Social engineering is a fancy way of saying “faking people out”.
In the classic sense, social engineering revolves around calling a business, pretending you are an employee and asking for “your” password to be reset.
In this scenario, the help desk gets tricked into giving this non-employee access to an email account or even to the network.
It might work like this: “Bob”, the non-employee trying to gain access, calls the company help desk:
Help desk: (answering phone) Hello, help desk
Bob: Hi, this is Bob, Mr. Smith’s (the CEO) new assistant. He dropped this big pile of paper on my desk to complete for him this morning, but I don’t yet have access to the network.
Help desk: I don’t show you as an employee, Bob.
Bob: (sounding panicked) They said the paperwork was turned in already. Can you help me out? Mr. Smith expects this to be done this morning, and I’m new and...
Help desk: Ok, don’t worry, I’ll set you up…
This may sound overly simple, and it is, at a company that does not have the proper processes in place.
Nowadays, with email, Facebook and Twitter, it is even easier to trick people.
Social engineering done via email is referred to as “phishing”.
Look at the example below and see how simple it is on Facebook to fake someone into typing their password for all to see.
Note: I have blotted out the cuss words.
“But I would never fall for that…” Ah yes, and you also laugh at that email about the Nigerian millionaire wanting to give out money… yet people respond to that every day.
The point here is that you must have policies & training in place to ensure your staff does not accidentally expose your practice to external access.
Restricting social media sites is a start.