How to Coach Yourself and Others Beware of Manipulation | Page 186

Emergency

When we are faced with a crisis we typically look around for help. The social engineer might thus create or fake an emergency or some other pretext, from customer issues to computer crashes. They can then step in as the rescuing hero, although to save the day they do want you to give them that little bit of extra help - that password or downloading a special patch - that enables the rescue and gives them what they want.

And...

Other techniques include:

• Recording your 'hold' music and using it back on you (creating familiarity).
• Telling you your personal credit rating is at risk, or otherwise creating individual fear.
• Phone spoofing: so the call number you see is not the real source number used.
• Dumpster diving: going through your trash for information.
• Phishing: sending fake emails that request details and link to 'lookalike' trick sites.
• Shoulder surfing: watching you enter key details.
• Remote imaging: using high-resolution cameras from a distance to capture key information.
• Auditing: acting like an auditor - in person too.
• Digging elsewhere: on Facebook, in the bar around the corner, on your website, etc.

Covering tracks

A critical task for the social engineer is to avoid detection. Before the event, detection could mean information is refused. Afterwards, it could lead to prison. Thus they seldom appear in person, preferring the more anonymous phone or email. Pay-as-you-go phones are bought (for cash) and destroyed afterwards. Even voice-tone shifters may be used if there is a risk of recording. Done well, however, nobody ever knows that the social engineer was ever there. To the people they spoke to, they were just another caller in a non-stop stream, although perhaps just a bit nicer than the run-of-the-mill grumpy voice.

Defending against it

Social engineers know many more tricks than those discussed here. They get around robust firewalls and other security by exploiting the weakness of human nature.
If you want to defend against what can be highly damaging and criminal activities, then the first line of defence is a good education about social engineering and the methods used. It can also help to perform a serious analysis of the processes and procedures around security management, checking the methods by which secure information is supplied and how often they are assessed and revised. This should be coupled with assessment and trial attacks to prove that the education has worked. If the attacks succeed, do not blame the people -- it simply means your education was not good enough, so redouble your efforts to make your people proof against these pernicious problems.
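The 'lookalike' trick sites mentioned under phishing are something a process check can catch mechanically as well as through education. The following is an added example, not from the book: a small Python screen that classifies the links in an incoming message as trusted, lookalike, or unknown, using two cheap signals, a trusted name embedded inside someone else's domain and a registrable domain that differs from a trusted one only by a confusable character or a single edit. The trusted-domain list and the sample message are constructed for illustration, and the "last two labels" rule for the registrable domain is a simplification that assumes no multi-part public suffixes such as co.uk.

```python
"""Defensive check: flag message links whose host merely looks like a trusted domain.

Added example, not from the book. TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed;
registrable_domain() uses a two-label simplification (no public-suffix list).
"""
import re
from urllib.parse import urlparse

# Constructed list of domains the organisation really uses (assumption).
TRUSTED_DOMAINS = frozenset({"example-bank.com", "example.com"})

# Characters and digraphs commonly swapped in to build lookalike hostnames.
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPH_CONFUSABLES = {"rn": "m", "vv": "w"}

# Plain http(s) URL matcher; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample message resembling the 'credit rating at risk' pretext.
SAMPLE_EMAIL = """Dear customer, your account is at risk.
Verify now at https://examp1e-bank.com/verify or
https://example-bank.com.secure-login.example/ within 24 hours.
Statements: https://example-bank.com/statements
Unrelated: https://unrelated.example/news"""


def normalize(host: str) -> str:
    """Map confusable characters to the letters they imitate (examp1e -> example)."""
    host = host.lower()
    for digraph, letter in DIGRAPH_CONFUSABLES.items():
        host = host.replace(digraph, letter)
    return host.translate(SINGLE_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: assumes single-label TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:embedded', 'lookalike:confusable', 'unknown' or 'no-host'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    # A trusted name appearing as a subdomain or prefix of a different registrable domain.
    for t in trusted:
        if t in host:
            return "lookalike:embedded"
    # A registrable domain that is one confusable swap or one edit away from a trusted one.
    for t in trusted:
        if edit_distance(normalize(reg), normalize(t)) <= 1:
            return "lookalike:confusable"
    return "unknown"


def scan_message(text: str):
    """Classify every http(s) link found in a message body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:22} {url}")
```

The verdicts are deliberately coarse: anything other than "trusted" is a prompt for the reader to stop and verify through a known-good channel, which is the behaviour the education described above is meant to instil. In production the registrable-domain step should use a public-suffix list, and the confusable table should be extended to cover Unicode homoglyphs in internationalised domain names.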