How To Explain Social Engineering To A Five-Year-Old

Social – Interacting with other people and living in communities. Engineering – Skilful manoeuvring or direction.

Put them together and what have you got? Social engineering – a major security threat to businesses all around the globe. But what exactly is it? Here’s what the IT security specialists had to say:

Tony Neate, CEO, Get Safe Online

“Social engineering is like tricking someone into doing something because you know a secret about them. A wicked witch knows children love eating sweeties and so she makes a gingerbread house out of them and pretends she is a nice old lady to trick little children, like Hansel and Gretel, into going inside.

“Like the witch, even people in the real world sometimes pretend that they are somebody else to trick innocent people into trusting them. They do this to try and make people share information which they can then use to upset them, like stealing their money or giving their computer a nasty virus.”

Kevin Epstein, VP Advanced Security and Governance at Proofpoint

“Bad people try to trick you. Imagine someone wants to get into your house, to steal things. If they look like a burglar, and break a window, everyone knows they’re bad, and so you call the police quickly and catch them. But what if they were dressed up like a repair person, and knocked on your front door, and said: ‘I’m here to fix the gas, will you let me in?’. You’d probably let them in, and they’d steal things.”

Kevin Kennedy, VP Product Management at Agari

“Social engineering is how the bad guys use your hopes, fears, and trust to get you to give away secrets or break your computer. It’s like when your big brother or sister sneakily convinces you to do something which you know is a bad idea, but you just can’t quite help yourself!

“It could look like a message from your best friend suggesting you check out a fun app. Or your favourite game telling you how to download a great new game. Or an advert on Facebook offering your big sister discounted tickets to see One Direction. They’re tricking you into revealing your secrets, but they look so real that the first clue they’re not will be when you see a post claiming to be from you on a friend’s Facebook wall, trying to break their computer!”

Fraser Kyne, principal systems engineer, Bromium

“Social engineering is a bit like those notes that get passed around in class. The note may say ‘do this’ or ‘say that’ or ‘meet me here at lunch’. You think the note is from your friend, but you didn’t see who passed it to you, so you can’t be sure. You could give it to Mummy and Daddy [IT security] but in reality they don’t really know if it’s good or bad either – and you know that they’d stop you from doing fun stuff. So it’s probably best to get someone else to open the note and do what it says, to see if they get into trouble. Or you could create a virtual copy of yourself who is safe to open notes and do whatever they say in them…but let’s wait until you’re a bit older to explain how that works.”

Dan Lohrmann, chief strategist and CSO at Security Mentor, and former CISO and CSO of the State of Michigan

“When you connect to the Internet, there are many different pictures and words that try to get your attention. Whether you see fun flashing pictures, or helpful maps, games or email notes from your friends and family, most of these objects are good things that help us to learn or to have fun and communicate with others.

“However, there are bad people online who try to trick us and get us to click on things that can hurt us. They use a process called ‘social engineering’ to get you to do things that are bad for you. It is important to be trained to know the good from the bad. One rule that is helpful is to only chat with people that you know and trust. Another tip is to have your parents help you select games and other ‘apps’ that are safe. Be alert and watch out for the bad guys.”

Geoff Sanders, Co-Founder and CEO of LaunchKey

“Social engineering is just a fancy term for tricking someone into doing or revealing something unintended through social, rather than technical means, such as through a casual conversation or phone call. It’s kind of like when a parent asks their kid, ‘how did you enjoy that movie with Kelly last night?’ Unfortunately, the kid was supposed to be studying for a test with Johnny, but the parent’s cleverly worded question resulted in their kid revealing that they, in fact, skipped the movie and what their actual activities were.”

Ken Westin, senior security analyst, Tripwire

“Remember when I told you that eating your vegetables would make you strong? That was social engineering.

“Remember when I told you that if you didn’t stay in bed and take your nap, the monster under the bed would eat your toes? That was social engineering.

“Remember when I convinced you that I ‘got your nose’ and told you could get it back after you finished your milk? That was social engineering.

“Remember that one time you wanted candy, so you hugged your mom and made a cute face and got it? That was social engineering.”

