
Social Engineering

Don't be the one to hand over information to an attacker!

Social engineering is one of the most effective and least recognized hacking methods, and attackers often don't even need to write a line of code. Find out what it looks like and how to avoid it.

After high-profile hacking attacks on companies and celebrities like Snapchat, LinkedIn, JPMorgan, Jennifer Lawrence, and Kate Upton, people are becoming more aware of information security threats. Many people now understand the risks posed to large organizations that are charged with protecting customers’ sensitive information, but dismiss social engineering attacks targeted at individuals.

Skilled hackers can take control of accounts, financial information, and media presence without writing a single line of code, and you or the people who are meant to protect your information can be the ones to give them access. Social engineering attacks use psychological manipulation and appeals to vanity, authority, greed, or sympathy to gain sensitive information.

Fusion’s Kevin Roose learned this firsthand when he challenged social engineering hackers at DEF CON, one of the world’s largest annual hacker conventions, to try to gain access to his accounts and information. Jessica Clark, one such social engineer hacker, called Roose’s telephone company from a spoofed number with audio of a baby crying playing in the background on YouTube. Using the name of Roose’s current girlfriend and appealing to the other person’s sympathy, she was able to learn Roose’s private email address. She then asked how she might go about adding their “oldest daughter” to the account, and “learned” that she herself was not on the account, either. By the end of the phone call, she had been added to Roose’s account and changed his password.

This attack is an example of “vishing”, a “voice phishing” attack that uses a phone call to gain access or information that can be used in a subsequent attack. Vishing attacks can be aimed at individuals or at the companies that provide them services. To keep yourself safe, be very cautious about the information you share over the phone. For example, if someone claiming to be from your bank calls asking for account information, it’s a good idea to physically go to the bank to resolve the issue, or to hang up and call the bank yourself using a number retrieved from a reliable source (such as the back of your card). Also be wary of fraudsters pretending to be IT support staff, especially if you never requested help. Here are some other forms of social engineering and how to avoid them:

  • Phishing: Phishing is a very common form of attack. Think of emails you’ve received from “friends” or “relatives” saying they’ve been mugged and are stranded in a foreign country and need you to send money immediately. Phishing can get a lot more advanced than that, though. In spear-phishing attacks, a hacker will spend a long time gathering information about their target and observing them in any way they can; the details they learn are then used to build trust. The attacker will pose as someone the target already knows and build rapport, eventually drawing out the information they seek. Pay attention if you are contacted by someone you know but their tone is unusual or they ask you for sensitive information; call them or talk to them in person instead of replying.
  • Smishing: Smishing is the name given to phishing attacks that happen over text. Look out for a “5000 number” or one that comes from a source you don’t recognize and asks you to visit a website or click a link. Ignore and delete these texts.
  • Pretexting: An attacker can use their charm and an invented scenario to extract bits of information or gain access to sensitive areas. This kind of attack can happen in person or online. For example, a person might pretend to be an auditor to convince a security guard to let them into a facility. Last year, a group of men posed as a modeling agency to manipulate women and girls into sending them photos. To avoid these attacks, follow your organization’s policies (e.g. don’t let people into buildings for which they do not have permission) and verify contests, jobs, and surveys with a reliable third party before giving away any information.
  • Tailgating: Not only do attackers try to follow employees into protected areas by asking them to hold the door, but they also might try to borrow your phone or laptop to install malicious software, or use a public computer after you to see if you left anything open. Be cautious with your devices, set strong passwords, and always log out and close your browser after accessing your accounts.
  • Baiting: These attacks take advantage of a victim’s curiosity. An attacker might leave an infected USB drive on the ground that will install malicious code or lure targets with promises of movie or music downloads for account information. If it sounds too good to be true, it probably is!

To watch the rest of Roose's story and see what the attackers were able to dig up, check out the video below.

*Please note that this video contains explicit language.

Real Future: What Happens When You Dare Expert Hacker to Hack You