Beware of Criminals Posing As 'Fellow Employees'

Impersonation is a favorite weapon in the social engineer’s arsenal.

May 09, 2012
/ PRINT / ShareShare / Text Size +

The most dangerous social engineers are those who can invent a lie so believable that they are able to successfully impersonate a legitimate employee without ever raising suspicion.

This tactic is particularly harmful if real employees can be tricked into believing the criminal is actually a coworker or a member of upper management.

From that point, it is not very difficult for a charismatic social engineer to manipulate the employee into divulging extremely sensitive information–or even worse, granting the impersonator unfettered access to the network.

As improbable as this technique seems, it is actually a favorite weapon in the social engineer’s arsenal. And it has a frighteningly high rate of success.

The primary reasons for the technique’s popularity are:

  1. The information necessary to construct a credible pre-text is readily available;
  2. There's almost no chance of being identified or caught; and
  3. It's much easier to compromise a human being than it is to bypass technological countermeasures.

Establishing pretext

This type of low-tech method of attack is predicated on the social engineer’s ability to establish credibility and trust with an employee of the targeted company.

To accomplish this, he or she must devise a believable story–or a “pretext”–based on as much factual information as possible. Given that most companies and their staff members post volumes of information about the organization online, forming a detailed pretext is often the easiest part of the process.

Subscribe to Credit Union MagazineThe “fellow employee” pretext usually centers on a new employee, an off-site worker, or even a manager from a nondescript department who needs technical assistance, such as resetting credentials, creating a new account or reconnecting to the network from a different location.

In these scenarios, the social engineer must conduct a bit of research about the company and its practices. Next, they collect enough verifiable information about the persona he or she will be assuming so that the elaborate lie can withstand at least a minimal amount of scrutiny.

The con artist may begin weaving the pretext by gathering basic information, such as locations, services and corporate structure. This can be done simply by reading the targeted company’s website or downloading archived newsletters, press releases, and annual reports.

A quick visit to the company’s LinkedIn page or Jigsaw listing will help determine the corporate hierarchy along with each person’s job title.

NEXT: Finding a target

Post a comment to this story


What's Popular

Popular Stories

Recent Discussion

Great article! Unfortunately, most employees don’t feel valued or appreciated by their supervisors or employers. In fact, research has shown that the predominant reason team members quit their jobs is because they don’t feel valued. This is in spite of the fact that employee recognition programs have proliferated in the workplace – over 90% of all organizations in the U.S. has some form of employee recognition activities in place. But most employee recognition programs are viewed with skepticism and cynicism – because they aren’t viewed as being genuine in their communication of appreciation. Getting the “employee of the month” award, receiving a certificate of recognition, or a “Way to go, team!” email just don’t get the job done. How do you communicate authentic appreciation? We have found people have different ways that they want to be shown appreciation, and if you don’t communicate in the language of appreciation important to them, you essentially “miss the mark”. Additionally, employees need to receive recognition more than once a year at their performance review. Otherwise, they view the praise as “going through the motions”. A third component of authentic appreciation is that the communication has to be about them personally – not the department, not their group, but something they did. Finally, they have to believe that you mean what you say. How you treat them has to match the words you use. If you are not sure how your team members want to be shown appreciation, the Motivating By Appreciation Inventory ( will identify the language of appreciation and specific actions preferred by each employee. You then can create a group profile for your team, so everyone knows how to encourage one another. Remember, employees want to know that they are valued for what they contribute to the success of the organization. And communicating authentic appreciation in the ways they desire it can make the difference between keeping your quality team members or having a negative work environment that everyone wants to leave. Paul White, Ph.D., is the co-author of The 5 Languages of Appreciation in the Workplace with Dr. Gary Chapman.

Your Say: Who should be Credit Union Magazine's 2014 CU Hero of the Year?

View Results Poll Archive