Social Engineering

Social engineering attacks take advantage of people's helpfulness, credulity or lack of self-confidence in order to, for example, gain access to confidential data or prompt them to perform certain actions. Of all the forms of attack, this is still one of the most successful. An attacker can use social engineering, for example, to gain access to the user names and passwords of company staff by pretending to be a system administrator or manager on the phone. By alleging acute computer problems and showing knowledge of the business (e.g. supervisor's name, workflows, etc.), the attacker unnerves the victim until he/she discloses the desired information.

Social engineering methods are often used to spread viruses and Trojan horses, e.g. when the name of an e-mail attachment containing a virus promises particularly interesting content (e.g. « I love you », « Anna Kournikova », etc.). Phishing is also a special form of social engineering attack.

Effects and risks

  • Disclosure of confidential information
  • Fraud
  • Spreading of viruses and Trojan horses

Measures

  • Publish only as much information on the internet as necessary. This applies especially to companies and the publication of employees' names and functions.

  • Also be reserved when somebody asks you for such information on the phone.

  • Caution when passing on information
    No confidential information (e.g. username, password, etc.) should be revealed to others, even over the phone. If someone insists, report this to your supervisor, the system manager or the service provider (e.g. bank, Internet service provider, etc.). No reputable service provider would ask you for a password.

Last modification 28.10.2016

https://www.melani.admin.ch/content/melani/en/home/themen/socialengineering.html