‘Social engineering’, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. In other words, it’s a type of confidence trick carried out for the purpose of information gathering, fraud, or system access.
An example of this is the recently reported case of a manufacturing business that became suspicious after a major competitor released a piece of equipment that had many similarities to one of its own.
An investigation revealed that one of their engineers had been searching for a new job and had exchanged emails with a ‘recruiter’ via LinkedIn. At some point in that exchange, the recruiter sent the engineer an ‘employee position listing’ document that, unbeknown to him, contained malware.
When opened, the malware installed a ‘backdoor’ on the engineer’s employer’s computer system, which enabled the attackers to search the data held on that system and collect (i.e. steal) data from network file servers. The data stolen included the blueprints for the equipment that was subsequently obtained by the competitor business.
Where do many people look for new employment opportunities? Social media, in particular LinkedIn. And where do many social engineering attacks start? Social media.
In this case the attackers found a good target (the engineer) and built trust with him via a fake recruitment profile. That innocent but misplaced trust greatly harmed his employer, even though that was not his intention.
There’s no doubt that focused data protection training should have stopped this attack from occurring: had the engineer been aware of the threats posed by fake recruiters on social media, he may have thought twice before downloading a document onto a PC that had access to his company’s valuable intellectual property.
This article is intended for informational purposes only and should not be relied upon as legal advice.