Piers Wilson, head of product management at Huntsman Security

“Social engineering is when somebody tells lies to get you to believe they are someone else or to get you to tell them your secrets. They might pretend to be your friend, or someone your mum and dad know and be all cunning so that you believe them. They might phone you up, or send you an email or even just text you. They might tell you that you’ve won a great prize like free chocolate for a year or that they need your help or that they found a really cool website with Minecraft videos on it. But it’s a lie. They don’t know you, or your family, and the prize, or website or help they want isn’t real – it’s just a trick; but if you are smart you’ll spot this and just ignore them or delete the message. They are just big fibbers.”

Alastair Paterson, CEO of Digital Shadows

“Social engineering is the manipulation of an individual that can be used, among other things, to obtain confidential information about a company or its employees for malicious intent. The adversary behind these attacks are often unrelenting in their pursuit to steal, compromise or destroy critical assets that have financial, operational, intellectual, confidential or reputational value. They will use a variety of different methods to get at this information including approaching via social networks, fake emails and face-to-face contact.

“It is hard for organisations to guard against these attacks since humans are any organisation’s weakest link, but they need to know when any information has been compromised. This means cyber situational awareness that includes continuous monitoring of the global, deep and dark web, so they can gain real time alerts to potential threats, including instances of sensitive data loss or compromised brand integrity. This can help mitigate against the consequences of social engineering.”

Amichai Shulman, CTO of Imperva

“Social engineering is the way to talk people or persuade them in a subtle way to do things they would otherwise consider wrong or against their best interest. It is kind of like your parents trying to feed you spinach as a kid. Of course if they tell you ‘eat your spinach’ you’d be shutting your mouth stubbornly. But your mother has this trick of leaving a plate of meatball shaped stuff on the table and saying you something like ‘Dad is on his way from work and I left him his favourite super power snack on the table – make sure your brothers don’t eat any of it’. In the case most children would probably wait until mom is out of sight and instantly finish it just to spite! This same type of trick is used by hackers through specially crafted email messages to encourage unsuspecting victims to download and execute malware.”

Mark James, security specialist at IT security firm ESET

“Social Engineering is when someone on your computer who says they are your friend tries to trick you into doing something that could end up being bad or something mummy or daddy would not like you doing. Always make sure your parents are aware of anyone wanting to be your friend and never ever meet anyone without them present. People on your computer or tablet can say anything they like to try and build a friendship with you. Not talking to strangers is just as important online as it is in the park and do not rely on a picture as proof of their age.”

Troy Gill, manager of security research at AppRiver

“Social engineering is the art of getting people to do want you want them to do. Hackers typically attempt to exploit some piece of technology to break in an organisation, Social engineering on the other hand, targets humans. Someone using social engineering might call a company while pretending to be another employee of the company and attempt to trick the employee to giving them their password. Much of the time they will make up a story that gives a sense of urgency to the situation so that the victim is forced to make a rushed decision. Another thing social engineering often relies upon is that fact that most people want to be helpful. For example, someone (who doesn’t belong there) just walking up to the door of a secure building would most often not be granted access. However, that same person carrying a large heavy box would often have the door held open for him by an employee just aiming to be helpful.”

Imperva, this time from Mark Kraynak, CPO

“Social Engineering is what happens when someone you don’t know tries to get you to do something dangerous. It happens in the physical world just as much as the online world. The best example would be if you are at the park with your parent or babysitter and someone you don’t know approaches you and tries to get you to go with them or wants information about you, like where you live. They might even have a good story to convince you or offer you candy or ask you to come see their new puppy. Unless your parent or baby sitter knows about it and says it’s okay, you should not go. Social engineering is the same thing, but instead of being at the park, the stranger is approaching you in email and trying to get you to go somewhere online or give them information about yourself (like your password) that you shouldn’t give them.”

Gavin Reid, VP of threat intelligence, Lancope

“Social engineering manipulates people’s natural inclinations to make them act or do a certain thing the person doing the manipulation is interested in. It by no means is anything that is mainly or started with security. Nor is always negative – it is a huge part of normal human interaction. Social engineering is the babies cry when it wants attention or the large happy smile a patron receives from a waiter. In the world of cyber crime con artists have taken advantage of some of the normal human feelings to push people into doing things they shouldn’t. One example would be using peoples good nature against them in fraudulent schemes to supposedly help a friend in need. Another popular scam is to dangle something valuable in front of people in hopes that their greed clouds their better judgement and allows the criminal to defraud them. This has been part of the human condition forever – what the internet has allowed for is connecting con artists to their prey on a massive scale.”

How much do you know about hacking and computer viruses? Take our quiz!