This paper examines social engineering as a growing threat to information security, arguing that human vulnerabilities represent a more exploitable weak point than technical system flaws. It surveys key attack methods—pretexting, email phishing, phone phishing (vishing), persuasion, and brute-force hacking—and illustrates their real-world impact through two detailed case studies involving Kevin Mitnick and security auditor Christopher Hadnagy. The paper also reviews relevant legal protections including HIPAA, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and the Telephone Records and Privacy Protection Act of 2006. It concludes with practical organizational countermeasures, emphasizing that a continued awareness program combining staff training, periodic auditing, and technical safeguards is essential for comprehensive information security.
We are in an age of information explosion, and one of the most critical problems facing us is the security and proper management of information. Advanced hardware and software solutions are being constantly developed and refined to patch any technical loopholes that might allow a hacker attack and prevent consequent breaches of information security. While this technical warfare continues, hackers are now pursuing other vectors of attack.
Social engineering refers to techniques, both technical and non-technical, that exploit human cognitive biases, treating people rather than systems as the weakest link in computer security. What is striking is that, despite the scale of the vulnerability created by human exploitation, a careless attitude persists in the corporate world. While more and more money is spent on hardware security and expensive software solutions, little is done to address social engineering exploits. Although laws and regulations such as HIPAA, the Sarbanes-Oxley Act (SOX), and the Gramm-Leach-Bliley Act (GLBA) are already in place to protect privacy and information security, greater awareness of social engineering threats is still needed. This paper gives a brief overview of the various technical and non-technical social engineering techniques and of the simple but effective measures that could be implemented to protect end users from social engineers.
Pretexting is defined as "the act of creating an invented scenario to persuade a targeted victim to release information or perform some action" (Hadnagy & Wilson, chap. 4). Social engineers use extensive research to successfully impersonate others and make the target believe in them, thereby inducing the disclosure of vital information. This background research and practice enables the social engineer to present a convincing, seemingly legitimate case. The phone is the most important tool used for pretexting.
The most famous incident of corporate pretexting was the 2006 HP scandal. In that case, Patricia Dunn, then chairwoman of HP, employed security officials who used pretexting to obtain the phone records of HP board members and other employees in order to identify an inside leak. In a court statement, the FTC reported that "the defendants have obtained confidential customer phone records, including lists of calls made and the dates, times, and duration of the calls, and sold them to third parties without the knowledge or consent of the customers" (Greg Sandoval, Feb. 2007). The Telephone Records and Privacy Protection Act of 2006 clearly made it illegal for any person or corporate entity to use fraudulent methods to obtain call records from a telephone company. Violations are punishable by imprisonment of up to ten years.
Phishing attacks are a common form of technical social engineering that use either a website or an email to trick unsuspecting users into surrendering vital information such as bank account numbers or credit card details. Email phishing scams often involve warnings about a breach of account security and ask the customer to re-enter their account details and change their passwords. Typically, a phishing email contains a link to a malicious website designed to resemble the legitimate website of a reputable bank or other business. Unaware users re-enter or update their personal details, which the social engineer then uses to access their accounts (McDowell, 2009).
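The deception described above usually lives in the links themselves: the visible text claims one destination while the `href` points to a look-alike host. The following is an added example, not code from the paper, showing how a mail filter or analyst script can flag such links. The HTML message and the domains in it (`examplebank.com` and the look-alikes) are constructed for illustration; the registrable-domain helper is a deliberate simplification of what a production tool would do with the Public Suffix List.

```python
"""Flag deceptive links in a phishing-style HTML email.

Added example, not from the paper. The HTML message below is constructed
for illustration; the hosts are reserved example domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one link whose visible text claims to go to the bank's
# site while the href points elsewhere, one digit-for-letter look-alike
# domain, and one honest link.
SAMPLE_EMAIL = """
<p>We detected unusual activity. Please verify your account:</p>
<a href="http://examplebank.com.verify-login.example.net/">https://www.examplebank.com/account</a><br>
<a href="https://examp1ebank.com/reset">Reset your password</a><br>
<a href="https://www.examplebank.com/help">Help center</a>
"""

TRUSTED_DOMAIN = "examplebank.com"  # assumed brand domain for this example


def registrable_domain(host):
    """Last two DNS labels. Adequate for .com here; a real tool consults the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html, trusted_domain):
    """Return [(href, [reasons])] for links that look deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    brand = trusted_domain.split(".")[0]
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        reasons = []
        # 1. Visible text is itself a URL whose host disagrees with the real href host.
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if registrable_domain(shown_host) != reg:
                reasons.append("display URL host differs from href host")
        # 2. Brand name appears in the host, but the registrable domain is not the brand's.
        if brand in host and reg != trusted_domain:
            reasons.append("brand name in a non-brand domain")
        # 3. Cheap look-alike check: same length, digits substituted for letters (l -> 1).
        if reg != trusted_domain and len(reg) == len(trusted_domain):
            diffs = [(a, b) for a, b in zip(reg, trusted_domain) if a != b]
            if diffs and all(a.isdigit() and b.isalpha() for a, b in diffs):
                reasons.append("digit-for-letter look-alike domain")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL, TRUSTED_DOMAIN):
        print(href, "->", "; ".join(reasons))
```

Run stand-alone, the script reports the first two links and stays silent on the third. The three checks are independent, so a link can trip more than one; the honest `help` link passes because its registrable domain is the trusted one even though the brand name appears in the host.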
Phone phishing is a growing trend among social engineers. As more users become aware of the dangers of unsolicited emails, hackers have begun to conduct phishing over the phone. In particular, the availability of low-cost VoIP services has made this medium attractive for fraudulent schemes, and phishing conducted by voice, typically over VoIP, is now commonly termed "vishing." Users receive voice messages that appear to come from their bank, informing them that their account has been frozen and asking them to call a specific number to reactivate it. Unwary customers who call the number end up divulging their account details, making the vishing scheme a success (Sonja Ryst, 2006).
Social engineers rely on successful impersonation and persuasion skills to deceive users. They exploit human qualities such as trust, helpfulness, and fear to circumvent technical defenses and gain direct access to confidential information. A skilled social engineer may use both direct and peripheral persuasion routes to induce the victim to provide the required information (Michael Workman, 2007).
With modern computing power, hackers can easily target data servers. By using botnets, they can disrupt normal server services. Cracking passwords has also become significantly easier: the availability of rented cloud computing power and clusters of hundreds of virtual machines allows a hacker to recover a weak password from its hash by simple brute force in under twenty minutes, a job that would previously have taken days (Ted Samson, 2011). The lesson for defenders is that the cost of a brute-force attack is set by the size of the password space and the speed of the hash function, and both are under the organization's control.
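To make the arithmetic behind that claim concrete, the following added example (not code from the paper or from the cited article) brute-forces a short lowercase password from its unsalted SHA-1 hash, then compares how long the same attacker would need against a fast hash versus a deliberately slow key-derivation function. The guess rates are measured on the machine running the script rather than on a cloud cluster, and the salt, iteration count and sample passwords are constructed for the demonstration.

```python
"""Brute-force cost of a fast hash versus a slow KDF.

Added example, not from the paper. The cluster figures in the text come from
Samson (2011); this script measures a single CPU and a tiny keyspace so the
arithmetic can be checked directly.
"""
import hashlib
import itertools
import string
import time

ALPHABET = string.ascii_lowercase


def brute_force_sha1(target_hex, length, alphabet=ALPHABET):
    """Enumerate every candidate of the given length until its SHA-1 digest
    matches target_hex. Returns (password_or_None, attempts)."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(chars)
        if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
            return candidate, attempts
    return None, attempts


def keyspace(length, alphabet=ALPHABET):
    """Number of candidates an exhaustive search must consider."""
    return len(alphabet) ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet=ALPHABET):
    """Worst-case time to try the whole keyspace at the given rate."""
    return keyspace(length, alphabet) / guesses_per_second


def fast_hash(pw):
    """Unsalted SHA-1: what a careless application stores."""
    return hashlib.sha1(pw).digest()


def slow_kdf(pw, salt=b"constructed-salt", iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a work factor; salt and iteration count are
    assumptions for the demo, not a recommendation for any specific system."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)


def measure_rate(hash_fn, samples=2000):
    """Rough guesses per second for hash_fn on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"pw{i}".encode())
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed victim password; the attacker only has its hash.
    target = hashlib.sha1(b"dog").hexdigest()
    found, attempts = brute_force_sha1(target, 3)
    print(f"recovered {found!r} after {attempts} guesses")

    fast = measure_rate(fast_hash)
    slow = measure_rate(slow_kdf, samples=20)
    print(f"SHA-1: {fast:,.0f} guesses/s; PBKDF2: {slow:,.0f} guesses/s")
    for n in (6, 8):
        print(f"{n}-char lowercase space: {keyspace(n):,} candidates; "
              f"SHA-1 {seconds_to_exhaust(n, fast) / 3600:,.1f} h, "
              f"PBKDF2 {seconds_to_exhaust(n, slow) / 3600:,.1f} h on this CPU")
```

The point of the comparison is not the absolute numbers, which depend on the host, but the ratio: PBKDF2 at 100,000 iterations costs roughly that many SHA-256 computations per guess, so the same attacker budget covers a keyspace that many times smaller. Rented GPU clusters scale the numerator; a slow, salted hash scales the denominator, and only the latter is the defender's choice.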
Kevin Mitnick is world-renowned for his social engineering exploits and his mastery of elicitation skills. One of his famous exploits involves hacking into the Department of Motor Vehicles (DMV) using refined impersonation and elicitation methods, including intercepting police calls to the DMV. In this self-reported account, which he calls "The Reverse Sting," Mitnick describes through the character of Eric how he successfully penetrated the non-public DMV database and gained access to driver's license numbers of civilians and police officers by combining non-technical and technical social engineering skills.
Eric knew that by posing as a police officer he could access information from the DMV database. However, the first obstacle was finding the unpublished DMV phone number. He obtained it by first calling the telephone information service and asking for the DMV headquarters' public number. To obtain the private number ordinarily used by police, he then called the local sheriff's office asking for the Teletype department's number—the system through which police send and receive information. He called that Teletype number and asked for the number police officers would use to contact DMV headquarters. When questioned "Who are you?" he swiftly responded with a name and an internal reference. Because he already had the non-public Teletype number and correctly cited the base DMV numbers, the Teletype receptionist assumed he was an internal caller and provided the number.
Using that number, Eric called the DMV and, posing as a Nortel technical support representative, asked to speak with a DMV technician. He informed the technician that Nortel was updating all DMS-100 switches and that the process could be completed entirely online, for which he would need the dial-in number for the DMS-100 switch. The request sounded entirely plausible, and the technician promptly provided the number. Drawing on his prior experience with Nortel equipment and trying default passwords, Eric quickly broke into the system and gained access to nineteen dedicated lines.
He then intercepted one of these incoming lines and routed it to his cell phone, allowing him to receive all calls coming in on that line. Law enforcement officers routinely began calling him to request details on various license numbers. Through a simple combination of non-technical elicitation and technical knowledge, he successfully penetrated a strictly confidential government database (Hadnagy, chap. 8).
Christopher Hadnagy, author of Social Engineering: The Art of Human Hacking, recounts his personal experience as a social engineering auditor for a medium-sized printing company in the United States. The audit was commissioned to persuade the CEO to invest in security systems, which he had resisted, believing that all proprietary processes and confidential information were well protected because he made limited use of technology. Over the phone, the CEO had emphatically rejected the need for additional security, declaring that "hacking him would be next to impossible because he guarded these secrets with his life" (Hadnagy, chap. 8).
Hadnagy, as the auditor, used an information-aggregating tool called Maltego and quickly gathered useful data: the company's IP address, mail servers, phone numbers, physical address, and employee names and titles. Running a metadata transform in Maltego produced additional files containing dates and creator information. One file named InvoiceApril.xls stood out. Its contents indicated it was an invoice for a marketing event organized by a local bank. Hadnagy immediately called the bank, posing as a representative from the printing firm's accounts department, and learned that the event was the bank's annual Children's Cancer Fund Drive.
Hadnagy then gathered personal background information about the CEO: his hometown in New York, his preferred restaurant (Domingoes), his love of Mets games, and his top three favorite dishes. Armed with this intelligence, he called the CEO and described a small fundraiser in support of children's cancer research, noting that the raffle prize was two tickets to a Mets game and dinner at Domingoes—both among the CEO's favorites. In doing so, Hadnagy was pulling the CEO's emotional strings, using the gathered information to make the conversation feel personal and credible. Hadnagy had already prepared a malicious PDF file embedded with scripts that would grant him full access to the CEO's computer. The CEO did indeed fall for this straightforward approach: he provided his email address and opened the malicious PDF, giving Hadnagy complete access to his computer and the connected servers (Hadnagy, chap. 8).
There is a gaping hole in information security provisions. While more money and time are invested in strengthening technical security solutions, the human vectors exploited by social engineering attacks remain alarmingly neglected. Non-technical social engineering methods are gaining in popularity as hackers increasingly focus on the soft target of human weakness in their efforts to breach IT security. Using a variety of simple methods, such as pretexting, dumpster diving, and phishing, social engineers are able to penetrate security defenses and achieve their malicious objectives.