, or contact the help desk at a number you already know. Keep in mind that the visible text of a link can say one thing while the link itself leads somewhere else, and that a familiar name appearing somewhere inside an address (for example as a prefix of a different domain) does not mean the link goes to that institution.
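The following is an added example, not code from the original page or from any university IT department, showing how the "look at where the link really goes" check can be done mechanically. It assumes the institution's real domain is the placeholder university.edu, and it runs over a small constructed email body embedded in the script. It flags three things the advice above warns about: a link whose host is not the institution's domain or a subdomain of it (a plain substring match would be fooled by university.edu.attacker.example), a link that hides the real host behind user@ in the address, and a link whose visible text names one site while the address points to another.

```python
"""Flag suspicious links in an HTML email body.

Added example (not from the original page). Assumes the legitimate
institution domain is "university.edu" (a placeholder) and uses a
constructed sample email as input.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "university.edu"  # assumption: the institution's real domain

# Constructed sample message; the hosts are placeholders, not real sites.
SAMPLE_EMAIL = """<p>Dear student, your mailbox is over quota.</p>
<p><a href="https://university.edu.account-verify.example/login">https://www.university.edu/login</a></p>
<p><a href="https://university.edu@203.0.113.7/reset">Reset password</a></p>
<p><a href="https://www.university.edu/helpdesk">IT Help Desk</a></p>"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domain):
    """True only if host equals domain or is a subdomain of it.

    Deliberately not a substring test: "university.edu.attacker.example"
    must not count as belonging to "university.edu".
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_link(href, text, trusted=TRUSTED_DOMAIN):
    """Return a list of reasons the link is suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        # "https://university.edu@attacker/..." really goes to "attacker".
        reasons.append("userinfo before @ hides the real host")
    if not host_belongs_to(host, trusted):
        reasons.append(f"host {host!r} is not under {trusted}")
    # Visible text that looks like a web address but names a different host.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m:
        shown = m.group(1)
        if not host_belongs_to(host, shown) and not host_belongs_to(shown, host):
            reasons.append(f"visible text says {shown!r} but link goes to {host!r}")
    return reasons


def scan_email(html_body, trusted=TRUSTED_DOMAIN):
    """Return [(href, visible_text, reasons), ...] for every link in the body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [(href, text, check_link(href, text, trusted))
            for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict}: {text!r} -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the constructed message, the first two links are flagged (lookalike domain with mismatched visible text; hidden host behind @ pointing at a bare IP address) and the third, a real subdomain of the trusted domain, passes. The same host check is what you should do by eye before clicking: read the domain from right to left, not left to right.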
On a face-to-face level, social engineering can occur through individuals in close proximity to you. The malicious individual uses direct observation, such as looking over your shoulder (shoulder surfing), to obtain your password or to read other sensitive data you might have on your desk.
The best way to prevent shoulder surfing is to keep sensitive data out of view: use your body to block the view, cup your hand when keying in a PIN or password if others are close by, and keep sensitive papers off your desk when they are not in use.