Social Engineering: Giving the Old Flim-Flam Act

When it comes to cracking into computers and networks, one of the most indispensable tools is “social engineering” and it has little to do with modern computing technologies. In the popular lexicon that predates today's computing technologies, a social engineer might have been called a flimflam man, grifter, or con artist. They have been around for a long time.

The common denominator is that social engineering, grifting, and the con game all require that the perpetrators understand how people work and, more importantly, that they understand human vulnerabilities. One of the reasons hackers are so good at what they do technologically is that they understand how computers, software, and networks work, and, in turn, they can learn what their vulnerabilities are. The act of social engineering is probing an institution’s vulnerabilities on the human side.

No matter how social engineering is described, it is a practice of gathering reconnaissance on targets in order to increase the chances of obtaining information that can be used to bypass security measures and compromise the targeted computers and networks.

Despite the perceived technological sophistication of those we call crackers (and, less accurately, hackers), even the most technologically sophisticated cyber criminals will try to gain unauthorized access in the easiest ways possible.

The successful social engineer relies on a toolbox full of tricks that can hack away at the psychological traits we all share. These traits include the following:

  • the desire to be helpful or friendly
  • the drive to appear competent in our position
  • the willingness to trust other people
  • the tendency to accept what others say as the truth
  • the drive to advance our own cause and career
  • the desire to be attractive to those we admire or desire
  • the wish to be perceived as a team player
  • the tendency to want to avoid bad consequences for ourselves or others

Obviously, many of these excellent traits are ingrained in the institution’s culture: that's part of what makes your employees and your institution so great. Your institution is known as the "Friendly Place to Bank."

But bad people are bad people, and they will want to exploit an employee's goodness. Before giving out any information related to your institution, especially information with security relevance, your employees should verify:

1. With whom they are talking and

2. That they are entitled to the information they are requesting.

Your employees should be absolutely sure of this. They should be encouraged to think carefully, and when in doubt, take a message and check with a supervisor.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
