Experience, time, and patience.
Become friends with an employee of company X — then exploit.
"Trust" needs to be established to avoid suspicion.
Commercial, Residential, or Private property? CCTV, buildings, storage, airports & hangars, parking lots, high-rises, physical security points.
Locks in use, employee schedules (days, evenings, graveyard, weekend shifts), contact numbers and addresses, email lists, client lists, company and employee social media pages, social events, or weekend rallies.
Technologies, devices, operating systems, software and hardware security, enterprise resource planning (ERP), company visibility, efficiency, intelligence, biz model, company website, databases, email servers, customer portals, surveys.
Industrial, Commercial, Residential bins. Recon first.
Walk in behind a person who is authorized. Impersonate a delivery driver or caretaker. Parcel, clipboard and pen. Ask an employee to hold the door open, say thanks, you've got it from here.
Excuse to do or say something that is false. Pretexts may be based on a half-truth or developed in the context of a misleading fabrication. Pretexts have been used to conceal the true purpose or rationale behind actions and words.
Quid Pro Quo
Exchange, trade, trade-off, swap, switch, barter, substitute, substitution, reciprocity, reciprocation, return, payment, remuneration, amends, compensation, indemnity, recompense, restitution, reparation, satisfaction, requital. In cases of "Quid Pro Quo" business contracts, the term takes on a negative connotation because major corporations may cross ethical boundaries in order to enter into these very valuable, mutually beneficial agreements with other big businesses. In these deals, large sums of money are often at play and can consequently lead to promises of indefinite exclusive partnerships or promises to distort economic reports.
Part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.
Dropping thumb drives with malicious payloads. Parking lots, libraries, shopping malls, and restaurants are high-traffic areas. Notification upon activation. Remote attacks wreak havoc.
Response to a question you never had
Some representative has your attention. Service outage has been scheduled. Problem with one of your accounts. Verification required. Remote assistance.
Do not give personal information over the phone or by email.
Cross-cut or micro-cut shred old bank/credit card account documents, signatures, numbers, SSN, medical, and legal info.
Travel with only the ID/b/cc you need for that day.
Invest in two- and three-factor authentication plus hardware authenticators.
Change default passwords. Use passphrases of 4 to 7 words.
Strengthen with upper, lower, numbers, and special chars.
Do not connect to Wi-Fi without encryption.
IBM social engineer @_sn0ww easily hacked 2 journalists for 3 weeks.
An ethical hacker's view of cloud security risks from social engineering.
How Device-Aware 2FA Can Defeat Social Engineering Attacks — Markus Jakobsson