Social engineering

Social engineering, in the context of information security, refers to psychologi

cal manipulation of people into performing actions or divulging confidential inf
ormation. A type of confidence trick for the purpose of information gathering, f
raud, or system access, it differs from a traditional "con" in that it is often
one of many steps in a more complex fraud scheme.
The term "social engineering" as an act of psychological manipulation is also as
sociated with the social sciences, but its usage has caught on among computer an
d information security professionals.
Techniques and terms
All social engineering techniques are based on specific attributes of human deci
sion-making known as cognitive biases.[2] These biases, sometimes called "bugs i
n the human hardware", are exploited in various combinations to create attack te
chniques, some of which are listed. The attacks used in social engineering can b
e used to steal employees' confidential information. The most common type of soc
ial engineering happens over the phone. Other examples of social engineering att
acks are criminals posing as exterminators, fire marshals and technicians to go
unnoticed as they steal company secrets.
One example of social engineering is an individual who walks into a building and
posts an official-looking announcement to the company bulletin that says the nu
mber for the help desk has changed. So, when employees call for help the individ
ual asks them for their passwords and IDs thereby gaining the ability to access
the company's private information. Another example of social engineering would b
e that the hacker contacts the target on a social networking site and starts a c
onversation with the target. Slowly and gradually, the hacker gains trust of the
target and then uses it to get access to sensitive information like password or
bank account details
Pretexting
Pretexting (adj. pretextual), also known in the UK as blagging or bohoing, is th
e act of creating and using an invented scenario (the pretext) to engage a targe
ted victim in a manner that increases the chance the victim will divulge informa
tion or perform actions that would be unlikely in ordinary circumstances.[4] An
elaborate lie, it most often involves some prior research or setup and the use o
f this information for impersonation (e.g., date of birth, Social Security numbe
r, last bill amount) to establish legitimacy in the mind of the target.[5]
This technique can be used to fool a business into disclosing customer informati
on as well as by private investigators to obtain telephone records, utility reco
rds, banking records and other information directly from company service represe
ntatives.[6] The information can then be used to establish even greater legitima
cy under tougher questioning with a manager, e.g., to make account changes, get
specific balances, etc.
Pretexting can also be used to impersonate co-workers, police, bank, tax authori
ties, clergy, insurance investigators or any other individual who could have perce
ived authority or right-to-know in the mind of the targeted victim. The pretexte
r must simply prepare answers to questions that might be asked by the victim. In
some cases, all that is needed is a voice that sounds authoritative, an earnest
tone, and an ability to think on one's feet to create a pretextual scenario.