Social engineering is a means by which information is extracted, usually verbally, by someone impersonating a legitimate holder or user of the information in question. Social engineering will often take place over the telephone; here are some examples:
- A 'senior member of staff' calls the IT support desk in a 'great hurry' and has forgotten their password (and they need it now!).
- A 'secretary' calls to say that their superior needs to access some information urgently but has forgotten the 'new' password.
- A 'telephone engineer' calls to request details of the access number to the computer system as they have received a fault log and they need to 'test it'.
- A 'colleague' asks to speak to Ms X and is advised that she is away for 3 days on business. To the caller, this indicates that Ms X's logon account to the system is unlikely to be used during this period.
*** The Information Security Glossary ***