Social Engineering – A Matter of Trust

JaronH

In the world of cyber security, there is one very dangerous exploit that no anti-virus can ever detect, that no firewall can block, and that no complex password can ever protect a person from.  This one catastrophic flaw in security is enough to bring down large corporations and government agencies in mere seconds.  So what kind of security threat could possibly be that big?  Social Engineering.

Social Engineering is the art of manipulating people – usually through blind trust, habit, or curiosity – to either divulge what is seemingly innocent information or perform a rudimentary task.  Most of the time, people don’t realize they have even fallen victim to a Social Engineering attack until it is too late (assuming they ever find out!).

Most people are familiar with the popular forms of Social Engineering attacks.  For example, an email or phone call from your “bank” asking you to provide information they should already have or the ever-popular Nigerian Prince scam.  Just about any get-rich-quick plan that has been floating around in emails or even the “smilingly-innocent” Facebook games can be boiled down to a form of Social Engineering (Random fact: Did you know that all you need to pull a person’s credit report is their name and address?  Keep that in mind the next time you go to let a Facebook app access your personal information!).

A few days ago, I received a call from a man named “Tom” who works at the company that we will call “XYZ”.  I’ve never worked with Tom directly before this but he knew all of the people whom I’ve worked with and he knew many details about the project our business was doing for company “XYZ.”  The purpose of Tom’s call was to ask about a credit report that our business had processed for company “XYZ.”  Now, one of my job requirements is to help our customers with any problems so my instinct was to immediately help Tom out.  But here’s the problem: How do I know Tom really works for company “XYZ?”  Does Tom even have permission within company “XYZ” to discuss confidential credit information?

As much as I wanted to trust Tom, I couldn’t.  Caller ID’s can be faked and the information he had about the project could have been obtained through questionable means (namely, insecure emails).  As far as I knew, Tom could be trying to using a form of Social Engineering known as pretexting (the practice of getting your personal information under false pretenses ) to squeeze information out of me that could be used against either the individual whose credit report he was asking for, against company “XYZ,” or against our business.

The good news is that I was able to call my contact at company “XYZ” and verify that Tom was indeed in a position to request help from me (more on this later).  However, let’s assume Tom was trying to exploit me and look into areas where he would have been trying to exploit me through:

1)      Helpfulness:  He would have been trying to use my desire to help out a customer to gather confidential data!

2)      Trust: He would have been looking for me to trust that he really did work for company “XYZ” and that he had their best interest in mind.

Notice something?  The very things that make a good employee and support person – or just a nice person in general – can also be that person’s biggest weaknesses!  Let’s look at a few more, simpler cases of Social Engineering:

–          Holding the door:  You’re assuming that the person you are holding the door for is actually allowed in the building.

–          Piggybacking:  Letting someone who “locked themselves out” or “forgot their ID” inside the building.

–          Dumpster Diving:  If you don’t shred documents or destroy hard drives properly, anyone can get your confidential data out of the trash.

–          Curiosity/Learning (AKA Baiting):  “Let’s see what’s on this CD…”, “Let me try this application…”, “I’ll open this document/url…” – All of these are famous last words before unknowingly installing a virus or malware!

–          Diversion:  Persuading a person responsible for a legitimate delivery that the package they are delivering (data or physical) is to be delivered to an alternate location through a last minute decision the company had made.

–          Email: Most people don’t realize that all of their emails bounce from server-to-server in plain text and can be easily snooped.

Notice that all of the above examples do require an element of trust or false sense of security.  So, how do we get around this?  Simple: Don’t blindly trust anyone.  Now this solution sounds easy but how can you do this practically in the real world?

In IT, one of the most reliable forms of security is a process known as Pretty Good Privacy (PGP).  It is a complex security protocol that essentially requires a form of trust in order to allow a recipient to access its encrypted payload.  Prior to exchanging any secure data, the two parties involved will exchange what are known as “keys.”  The purpose of this is so that two key’s are required to “open” (decrypt) any secure file exchanged between the two parties.  Those key’s are:

1)      The sender’s public key (we’ll call the sender “George”):  This is the key that George presents to the individuals who are authorized to decrypt his encrypted data.  This way, since George’s private key was used to “lock” the file, his public key is required to “unlock” it.

2)       The recipient’s private key (we’ll call the recipient “Sam”):  This is the key that only Sam will possess, which will unlock anything that was locked by his public key.

As a result, George knows that Sam is the only one who can unlock the file since Sam is the only one who has the matching private key.  Likewise, Sam knows the file is from George because the file can only be unlocked using George’s public key (and only George has the matching private key required lock the file in the first place).

