Smart criminals understand their success hinges on choosing the right opportunity to exploit a specific weakness. That’s why burglars avoid homes with alarm systems, car thieves look for unlocked vehicles, and muggers don’t attack those wearing a white robe and a black belt.
In other words, they go after the “lowest hanging fruit.”
Similarly, criminals who use social engineering tactics seek opportunities to employ their unique methods of manipulation and deception to exploit the weakest link of the security chain. For the social engineer, that weak link usually is the organization’s own people and procedures.
Unlike traditional security threats that can be thwarted with physical or electronic security precautions, social engineering tactics exploit the fundamentals of human nature: our natural tendency to help others, our desire to avoid conflict, our fear of making mistakes, and our fear of getting ourselves or others in trouble.
In fact, professional social engineers are literally betting that their natural ability to manipulate basic human traits will create opportunities to turn targets into unwitting accomplices.
Seasoned social engineers know exactly whom to target. Although top executives may have direct access to the most valuable information within the organization, social engineers realize it’s much more complex and time-consuming to directly compromise executives.
Instead, they set their sights on low- and mid-level employees. Receptionists, cleaning crews, tellers, and even managers of remote locations are all attractive targets to a smart social engineer. After all, these employees typically have limited security awareness training and might be more susceptible to manipulation and deception.
These staff positions also could provide criminals with access to sensitive areas during off-peak hours, when the chance of being exposed is significantly lower.