Social Engineering


Social engineering isn’t new. But it’s easier than ever for a hacker. Even a lazy one.

Social engineering is an art of manipulation. The basic idea is to trick someone into revealing personal information such as passwords, banking details or even your schedule for the next week. Really, any information that the attacker could find useful: knowledge is power.

We've most likely all experienced some form of social engineering at one point in our lives. For example, answering the phone to find a caller claiming to be from 'Microsoft' who tells you that your computer is not working properly, and that they will guide you through a process to resolve the issue. The majority of us are wise enough to understand that this is a pretty lazy scam by people not smart and motivated enough to find real work, and we hang up the phone, or we have a bit of fun with them and waste their time until they get annoyed with us. In any case, most of the time, this sort of thing doesn't work. However, it unfortunately works more often than you would think, which is why these calls keep coming through - it's a numbers game.

One of the main reasons it is successful is because the person calling preys on human nature. It is considered natural to panic when something is wrong, or to believe a person of authority.

A great example - Let's say someone with a camera crew and some form of official looking badge stops you in the street and asks a few questions on password security. You're happy to oblige, and 3 questions later, you've said your password out loud, on camera, to a complete stranger. Whoops. I suspect you're thinking that no-one would be stupid enough to fall for this. Let's see - click here to see how it went.

So, we’ve established that people do tend to fall victim to someone that places themselves in a position of authority. However, above all else, social engineering works as most people are predictable. Let's conduct an experiment to see how predictable we are. Think of the password you use on a daily basis to access any service (Email, Netflix, Google etc). Below are a few clues as to what your password might contain -


  1. A pet's name

  2. Child's name

  3. Partner's name

  4. Number at the end

  5. Capital at the start

  6. Special character in place of a number (! for 1, £ for 3, etc.)

  7. Number in place of a similar letter (3 for E, 0 for O, etc.)

  8. Same password for multiple sites

  9. Password system (Monkey1, Monkey2, Monkey3, etc.)

So how many of these are you nodding your head at? 1? 2? 5? As I mentioned, people are predictable. Not only that, but we are far too trusting. Using the principles above, if someone is phishing for information in a conversation with you, how long would it be before you unintentionally spill the beans on your password? In general, we are more than happy to talk about our loved ones. And there can't possibly be anything to worry about by telling your new friend Steve about how your son Adam was playing with your new puppy Archie in the park on Sunday. Or how you always choose number 5 in the lottery because it was the house number you grew up in. On the face of it, none of that information we discuss seems too damaging, but in the hands of the right person, it certainly can be.
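As an added illustration (not part of the original post), here is a small defensive check of the kind a password-policy or vault-audit tool would run: it flags which of the nine habits listed above a password or a set of passwords exhibits. The personal-word list and the sample vault are constructed for the example, using the names from the story above, and the symbol-for-digit mapping assumes a UK keyboard layout.

```python
"""Flag the predictable password habits listed in the post.

Added illustration, not the post author's code. The personal words and the
sample vault below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed: words an attacker could pick up in small talk (son Adam,
# puppy Archie from the story, plus "monkey" as a stand-in pet name). A real
# check would pull these from the user's profile or an organisation wordlist.
PERSONAL_WORDS = {"adam", "archie", "monkey"}

# Digits typed in place of a letter they resemble (habit 7).
# '1' can stand for 'i' or 'l', so normalise() tries both.
DIGIT_FOR_LETTER = {"3": "e", "0": "o", "4": "a", "5": "s", "7": "t"}

# UK keyboard shift-row symbols typed in place of a digit (habit 6): shift+1
# is '!', shift+3 is '£', and so on. Assumed layout, adjust for other keyboards.
SYMBOL_FOR_DIGIT = '!"£$%^&*()'


def normalise(text: str) -> set[str]:
    """Lower-case `text` with digit-for-letter substitutions undone."""
    forms = set()
    for one in ("i", "l"):
        table = str.maketrans({**DIGIT_FOR_LETTER, "1": one})
        forms.add(text.translate(table).lower())
    return forms


def check_password(password: str, personal_words=PERSONAL_WORDS) -> list[str]:
    """Return the names of the listed habits that `password` exhibits (habits 1-7)."""
    flags = []
    # The "word" part: everything before a trailing run of digits or symbols.
    stem = re.sub(r"[^A-Za-z]+$", "", password)
    stem_forms = normalise(stem)

    if any(w in form for w in personal_words for form in stem_forms):
        flags.append("personal name")              # habits 1-3
    if password and password[0].isupper() and any(c.islower() for c in password[1:]):
        flags.append("capital at start")           # habit 5
    if re.search(r"\d$", password):
        flags.append("number at end")              # habit 4
    if password and password[-1] in SYMBOL_FOR_DIGIT:
        flags.append("symbol in place of number")  # habit 6
    if any(c.isdigit() for c in stem) and any(f.isalpha() for f in stem_forms):
        flags.append("number in place of letter")  # habit 7
    return flags


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one site to those sites (habit 8)."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(s) for pw, s in sites_by_password.items() if len(s) > 1}


def find_sequences(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each stem used with several trailing numbers (Monkey1, Monkey2 ...)
    to the sites that use it (habit 9)."""
    numbers_by_stem = defaultdict(dict)
    for site, password in vault.items():
        m = re.fullmatch(r"(.*?\D)(\d+)", password)
        if m:
            numbers_by_stem[m.group(1)][site] = m.group(2)
    return {stem: sorted(v) for stem, v in numbers_by_stem.items()
            if len(set(v.values())) > 1}


# Constructed sample vault: site -> password.
VAULT = {
    "email": "Monkey1",
    "netflix": "Monkey2",
    "shopping": "Adam2019",
    "bank": "Adam2019",
    "work": "Arch1e!",
}

if __name__ == "__main__":
    for site, pw in VAULT.items():
        habits = ", ".join(check_password(pw)) or "no listed habit"
        print(f"{site:9} {pw:12} {habits}")
    print("reused across sites:", find_reuse(VAULT))
    print("numbered sequences:", find_sequences(VAULT))
```

The per-password checks only look at the string itself, so they catch the structural habits (capital at start, number at end, substitutions, known personal words); reuse and numbered sequences are properties of a whole set of passwords, which is why they take the vault rather than one entry.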

Let's leave you with one final thought: every single piece of information is worth something to someone. Be aware of who you share it with.

Just for fun, check out this short clip of 'Now You See Me' to see how damaging collecting the right, seemingly innocent, information can be.