38

Social engineers and their victims

Making the wrong contact

Abstract

“Social engineers” use devious methods to obtain valuable confidential information from their victims. Social engineers target senior managers, often in public places such as bars, restaurants, coffee shops, and airports. Social engineering methods include instilling trust and getting the victim to reveal business information. Staff orientation can be an effective tool to ward off social engineering attempts.

Keywords

Social engineering

Social engineer

Victim

Airports

Train stations

Confidential information

Corporate intelligence

Techniques

Competition

Staff orientation

You’ll arrive in this airport lounge any moment. Between flights, hundreds of senior managers and other important people stop in for a drink. I’ll know about you from the tag on your briefcase, which contains your business card. Even before I approach you, I’ll know your name, title, and company. I’m delighted to learn that you work for a big insurer. We must talk.

I’m what security experts call a “social engineer.” Using devious methods, I obtain confidential information from unwitting sources. I can sell it to your competitors and anyone else who’s prepared to pay for it. While I concentrate on covert information gathering, I might also get involved in other criminal activities including investment scams and fencing stolen goods.

But don’t assume that all social engineering is illegal. Idle curiosity and the love of gossip turn many of us into social engineers. To a professional like me, however, prying corporate secrets out of unsuspecting strangers can be profitable. It’s safe: you rarely see my kind in court, unless we’re charged with other offences such as fraud. In fact, many of my victims are too embarrassed to admit that they’ve been “engineered.” Nobody enjoys looking like a sucker.

Why are you my target? Because someone in your high-powered position probably has access to much valuable information. You can tell me about the “six Ps” of your company: plans, projects, products, prices, purchases, and personnel. Your competitors would love to know the marketing strategy for your company’s new products, and when you plan to release that new homeowner policy. What’s the premium? And what about the new software packages that you’re developing to manage your customer service department? Who will you hire to run your projects, manage your databases, and handle that big merger?

Think of it this way: you’d be delighted to have this information about your competition, wouldn’t you? Now you understand why your competition would like to know about you, and why certain persons who work for your competitors would be happy to pay a social engineer to dig up useful intelligence about your own company’s six Ps. You also realize why social engineers engage in unethical behavior.

I’ll look for you in different public places. Bars and restaurants are hotspots for social engineering, as are convention halls and trade fairs. Airports, train stations, and bus depots are traditional favorites, partly because travelers must display their identification freely to enter departure areas. (That’s a fine passport photo, by the way. It really captures your character.) Any lobby, waiting room, or Starbucks could be a base for my operations. These are natural places for people to meet and talk, exchange views, gossip, and information concerning your company’s buyout of an American insurer with substantial Asian assets. Hi there!

Successful engineering starts with an effective opening line. Simplicity and fluency are essential. Ideally I’ll manipulate you into an extended conversation that begins innocently and moves into confidential matters before you realize it. Let’s say that I see you checking for messages on your BlackBerry. Here’s my opening:

“Do you mind if I ask you if you like using that thing? It’s like a handheld PC, isn’t it?”

Yes, it is.

“What can you store on a device like that? I mean, can you carry statistics and that kind of thing?”

Yes, you can.

“But isn’t it hard to read that stuff on such a tiny screen?”

No, not as hard as you think. Look at these data concerning my company’s new products.

“Hey, you can see the projected sales figures really clearly.”

You can. And just look at the way that we’ve organized the figures for New York.

“Look at that! That’s amazing. You got time for a cup of coffee? I’d like to check out that machine a bit more. There’s a Starbucks around the corner.”

And for a cup of coffee, you find yourself sharing sensitive information with a stranger about whom you know nothing. You’re won over by his enthusiasm and apparent naiveté, which inspires you to show him information that you might not share with even your closest associates. Does this sound farfetched? In fact it’s an approach that a social engineer used recently at airports in Vancouver and Calgary, and at a conference in Banff. It’s hardly original. In the world of social engineering, it’s equivalent to “Do you come here often?” in a nightclub.

Engineering victims are often highly intelligent people who are amazed that somebody they met in an airport persuaded them to reveal confidential information. How could they trust somebody they barely know? While we might not want to admit it, most of us are too easily disposed to trust strangers, especially when they tell us intriguing stories about themselves. They can be convincing and dramatic. Often they open their bogus autobiography with statements that pique your curiosity. For example:

“I’ve had a hard life.”

I’m compassionate. Tell me more.

“After I left Harvard, I didn’t know what to do with myself.”

My company employs several Harvard grads in management positions. A person with your education and background must be trustworthy.

“My family was rich, but money isn’t everything.”

An idealist! You’d never stoop to dirty practices, would you?

“I represent a number of offshore interests.”

A well-traveled Ivy League idealist who might know several of the senior managers in my company. Here’s somebody who deserves trust.

“They gave me a medal for what I did in Iraq, but that’s another story that I don’t want to talk about now. It’s too painful.”

I’m sorry. Perhaps we should stick to the sensitive report on claims management that nobody except my CEO has read. Then you could tell me about your adventures in the Middle East. A hero, too!

Meanwhile, the liquor flows. It loosens your tongue and makes you say things that you shouldn’t. It also forces you to answer nature’s call. When you leave the table to visit the washroom, you might neglect to take along your briefcase, laptop, or BlackBerry. But that Harvard grad with the Iraq medal seems so dependable. You don’t start to worry until you return to find that your drinking partner has disappeared with everything you left behind. This includes the reports that were for the eyes of your senior managers only.

Even more embarrassing is the admission that you indulged in illicit substances with the stranger who stole your information. The Harvard hero offers you marijuana or cocaine. If you accept, you’re taking a big risk. Dope can be much stronger than you expect, and it can lower your defenses even faster than scotch. You might hand over confidential files without even realizing what you’re doing. Worse, you could wake up in a strange place without your wallet, passport, and briefcase. It happens frequently. To avoid bad press, companies avoid making a police report. You understand why social engineers get away with so much.

Another engineering tool is the phoney celebrity contact. You’re great company, especially when you reveal the dates of your upcoming product releases. Perhaps you’d like to join Mick Jagger and me for a drink next week? He’s coming to town with Lady Gaga to do a charity concert. You haven’t heard about it? Well, it’s pretty exclusive. Only the right people are invited. Say, those new products: what kind of premium structure are you looking at? It’s confidential, but I’m curious. We won’t have a chance to talk about it when the music starts. I’ll make sure that you get a ticket.

Sometimes the engineer claims to be a celebrity himself. He might claim to be the author of a book that’s about to be published. It will reveal the truth about Wall Street. Or Microsoft. Or the pharmaceutical industry. Would you like a signed copy, and to join the special group of insiders who find out about these things before anybody else? Social engineers are adept at making you feel privileged and exclusive. You might want to return the favor by revealing something that only the senior management of your company should know. To make themselves even more interesting, engineers tempt you with attractive offers that you’d never expect.

How can you protect yourself and your company? Staff orientation is the most effective way to ward off social engineering attempts. Make all employees aware of the risk, and inform them about the engineer’s techniques. Remember that any employee could be a target, from the CEO to the young person in the mailroom who opens and distributes sensitive letters, proposals, and reports. Your receptionist can be especially vulnerable, since he or she knows who’s in your building and has a good idea of why they’re there. The receptionist might also be in charge of a corporate fax machine and every piece of correspondence that arrives in its tray.

Forewarned is forearmed, but employees should also be encouraged to tell their managers about any attempt at social engineering. Any employee can attract an engineer, so it’s wise to be vigilant.

Because I’m still waiting for you, and we’re bound to cross paths.
