Social engineering, according to Quest Software, can be defined as the technique of using deception and manipulation to gain sufficient knowledge to dupe an unwary individual, employee or company.
For example, the Windows Event Viewer scam involved telemarketers calling people, telling them they have a virus and requesting the recipient's authority to run a Windows program called Event Viewer in order to fix 'so-called' bugs in the operating system. Other callers claim they can remove the virus for a fee and ask for people's credit card details.
In this series, Computerworld Australia examines some of the information security threats facing small businesses and larger enterprises today. We've looked at internal negligence and continue the series by speaking to experts about the problem of social engineering.
The threat of social engineering
Scammers have called people posing as a member of their company's IT department and named the person's boss in order to gain their trust, according to Sophos Asia Pacific director, Rob Forsyth.
"So if the 'IT department' rang and said that Pete [not his real name] has told them your computer was having a problem and they had been asked to fix it, would you do their bidding?," he asks. "Social engineering is the major tool used by criminals to build trust and undermine security."
Check Point Software Technologies Australia and New Zealand managing director, Scott McKinnel, says social engineering is such a large threat because it utilises the invariability and flaws in human nature.
"Social engineering is so dangerous because it takes advantage of the one fallible part of any access point-- human users," he says.
He adds that people are naturally curious and will click on a uniform resource locater [URL] and download attachments without always thinking about security.
"What makes social engineering so cunning is that it takes advantage of human behaviour and is often disguised as something a person is expecting to receive in their daily working life such as a link or attachment directly to a work email address."
In a business environment, employees' machines are supposed to be protected by an antivirus solution so that even if social engineering works the network will remain safe, according to Bitdefender chief security research officer, Catalin Cosoi.
"Social engineering can overcome this obstacle too, as in some cases carefully crafted messages will attempt to persuade the victim to disable the solution that protects a computer. It's a highly adaptive threat, constantly changing shape and baits," he says.
Extent of the threat
Once someone has control of the employee's computer, it is a much easier task to begin to mine data and dig deeper into company systems, according to Sophos' Forsyth.
Sign up for Computerworld eNewsletters.