What is Social Engineering? Part III

3 min read
April 11, 2017 at 10:00 AM

In this blog, I would like to shed some light on some other types of social engineering and provide some context on how to protect your business and yourself. In my first two blogs, I covered the Phishing and Spear Phishing pieces of a social engineering attack. There are numerous other social engineering attacks, some with rather creative names.

Dumpster Diving

One of my personal favorites can be a rather dirty venture. Dumpster diving is the act of getting into the trash bins outside of a company or office building to find sensitive documents. As a side thought, imagine if the trash from food or bottles/cans happened to be thrown in there; now we are getting into the glamorous side of dumpster diving. I digress. This attack has been highlighted in movies with hackers dressed in black, jumping into a dumpster in the middle of the night and rifling through papers only to find the one document with an account number that lets them break into the corporation. The 1992 hacker movie Sneakers had a pretty good dumpster diving scene in it: the hacker group took some nerdy worker’s trash to get the information they needed to create a way into the corporation. Any way you look at it, documents not meant for the trash may end up in there and can open a can of worms for your company. Shredders and shredder bin services can keep your sensitive documents out of the wrong hands.

Shoulder Surfing

Shoulder surfing is another tactic that is quite easy to pull off. It’s the act of looking over a person’s shoulder at their screen or keyboard to obtain some information. Now, I am guilty of this act, strictly by accident. I can recall tons of times helping someone with some system or password, watching their keystrokes as they showed me what they were doing, and figuring out their password as I innocently watched. Now, take this thinking out of the office and into a crowded coffee shop. Someone behind you could sit there and steal your credentials as they watch you type away, accessing different systems that may be quite sensitive to you and/or your organization. However, don’t feel too paranoid, as there are ways to defeat this method. Screen privacy filters help, and sitting with your back to the wall can keep the shoulder surfers at bay.

Piggybacking

There are numerous other social engineering attacks to cover, but I wanted to shed some light on just one more: piggybacking. This isn’t exactly like the one we do for our kids, but it does have some relatable parts. Let’s set up the scenario: the hacker needs to get into a building that requires a badge or key to enter, but doesn’t have one. An unsuspecting worker is coming back into the building, so the hacker grabs some boxes, has an armful, and cannot get keys out to open the door. Any courteous person who saw this would almost instinctively hold the door open for that person and be on their way. If this were the case, the hacker just successfully performed the piggyback and now has physical access inside the target company. There are countless other ways this can be done. The point is to train your personnel to recognize that this is not allowed, and to have them offer to hold the boxes while the “hacker” gets out their key and badges in on their own.

As I stated in my two prior blogs on social engineering, it all comes down to training and education. Properly training your employees and users about these different tactics will help to reduce the risk of these attacks occurring. Make them aware, empower them to question suspicious behaviors, and send a clear message that it can happen to anyone.

Have you or the employees of your organization been “socially engineered”? If so, share your experience in the comment section below. If you have any questions or need any assistance, feel free to contact us for help. In the meantime, you can download a copy of our Security Assessment Services brochure to learn more about how Compass IT Compliance can assist your organization in mitigating your risk of an attack.
