Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages. And experts say hackers today continue to steal password, install malware or grab profits by employing a mix of old and new tactics.
Here's a refresher course on some of the most prevalent social engineering tricks used by phone, email and Web.
1. Ten degrees of separation
The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). But if his ultimate goal is to gain information from or about employee X, his first calls or emails might go to a different person.
The old game of six degrees of separation has a few more layers when it comes to crime. According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, there might be ten steps between a criminal's target and the person he or she can start with in the organization.
"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff. The secretary or receptionist criminals start with might be ten moves away from the person they want to get to."
Lifrieri says criminals use simple ideas to cozy up to more accessible people in an organization in order to get information about people higher up in the hierarchy.
"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."
2. Learning your corporate language
Every industry has a short hand, according to Lifrieri. A social engineering criminal will study that language and be able to rattle it off with the best of them.
"It's all about surrounding cues," he said. "If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.