Social engineering is like a many-headed snake: there are many ways in which perpetrators of such attacks can cause harm to a company. One of them is discussed here. Suppose an attacker wants to learn how the IT personnel at a company work. To do so, he or she poses as a user at the company who is simply calling the IT department to report a problem or to ask a question. This shows the social engineer how the company’s IT department handles such inquiries; for example, it might issue a help ticket of some sort.
The attacker would also learn whether giving a name or contact information is compulsory, or whether the department simply puts a number on the complaint until it is resolved. The next step for the attacker is to get the password of the user or of some other user.
He or she may pose as the unsuspecting user’s friend and claim to be able to reduce the downtime of the user’s computer caused by a maintenance shutdown, saying that the user’s password is needed to do so. Most likely, the user will give away the password, seeing no problem with it.
Such an attack does not have to be carried out over the telephone, but the telephone is the most convenient method for the social engineer, as it allows attacks on multiple fronts simultaneously. If the story spreads to other users, however, the social engineer may run into difficulties.
In such cases, a personal approach is better, where the social engineer goes to users with questions in person. Social engineers abuse human nature and traits and use them to their own devious ends. With their vast experience, they are good at picking up signs of someone’s personality.