You get a call from someone who greets you by your name and title and says he’s in the IT department at your company. A number of employee passwords have been stolen, he says, so you need to change yours right now. He then walks you through changing your password, explaining that it must include certain characteristics. “What’s your new password?” he asks. This should stop you cold, since no legitimate company or employee will ever ask for your password. But at this point you trust him, and you’re in a rush. So you tell him.
Unfortunately, that “IT professional” was a hacker, and you just made his day.
The playbook he used is called social engineering, a common form of hacking that tricks targets into giving up sensitive information. Instead of exploiting weaknesses in technology, social engineering exploits human vulnerabilities such as trust, urgency and deference to authority.
This type of threat is now what worries cybersecurity professionals most, according to a survey conducted at 2017’s Black Hat cybersecurity conference. The tactic was again a hot topic at the 2018 Black Hat conference, which was sponsored in part by HP.