Let’s talk about social engineering. In the context of information security, it is defined as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
In today’s world, this means manipulating someone at arm’s length by collecting data from an individual’s social media accounts.
Think: posting a work schedule online, “checking in” at a local coffee shop every day at 11am during a break, sharing pictures with a security badge visible, etc.
Most of the time, the person posting doesn’t even realize the information could be considered sensitive and could be harvested by opportunistic criminals. Criminals have become savvy and can use social media to gain intel about a company, an organization, or an individual.
Here’s an example:
An individual starts a new job as a Security Guard at an office headquarters. He makes the following posts, simply wanting to share his life online:
- He posts on Instagram, “Starting my new job at ErucesSecurity,” including an image with his brand-new employee badge.
- A couple of weeks later, the employee posts a picture of an empty building while at work, with a caption that reads, “Always slow on a Friday night… I wonder why!”
- Perhaps after more time has passed, he mentions something about his boss, “The look I give my boss when they make me stay late by myself…”
As you can likely see, the employee has unknowingly presented an opportunity to take advantage of a slow night on the job. Criminals looking to break into his workplace to steal product or files, or to stage an attack, would use this information for what is known as social engineering.
No one ever suspects they would be a target for a hacker or a cyber-attack, but depending on their role within a company, they could easily be the target of this common practice.