Why did I mention this?  Because the basic principle behind this security is also the best way to establish trust and therefore minimize the chance of being exploited through Social Engineering.  This is because your trust is based on:

–           Something you have (i.e. George’s public key)

–          Something you know (i.e.  Sam’s private key)

Going back to my case with Tom, before I could help him, I had to be sure he was who he claimed to be.  My processes of authenticating Tom went like this:

1)      Something I know:  I called up my contact at company “XYZ” and verified that Tom worked for them and that he was authorized to look into this case.

2)      Something I have:  I then asked my contact for Tom’s contact information so that *I* could call him.

The last step is just as important as the first one.  Why?  Because even though Tom (the one who worked for company XYZ) passed step one, there is no guarantee that the person I talked to was that Tom.  However, since I was the one calling him, I knew that I was talking to the correct Tom.  Therefore, I was able to address his problem and work with him in confidence.

Further reading:  http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/1   This details how the hacking group Anonymous used simpl attacks and social engineering to take down the entire Federal branch of the computer security company HBGary.

Technology in Construction & Manufacturing: Why It’s More Than Just Device Management

January 20, 2026
Modern construction and manufacturing sites are no longer just about heavy machinery; they’re digital ecosystems. Tablets, laptops, IoT sensors, and mobile apps are now essential for everything from blueprint access to production monitoring. These tools enable real-time collaboration, safety compliance, and operational efficiency. But when your workforce is spread across remote job sites or large facilities, keeping these systems connected and secure becomes a challenge. Construction Blueprint & Plan Access: Crews use tablets to view updated plans on-site, reducing errors and rework. Safety & Compliance Reporting: Mobile apps allow instant incident reporting and safety checks. Equipment Tracking: IoT sensors monitor heavy machinery usage and maintenance needs. Manufacturing Production Line Monitoring: Tablets and IoT devices track throughput and detect anomalies. Quality Control: Mobile devices capture and share inspection data in real time. Inventory Management: Connected devices streamline material tracking and reduce downtime. These tools keep projects moving, but only if they’re secure, updated, and accessible anywhere. Why Remote Access Is Critical Construction sites and manufacturing plants often operate in remote or rugged environments. Workers need secure, reliable access to company systems, whether they’re in the field, on the shop floor, or traveling between sites. Without proper management, connectivity issues and security gaps can lead to delays, data breaches, and compliance failures. How a Managed IT Services Partner Helps You Win Partnering with a Managed IT Services provider lik e Eberly Systems ensures: Centralized Device Management: Configure, update, and secure all devices remotely using Microsoft Intune. Enterprise-Grade Security: Microsoft Defender protects against threats across IT and OT environments. Identity & Access Control: Microsoft Entra ID enables MFA and conditional access for subcontractors and BYOD scenarios. 24/7 Monitoring & Support: Proactive threat detection and performance monitoring keep operations running smoothly. Scalable Solutions: Whether you have 50 devices or 500, policies and updates roll out automatically. This means your teams can access critical tools and data securely anytime, anywhere, without worrying about downtime or cyber risks. Construction and manufacturing thrive on precision and speed. Technology makes that possible, but only when it’s managed effectively. A trusted Managed IT Services partner doesn’t just keep devices secure, it keeps your business moving, your workforce connected, and your data protected. Ready to empower your teams and safeguard your operations? Contact Eberly Systems today for a free consultation.

In-the-Field Device Management: Why It Matters for Your Business

By Guest Blogger December 9, 2025
Why Device Management Is Critical

SECURITY NOTICE: Calendar Phishing - A New Way Hackers Try to Trick You

November 25, 2025
What Is Calendar Phishing?

Cybersecurity Hygiene 101: What Every SMB Should Be Doing

November 4, 2025
Why Cybersecurity Hygiene Matters for SMBs

Leading with AI: How SMBs Can Leverage Artificial Intelligence to Strengthen Every Critical IT Role

October 28, 2025
Why Leading with AI Matters for Small and Medium-Sized Businesses

SECURITY NOTICE: Fake CAPTCHA

October 10, 2025
Fake CAPTCHA Sites Hijack Clipboard to Install Malware

SECURITY NOTICE: Business Email Compromise

October 10, 2025
Understanding Business Email Compromise (BEC)

The Cyber Cold War: How Global Tensions Are Reshaping the Digital Battlefield

By Kordel Eberly August 17, 2025
Welcome to the Cyber Cold War
fish hook

Catching the Big Phish

By Eberly Systems September 20, 2024
We're all in the same boat trying to avoid cybercrime! Here's our top ways to identify a potential phishing attempt.

Key Notes from the Security Team: Q3 2024

By Eberly Systems September 10, 2024
Focus on integrating with new team members and new customers