Social Engineering

The term "social engineering" refers to schemes employed to acquire sensitive information stored on a computer. The fraudster tricks someone with valid access to a computer system into allowing the social engineer improper and unlawful entry into systems and files.

Social Engineering relies on the unjustified trust and helpfulness of those with valid access to information and systems. It also takes advantage of confusion caused by an ever-changing technological environment and on the failure of those with valid access to information to understand the value of the information and the harm that a social engineer can cause by using illegally acquired information.

A typical social engineering scheme would involve the wrongdoer posing as a member of an organization’s IT staff. He or she would, for example, call random numbers at a company claiming to be calling back from technical support. Eventually the perpetrator will connect with an employee who happens to have a legitimate problem and who is grateful that someone is calling back to help. The social engineer will "help" solve the problem and in the process have the employee divulge his or her password or type commands that give the malefactor access to the system. The social engineer is the con man of the twenty-first century.

Before divulging what might be confidential, sensitive or privileged information a government employee should ask:

Should this information be released to the public and, if so, under what circumstances and with what controls?
Has the person requesting information been properly identified and is that person entitled to receive the information?
Can the information be inappropriately used to access other records, gain entry to secure systems, or cause harm to the government or citizens?

Governments must be vigilant in their efforts to safeguard the considerable amount of sensitive information that is in their possession. Such efforts include:

Developing protocols for dealing with information requests.
Practicing "Professional Skepticism."
Deciding which information in their possession is confidential or sensitive.
Telling employees which information is confidential or sensitive.
Training employees to verify the identity of anyone who requests confidential or sensitive information.
Periodically testing all aspects of system security, including the reactions of employees to requests for confidential or sensitive information.

Here is an example of how social engineering has been used to defraud governments:

A multi-million dollar, international fraud and money laundering scheme targeted vendors of state governments from West Virginia, Kansas and Ohio, as well as the Commonwealth of Massachusetts, which resulted in the diversion of $3.379 million in state payments routed to fraudulent bank accounts.

The fraudsters were able to hijack legitimate vendor payments using information acquired through the Internet and other areas to complete direct deposit authorization forms for deposits to fraudulent accounts that appeared to belong to major government vendors. The fraudsters:

Targeted state vendors that routinely received significant payments.
Created phony entities with names similar to the legitimate vendors.
Produced fraudulent bank accounts in the names of the targeted vendors.
Mailed authorization forms and voided starter checks from fraudulent accounts.
The unsuspecting states sent the payments to the fraudulent bank accounts.