But it’s not always the good qualities of human behavior that are the focus of manipulation experiments. Pride in your own work or in the success of the company can lead everyone from employees to CEOs to brag and reveal sensitive information – for example in a staged interview, to customers, or when meeting new job applicants. A tendency to avoid conflict can also lead people to go against critical safety regulations. But the strongest motive for all irrational actions is fear. One example is a fake supplier who threatens to cut off the internet for the afternoon unless he is given information about the router and its configuration. A caller who uses plenty of relevant, specific terminology together with a sense of urgency and threat can put a lot of pressure on employees, particularly those with a low technical understanding. Social hackers also take advantage of employees’ fear of their superiors: a popular technique is to send fictitious payment instructions by e-mail while pretending to be the boss.
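The fictitious-payment e-mail described above is usually recognizable from its headers and wording rather than from any malware. The following added example (not from the original article) shows a small triage check a mail team could run on incoming messages: it flags an executive's display name paired with a sender address that is not the executive's real one, a sender domain that merely resembles the company domain, a Reply-To pointing somewhere else, and urgency/payment wording in the subject and body. The company domain, the executive directory and both sample messages are constructed for the example.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Assumed company data for the example (constructed, not real).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Wording typical of pressure-based payment requests; tune for your organisation.
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "confidential", "do not discuss")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "bank")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    address = address.lower()
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def _looks_like(domain: str, reference: str, threshold: float = 0.8) -> bool:
    """True when a domain is close to, but not identical with, the reference."""
    return domain != reference and SequenceMatcher(None, domain, reference).ratio() >= threshold


def flag_ceo_fraud(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    display, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    sender_domain = _domain(sender)

    # 1. Executive's name on a message that does not come from the executive's address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and sender != expected:
        findings.append(f"display name '{display}' impersonates an executive but sender is {sender}")

    # 2. Sender domain that imitates the company domain (e.g. a single swapped character).
    if _looks_like(sender_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain '{sender_domain}' resembles '{COMPANY_DOMAIN}'")

    # 3. Replies silently redirected to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To '{reply_to}' points to a different domain than the sender")

    # 4. Urgency plus money: the classic combination in fake payment instructions.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    payment_hits = [t for t in PAYMENT_TERMS if t in text]
    if len(urgency_hits) >= 2 and payment_hits:
        findings.append(f"urgent payment wording: {urgency_hits + payment_hits}")

    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS_MAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.ceo@mail.example
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset=utf-8

Please process the payment today, immediately. Do not discuss with anyone.
"""

BENIGN_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

See you at noon in the canteen.
"""

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(label, flag_ceo_fraud(mail))
```

Each finding on its own is only a hint; a genuine executive sometimes writes from a phone and an urgent invoice is sometimes real. The point of the check is that fake payment instructions tend to trip several of these at once, which is a good trigger for the out-of-band confirmation (a call to the boss on a known number) that the text recommends employees feel free to make.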
When trying to make their victims feel comfortable, hackers usually pose as colleagues, bosses, or applicants. When they take an external approach instead, fraudsters sometimes pose as partner service providers, as researchers carrying out customer satisfaction surveys or studies for an institute, as interested potential business partners, or even as disgruntled or confused customers.
Social engineers don’t always restrict themselves to one-time interactions either. Some chat away with small talk to put the employee at ease, or ask routine questions first to make the approach more believable. These techniques work by building a level of trust and understanding between employee and hacker: the hacker offers plausible questions and fitting details about himself or herself until the victim is subconsciously convinced the hacker can be trusted. Remember: these attacks are usually meticulously planned and researched. Popular sources for this background research include the company website and social networks like Facebook or LinkedIn. In extreme cases, hackers have been known to go one step further and carry out ‘dumpster diving’, meaning they rummage through a company’s trash looking for any business documents that have been thrown out.
Despite research techniques like dumpster diving, most social engineering attacks are carried out by e-mail or over the phone, because these channels require less technical effort and offer more anonymity. But this doesn’t mean they are the only dangers for your company. Revealing business secrets, passwords, or other access details in public places like bars, cafes, or restaurants can put your company at risk, even during a relaxed chat with colleagues about seemingly innocuous things like figures, work processes, or customer contacts. Employees regularly receive business calls on their private mobiles and often feel comfortable discussing business-related matters in public with no regard for who might be listening.