Combat Social Engineering: Don’t Be the Weakest Link

Smart criminals go after the 'lowest hanging fruit.'

September 16, 2010

A ‘trusted vendor’ scenario

Using only basic information-gathering techniques, it’s not difficult to devise a plausible “trusted vendor” scenario that seems completely believable to an unsuspecting target.

For example, if a criminal’s intent were to covertly gain access to sensitive areas inside a financial institution, he might choose to pose as a pest inspector.

First, the social engineer would need to find out which pest control company the institution currently uses. Setting up surveillance outside a location waiting for the pest control technician to show up would take way too long. However, contacting the institution under the guise of a new pest control company looking to submit a competing bid might reveal the name of the current service provider.

If so, the next step would be to get the actual pest control company’s logo off the Internet to create a believable uniform using a “do-it-yourself” iron-on kit.

The social engineer could then use various social networks to find the names of some of the organization’s managers and, if lucky, the days those managers will be out on vacation. The criminal could then call the branch receptionist late in the day under the guise that the manager requested he come treat the office immediately.

The criminal could probably weave a convincing tale that creates a sense of urgency and supplies a reason for keeping staff members away while he’s “working.” One believable reason: Claim that management reported a rat infestation but wants to keep it secret to avoid alarming the rest of the staff.

Upon hearing that type of disturbing news, any possible suspicions about the pest control technician are probably replaced with anxiety over the nearby rat infestation. The criminal could further increase his chances of avoiding exposure by scheduling an after-hours appointment when he’d be free of prying eyes and have more time to snoop for sensitive information.

This scenario also offers a perfect opportunity to perform another favorite social engineering technique, dumpster diving, without raising suspicions. After all, who’s going to suspect a uniformed pest control technician is doing anything other than killing rats inside a dumpster?

You may think this is only a worst-case scenario, but companies that specialize in social engineering testing can attest that this type of situation happens with alarming frequency.

This example illustrates that, lacking adequate safeguards to combat social engineering threats, several weak links can exist along the security chain. It also demonstrates that strong policies and procedures, along with adequate training, can thwart the social engineer’s efforts.

Next: Reinforce the chain


Recent Discussion

Great article! Unfortunately, most employees don’t feel valued or appreciated by their supervisors or employers. In fact, research has shown that the predominant reason team members quit their jobs is because they don’t feel valued. This is in spite of the fact that employee recognition programs have proliferated in the workplace – over 90% of all organizations in the U.S. have some form of employee recognition activities in place. But most employee recognition programs are viewed with skepticism and cynicism – because they aren’t viewed as being genuine in their communication of appreciation. Getting the “employee of the month” award, receiving a certificate of recognition, or a “Way to go, team!” email just doesn’t get the job done. How do you communicate authentic appreciation? We have found people have different ways that they want to be shown appreciation, and if you don’t communicate in the language of appreciation important to them, you essentially “miss the mark.” Additionally, employees need to receive recognition more than once a year at their performance review. Otherwise, they view the praise as “going through the motions.” A third component of authentic appreciation is that the communication has to be about them personally – not the department, not their group, but something they did. Finally, they have to believe that you mean what you say. How you treat them has to match the words you use. If you are not sure how your team members want to be shown appreciation, the Motivating By Appreciation Inventory ( will identify the language of appreciation and specific actions preferred by each employee. You then can create a group profile for your team, so everyone knows how to encourage one another. Remember, employees want to know that they are valued for what they contribute to the success of the organization.

And communicating authentic appreciation in the ways they desire it can make the difference between keeping your quality team members or having a negative work environment that everyone wants to leave. Paul White, Ph.D., is the co-author of The 5 Languages of Appreciation in the Workplace with Dr. Gary Chapman.
