Case Studies and Examples

Access control systems that address human nature—and the problems human nature can introduce—focus on social engineering attacks. The case studies in this chapter also focus on social engineering and how to implement access control policies that will prevent those types of attacks.

Private Sector Case Study

Private-sector organizations are often the targets of social engineering attacks. They tend to be less well protected from social engineering attacks than governmental organizations. For this reason, foreign governments as well as competitors often target them.

Consider the case of Acme Software, a large technology firm. They produce software-based firewall and email encryption solutions for home and business use.

Late one Monday afternoon, Janice, an administrative assistant, receives a telephone call from a man who says that his name is “Ed” and that he works in the marketing department. Ed tells Janice that he is working on the marketing collateral for the big trade show next month and needs to know the major features for the new line of encryption software. Being helpful and providing information is a big part of Janice’s job, so she knows right where to find the documentation on the new software. She reads off a list of features to Ed, who thanks her profusely for saving him a lot of time on this project.

A few days later, Ed makes another phone call, this time to a programmer on the encryption team. He tells the programmer the same story—that he is from marketing and is working on materials for the trade show—and asks the programmer to explain one of the most technical features from the list he got from Janice. The programmer begins to explain it, and Ed asks questions that clearly demonstrate that he does not understand the technology. As the programmer’s frustration grows, Ed suggests that it might be easier if he could just play with a copy of the software. The programmer, at this point eager to get Ed off the phone, agrees. Ed tells the programmer that he’s actually working from home and doesn’t have his corporate laptop, and asks him to just send the files to his personal email address instead. The programmer agrees and sends an email with a copy of the software to Ed’s personal email account.

Unfortunately, Ed is actually a corporate spy working for a foreign government. The U.S. government forbids the export to that country of the kind of encryption technology used in the software in question, but the programmer had no idea he was breaking any laws. He was just trying to get “marketing” off the phone so he could get back to work on his code. The ultimate weakness in this scenario was the employees’ tunnel vision. They knew their jobs very well but did not relate their positions to the larger organization. Janice knew that her job was to be helpful, but she did not stop to question whom she was helping. The programmer did not connect the fact that he was working on highly sensitive code to the possibility that he could become the target of a social engineering attack. Better security awareness on all levels of the organization would have prevented this attack.

Public Sector Case Study

University networks are often targets of information theft because they hold valuable information and are accessed by people with minimal—if any—security training. Consider this scenario:

Michelle is a first-year, early childhood education student attending the state university. Monday morning at 7:30 a.m., her phone rings. On the other end of the line is someone claiming to be from Campus Information Security. He tells her they have been monitoring the data usage from her room and have noticed a spike in file transfers over the past week.

Michelle is initially confused, having suddenly been woken up by the phone and unfamiliar with the terms “file transfer” and “data usage.” The man on the line asks her how long she has been operating an illegal file-sharing server from her room and informs her that such activity is a violation of university policy. She could be expelled from school and face stiff civil fines, as well as possible jail time.

Fully awake now, Michelle protests. She hasn’t been running a file server from her room; there must be some mistake. At first, the man on the phone seems unconvinced, but as Michelle pleads her innocence and ignorance of the issue, he backs down and suggests that she must have a virus that’s causing the increased file transfer rate. He’ll need to log onto her system to run a diagnostic check and clean out the virus, and to do so he’ll need her username and password.

Relieved that he is no longer threatening her with expulsion, fines, and jail time, Michelle agrees and gives him her information. He tells her to give him a couple of hours to work on things, and he’ll erase the virus and make a note in his files.

The social engineer who targeted Michelle spends the next couple of hours using her account to explore the university’s network and break into more sensitive areas than Michelle has access to.

In this case, the hacker exploited two crucial things: ignorance and fear. First, he targeted a first-year student who was unlikely to have any experience or knowledge of information security. He didn’t choose a computer science major; he chose a budding preschool teacher. Second, he bullied her until she was clearly upset, then changed tactics and became helpful. He also chose to contact her at a time when she was most likely to be groggy. When people are first awoken, they tend to react to situations more emotionally than they would when fully awake. No one thinks calmly and rationally when woken out of a deep sleep.

The solution to this problem is education. Had the university simply made information security a part of its freshman orientation and emphasized that no one from the university will ever ask for a student’s password, Michelle would have had a good chance of recognizing that something about the call wasn’t right.

Critical Infrastructure Case Study

Infrastructure facilities usually have strong physical security. They are surrounded by barbed wire and have security guards at every entrance. Those guards are highly trained and aware of the important role they play in keeping things running smoothly, but they are still human and prone to very understandable mistakes.

James was a third-shift guard at a nuclear power plant. He took his job seriously, dividing his time between watching the surveillance monitors in the security office and walking the hallways in his area looking for anything out of the ordinary.

One cold night in January, around 2:00 a.m., he heard voices down the hallway that led to the control room. He hurried to the source of the sound and discovered two young men. He asked to see their ID badges, which they claimed they had forgotten. They told him they were new employees and gave the name of their manager. James escorted them back to the security office, where he placed a call to the manager, waking her up. The manager confirmed that she did have two new employees and confirmed their names, then asked to talk to the two men.

James handed over the phone and listened as one of the young men explained to the manager that he was just in early to finish some paperwork he didn’t do the night before and confirmed that he would have a presentation ready for the staff meeting later that day. Then the young man hung up the phone, apologized to James for all the trouble, and explained how he was new and didn’t want to get in trouble for not getting this paperwork done. James let the two men go.

James had expected to get the phone back to get a final okay from the manager. He had already woken her up once, so he didn’t want to call back and risk getting in trouble. A few minutes after the two men left the security office, the manager called back and informed James that she had no idea who the two men were; they were definitely not her employees. She had tried to ask questions, but the man on the phone simply ignored her and talked about paperwork and staff meetings. Of course, by the time James found this out and began looking for the two young men, they had already found what they were looking for and left the premises.

The weakness in this situation was the security guard’s natural fear of angering someone higher up the organizational chart than himself. No one likes being woken up at 2:00 a.m.—especially twice in one night. The solution to this problem is to educate everyone in an organization—managers and employees alike—on the importance of security protocols. If James had felt more certain that as long as he was doing his job he was safe from repercussions, he would not have hesitated to call the manager back and would have caught the two young men in their scam.
