The term "social engineering" refers to the art of manipulating people so as to circumvent security systems. This technique involves obtaining information from users by telephone, email, traditional mail or direct contact.
Social engineering attackers rely on persuasion and take advantage of user naivety by impersonating a co-worker, a technician, an administrator, etc.
In general, social engineering methods are organized as follows:
- An approach phase to gain the user's trust, by impersonating someone from his management, company or circle, or a customer, supplier, etc.;
- An alert phase, to destabilize the user and observe how quickly he responds. For example, this could be a security pretext or an emergency situation;
- A diversion, that is, a phrase or a situation that reassures the user and keeps him from focusing on the alert. This could be a thank you stating that everything has returned to order, a commonplace phrase or, in the case of email or a website, redirection to the company's website.
Social engineering can take on a variety of forms:
- Written mail,
- Instant messaging,
How can you protect yourself?
The best way to protect yourself against social engineering techniques is to use common sense and to not release information that could compromise the company's security to just anyone. Regardless of the type of information requested, you are advised to:
- find out about the other person's identity by asking him for precise information (last name, first name, company, telephone number);
- verify the information provided where possible, using a channel the other person does not control (for example, calling back on a number taken from the company directory rather than the one given by the caller);
- ask yourself how critical the requested information is.
In this context, it may be necessary to train users and raise their awareness about security problems.