Created on: September 11, 2009
What exactly is social engineering? The term has been used extensively in the past few years, but its meaning still eludes many people.
In general, social engineering refers to the acquisition of information about other people through means of social networking, rather than through high-level technical processes, while taking advantage of inherent trust, complacency, or desire to be helpful.
For instance, if Sam asks John some seemingly innocent but rather personal details about Mike (is he married? in which part of the town does he live?) during, say, a happy hour at the bar near their office, that's social engineering. Now, truth be told, all of us do this at least every once in a while; it's called blabbering, or gossip. It really only becomes social engineering when one has hidden reasons for finding out all this information.
Here are a few more examples to help you understand better what represents social engineering and what to do to limit the damage to which you are exposed.
Shoulder surfing: When you are typing your password on your (work) computer, take a quick look around to see whether anybody is a little too interested in the movement of your fingers on the keyboard. A step further is the actual search for a piece of paper with the desired information; although employees are usually strongly discouraged from writing down their access passwords, there are always at least a few people who will leave their pass strings written in their desk drawers, at the back of an agenda, or simply on a post-it stuck to their monitor.
Dumpster diving is another technique for social engineering, though not as social. It involves gathering information from somebody's discarded documents. The goal is to find something useful: a bank account number, a password or user name, an important note and so on.
Mail tampering can be done internally, inside a company, as well as outside, in which case it represents a federal crime. In spite of this, mail can often uncover important pieces of information about a person's existence: call details, bank statements, or just regular correspondence, not to mention pay slips or confidential internal communication.
Impersonation, or pretexting, involves interaction, either via the phone, e-mail or in person. This technique represents a step up from the plainer methods described above and requires the social engineer to use some information about his intended victim in order to pass as somebody else (sometimes even the victim) and gather more data. Remember e-mails that tell you to "click here, then insert your user name and password so that we know your account is still active"? That is phishing for information, but it's based on impersonation. Or I can make a phone call to Mary at work, say that I am her sister from another state, then ask some personal questions (what time is she coming to the office, so that I know when she leaves the house, and so on).
There can be many variations to these basic techniques. It is important to understand that social engineering is mainly a form of exploiting natural actions, like throwing away a piece of paper that we no longer need, or chatting with friends and telling them about current life or job events.
Learn more about this author, Alex Kelley.