Social engineering (security)
In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in the sense that it is often one of the many steps in a more complex fraud scheme.[1] It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."[2]
For the influencing of attitudes and social behaviors on a large scale, see social engineering (political science).
Research done in 2020 has indicated that social engineering will be one of the most prominent challenges of the upcoming decade. Having proficiency in social engineering will be increasingly important for organizations and countries, due to the impact on geopolitics as well. Social engineering raises the question of whether our decisions will be accurately informed if our primary information is engineered and biased.[3]
Social engineering attacks have been increasing in intensity and number, cementing the need for novel detection techniques and cyber security educational programs.[4]
Techniques and terms
All social engineering techniques are based on attributes of human decision-making known as cognitive biases.[5][6]
One example of social engineering is an individual who walks into a building and posts an official-looking announcement on the company bulletin board stating that the number for the help desk has changed. When employees then call that number for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information.
Another example of social engineering is a hacker who contacts the target on a social networking site and starts a conversation. Gradually the hacker gains the target's trust and then uses that trust to obtain sensitive information such as passwords or bank account details.[7]
In 2018, Equifax fell victim to a notable social engineering attack, resulting in a data breach that exposed personal information, including social security numbers, driver's license details, and mobile phone numbers. This breach affected 145.5 million Americans. As a credit reporting firm, the company became a target for hackers who posed as representatives of financial institutions such as Bank of America in order to illicitly access individuals' personal data.
Examples of social engineers
Susan Headley
Susan Headley became involved in phreaking with Kevin Mitnick and Lewis de Payne in Los Angeles, but later framed them for erasing the system files at US Leasing after a falling out, leading to Mitnick's first conviction. She retired to professional poker.[15]
Mike Ridpath
Mike Ridpath is a security consultant, published author, speaker and former member of w00w00. He is well known for developing techniques and tactics for social engineering through cold calling. He became widely known for live demonstrations, and for playing recorded calls after talks in which he explained his thought process and what he was doing to obtain passwords over the phone.[16][17][18][19][20] As a child, Ridpath was connected with the Badir Brothers and was widely known within the phreaking and hacking community for his articles in popular underground ezines such as Phrack, B4B0 and 9x on modifying Oki 900s, blueboxing, satellite hacking and RCMAC.[21][22]
Badir Brothers
Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.[23][24]
Christopher J. Hadnagy
Christopher J. Hadnagy is an American social engineer and information technology security consultant. He is best known as the author of four books on social engineering and cyber security[25][26][27][28] and as the founder of the Innocent Lives Foundation, an organization that helps track and identify child trafficking by seeking the assistance of information security specialists, using data from open-source intelligence (OSINT) and collaborating with law enforcement.[29][30]