The easiest way to get into any computer is to ask someone to give you access. Naturally, computer administrators aren't going to give access to anyone who asks, so hackers just ask the people who have regular access to the computer but little interest in protecting that computer. In other words, hackers target the ordinary user.
Most people see computers as a necessary nuisance, so when they receive a call from someone claiming that they're having trouble using the computer, they can sympathize with that caller. When that caller claims to be in a rush to complete a project before a looming deadline, they can once again understand the caller's frustration. And when that caller rattles off company phrases and names of corporate executives or projects with the familiarity of a long-time worker, most people accept the caller as legitimate.
So when that caller finally asks for help, whether it be for a telephone number to the computer or even a password to an account on the computer, most people are only too happy to help out what seems to be a fellow coworker. The trouble is that the caller might actually be a hacker using social engineering tactics to get you to volunteer valuable information that the hacker needs in order to break in and access a computer. The beauty of social engineering is that the hacker can get other people to help him without them ever knowing the hacker's ulterior motive. Even better, the hacker can get information just by picking up a phone. If one person fails to give him the information he needs, the hacker can just dial another number and talk to someone else until he eventually gets the type of information he wants.
Sometimes hackers practice reverse social engineering. Rather than call someone and try to get information out of them, reverse social engineering gets other people to call you and volunteer information on their own initiative.
One type of the reverse social engineering scam works by a hacker disrupting a network in a small but noticeable and obvious annoying manner. After sabotaging the network, the hacker posts his telephone number and name (usually not his real name) for all computer users to find. Inevitably, someone will call this telephone number, thinking that it leads to a computer administrator when it really belongs to the hacker.
At this point, the hacker requests certain information from the user, such as the user's account number or name and the accompanying password. The user who initiated the call isn't likely to suspect that the hacker is anyone but a helpful technician, so that person freely volunteers this information. Once the hacker gets this information, he can fix the problem that he created in the first place. The user is happy and the hacker has the information he needs to break into the computer.
To mask their own identity, some hackers are adept at mimicking different voices such as an older man or a young woman. By drastically altering their voice, hackers can often milk the same person for information without raising any suspicions.
Because they may only get one chance to break into a computer, hackers can afford to be patient. They can take days, weeks, or even months gathering information about a particular target from different sources so that they can talk about a company or computer with the jaded familiarity of someone who has worked there for years.
Talking to people over the phone has the advantage of hiding the hacker's appearance from sight. After all, if most people knew that the person who sounds like their boss is actually a twelve-year-old kid, they would definitely not give out any information.
However, social engineering over the phone has its limitations. You may want direct access to a computer, which means that you have to show up in person. Although deceiving someone in person takes a lot of confidence, most people never dream that someone standing right in front of them would deliberately lie about who they are or what they're doing, which means they'll be more likely to cooperate without questioning the hacker's true intentions.
When hackers use social engineering in person, they often masquerade as a consultant or temporary worker, since that explains the hacker's unfamiliarity with the building layout and their presence in the office in the first place. Once on the premises, hackers may simply scout the site to get more information about the company and the way it uses its computers. If the opportunity presents itself, hackers may access the computer directly, claiming to be security consultants or technicians.
Under the guise of repairing or maintaining the computer, the hacker may secretly install a back door to the computer so that they'll be able to access that computer after they leave. While wandering through an office, hackers may look for passwords taped to the sides of monitors or engage in shoulder surfing and peek over the shoulder of someone as they type in their password.
As an alternative to masquerading as someone else, hackers may simply get jobs working as night janitors. This gives them free access to all the office computers without the nuisance of other people getting in the way.
Whether the hackers do their social engineering over the phone or in person, the goal is still the same: Find a way into the computer, whether that way be through a password conveniently given to them by an unsuspecting worker or through direct physical access to the computer where they can shoulder-surf a password, find a password written on a slip of paper stuck to a monitor, or simply type and guess different passwords at the computer terminal itself.