What is Impersonation in Social Engineering? - Sunwest Bank
Important Articles

Paycheck Protection Program Guide

What Are Port-Out Scams?

Understanding Wiring Fraud

Strength in Numbers

2020 Financial Highlights

A Fortress Balance Sheet

Welcome Back


 

What is Impersonation in Social Engineering?

Home > Security Tips  > Information Security Awareness  > What is Impersonation in Social Engineering?
Social Engineering: The Ultimate Con

02 Mar What is Impersonation in Social Engineering?

Posted at 16:21h in Information Security Awareness, Security Tips by

No matter how secure a system is, there’s always a way to break in. Hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people  – who are often the easiest to manipulate and deceive. 

Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.

The social engineer “impersonates” or plays the role of someone you are likely to trust or obey convincingly enough to fool you into allowing access to your office, to information, or to your information systems. This type of social engineering plays on our natural tendencies to believe that people are who they say they are, and to follow instructions when asked by an authority figure. It involves the conscious manipulation of a victim to obtain information without the individual realizing that a security breach is occurring.

Impersonation requires a lot of preparation, so it occurs less often than other forms of social engineering. Social engineers prefer the more anonymous phone or email approach over appearing in person. Done well, however, nobody ever knows that the impersonator was ever there. To the people they spoke to, they were just another individual in a non-stop stream, although perhaps just a bit nicer than the run-of-the-mill grump.

Roles of the impersonator

Some common roles that may be played in impersonation attacks include: a repairman, a meter reader, IT support, a manager, a trusted third party (an auditor, for example), or a fellow employee. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most people want to help, so they will bend over backwards to provide the required information (or access) to anyone with authority.

These tricks work because we all regularly interact with people we don’t know. It’s human nature to trust credentials – a badge or a uniform – but they can be forged. We trust uniforms, even though we know that anyone can wear one. And when we visit a website, for example, we use the professional appearance of the page to judge whether or not it’s really legitimate — never mind that anyone can cut and paste graphics. In the same way, we have a tendency to automatically trust someone in authority.

Common social engineering roles:

  • Posing as a fellow employee
  • An employee of a vendor or partner company, or auditor
  • As a new employee requesting help
  • Pretending to be from a remote office and asking for email access locally
  • As someone in authority
  • A system manufacturer offering a system update or patch

Impersonators do their homework
Impersonation works best when the social engineer gives a convincing performance, complete with the proper technical jargon or other insider information. Impersonators do their homework. They come armed with:

  • A uniform
  • An ID badge
  • A fake or forged business card
  • Insider information
  • Names and details about employees

Once inside the building, impersonators will look for opportunities to:

  • Learn more about the organization and its employees
  • Eavesdrop on employee conversations
  • Shoulder surf to uncover passwords or pins
  • Steal documents, equipment, or other items of value
  • Gain access to computers, copy or fax machines
  • Sabotage the network

There are some warning signs of an attack. Pay special attention to:

  • Out-of-ordinary requests
  • Claims of authority
  • Stressed urgency
  • Threats of negative consequences of non-compliance
  • Displays of discomfort when questioned
  • Name dropping
  • Compliments or flattery
  • Flirting

Before releasing any information to anyone, it’s essential to at least establish:

  • the sensitivity of the information
  • your authority to exchange or release the information
  • the real identity of the third party (positive identification)
  • the purpose of the exchange

Countermeasures for impersonation attempts
Verification is the key.  A social engineer’s goal is to fit in with the crowd – to look like someone who should be there.  They may be disguised as any number of people who frequent your organization and, because they look like they belong, your best defense is being alert and asking someone in authority if they should be there.  Always verify the identity of anyone who shouldn’t be allowed inside your organization.

Powered by www.InfoSightInc.com

Print page


Sunwest Bank
Built For Entrepreneurs By Entrepreneurs
Sunwest Bank is an entrepreneurial business bank built for entrepreneurs by entrepreneurs. Sunwest Bank was founded in 1969 in Tustin, CA. Sunwest Bank recently moved its headquarters to Sandy, UT, Salt Lake City metropolitan area.
Useful Links

     

Contact Sunwest Bank
© Copyright 2024 Sunwest Bank

Banking, Deposits and Savings, Commercial and Small Business Lending and online or mobile Banking services are provided by Sunwest Bank, Member FDIC, Equal Housing Lender, NMLS No. 586120. Department of Financial Protection and Innovation License No. 1017. All Rights Reserved – 2021.

Checking and Deposits: Checking accounts may have monthly fees or minimums, or per item charges. Review your account details. Deposits (including Certificates of Deposit) are insured by the FDIC up to a maximum of $250,000 (including principal and interest) for all deposits held in the same insurable ownership capacity (e.g., single account, joint account, IRA) at the same bank. Sunwest Bank customers are responsible for monitoring the total amount of deposits held. All deposits at a single bank held in the same insurable ownership capacity are aggregated for purposes of the applicable FDIC insurance limits. Take advantage of the FDIC's Electronic Deposit Insurance Estimator (EDIE) to calculate the FDIC insurance available for your personal and/or business deposits at: https://edie.fdic.gov/

Lending: All real estate secured loans are subject to credit and collateral approval. Additional terms and conditions apply. Small Business loans are subject to credit and collateral (if required) approval and program eligibility requirements of Sunwest Bank and the Small Business Administration, as applicable. Business and Personal loans are subject to credit and collateral (if required) approval. Some business loans may require a personal guaranty. Carefully read all loan product information, agreements and disclosures before completing the lending process.

All Programs, rates, terms and conditions are subject to change without notice. Complete details, including restrictions, limitations and exclusions for any product or service of Sunwest Bank will be available when you become a customer.

Sunwest Bank Mobile is compatible with iOS devices (iPhone, iPod Touch, iPad) and Android-powered devices. While the Sunwest Bank Mobile app is free to download, message and data rates may apply. Check with your mobile services provider for any charges that may apply for data usage on your mobile device. Please refer to the Mobile Banking and Online Services Agreement for further details regarding Sunwest Bank mobile banking services.


Google Play and the Google Play logo are trademarks of Google, Inc.
Apple, the Apple logo, iPhone, and iPad are trademarks of Apple Inc., registered in the U.S. and other countries.

ALL INVESTMENT AND INSURANCE PRODUCTS:
NOT FDIC INSURED - NO BANK GUARANTEE - MAY LOSE VALUE – ARE NOT A CONDITION TO ANY BANKING SERVICE OR ACTIVITY – ARE NOT DEPOSITS