Social engineering stories
Like good movies, a successful social engineering scam usually leaves both the perpetrator and the victim with an impression they'll never forget. We spoke to security experts about memorable social engineering stories.
By Joan Goodchild, Senior Editor
May 24, 2010 — CSO —
Winn Schwartau has been writing, lecturing and consulting on security for more than 25 years. The founder of The Security Awareness Company says while technology has changed, the most influential factor in security has not—the employee or end user.
"We don't touch networks, we touch people," says Schwartau. "Because, in the end, the weakest link in all of this stuff is the person at the keyboard."
Schwartau says security managers are up against a combination of ignorance, apathy and arrogance when it comes to individual awareness.
"One thing we've recognized over the last several years is the user doesn't care about the company. He cares about his paycheck, his review, his incremental raises," he explained. "A lot of companies claim to have some kind of policies about user behavior, but given the political correctness of the world, even if you have a policy that says 'Don't do this or you'll pay the piper', generally the piper doesn't get paid."
Schwartau ran through some memorable moments he's encountered in his decades consulting in security awareness training. Social engineering, he says, has new players and forms, but the underlying techniques usually remain the same.
Social engineering story 1:
The postman rings, security pays the price
Winn Schwartau: We had been hired by a large financial services firm in New York to do security awareness training. We wanted to do an assessment of where people were with awareness based upon all of the training and policies they had going on prior to our involvement with them. So we created a social engineering test.
It was not the traditional 'call someone on the phone and try to social engineer them.' What we did is take their letterhead and write a letter. We sent it through regular mail to about 30 percent of the employees. Approximately 1200 people. The letter said essentially: "Hi, we're from corporate information security. The reason you are receiving this letter is because we know social engineering occurs at work and we are going to upgrade our systems." We then went into some detailed technical babble about how we were going to migrate this database to this and a lot of stuff the average person is just not going to understand.
It went on to say "We know you're concerned about security and that is the reason for this letter. We don't want you to communicate any of this information over anything but mail, because that is the only secure way to do this. We need your personal details on the following things so we can transfer them into the system and verify them for accuracy because we've been having trouble with databases in this transition."