What is Impersonation in Social Engineering?


No matter how secure a system is, there's always a way to break in. Hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people  – who are often the easiest to manipulate and deceive. 

Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.

The social engineer "impersonates" or plays the role of someone you are likely to trust or obey convincingly enough to fool you into allowing access to your office, to information, or to your information systems. This type of social engineering plays on our natural tendencies to believe that people are who they say they are, and to follow instructions when asked by an authority figure. It involves the conscious manipulation of a victim to obtain information without the individual realizing that a security breach is occurring. 

Impersonation requires a lot of preparation, so it occurs less often than other forms of social engineering. Social engineers prefer the more anonymous phone or email approach over appearing in person. Done well, however, nobody ever knows that the impersonator was ever there. To the people they spoke to, they were just another individual in a non-stop stream, although perhaps just a bit nicer than the run-of-the-mill grump.

Roles of the impersonator

Some common roles that may be played in impersonation attacks include: a repairman, a meter reader, IT support, a manager, a trusted third party (an auditor, for example), or a fellow employee. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most people want to help, so they will bend over backwards to provide the required information (or access) to anyone with authority. 

These tricks work because we all regularly interact with people we don't know. It's human nature to trust credentials – a badge or a uniform – but they can be forged. We trust uniforms, even though we know that anyone can wear one. And when we visit a website, for example, we use the professional appearance of the page to judge whether or not it's really legitimate -- never mind that anyone can cut and paste graphics. In the same way, we have a tendency to automatically trust someone in authority.

Common social engineering roles:

  • Posing as a fellow employee
  • An employee of a vendor or partner company, or auditor
  • As a new employee requesting help
  • Pretending to be from a remote office and asking for email access locally
  • As someone in authority
  • A system manufacturer offering a system update or patch

Impersonators do their homework

Impersonation works best when the social engineer gives a convincing performance, complete with the proper technical jargon or other insider information. Impersonators do their homework. They come armed with:

  • A uniform
  • An ID badge
  • A fake or forged business card
  • Insider information
  • Names and details about employees

Once inside the building, impersonators will look for opportunities to:

  • Learn more about the organization and its employees
  • Eavesdrop on employee conversations
  • Shoulder surf to uncover passwords or pins
  • Steal documents, equipment, or other items of value
  • Gain access to computers, copy or fax machines
  • Sabotage the network

There are some warning signs of an attack. Pay special attention to:

  • Out-of-ordinary requests
  • Claims of authority
  • Stressed urgency
  • Threats of negative consequences of non-compliance
  • Displays of discomfort when questioned
  • Name dropping
  • Compliments or flattery
  • Flirting

Before releasing any information to anyone, it's essential to at least establish:

  • the sensitivity of the information
  • your authority to exchange or release the information
  • the real identity of the third party (positive identification)
  • the purpose of the exchange

Countermeasures for impersonation attempts

Verification is the key.  A social engineer's goal is to fit in with the crowd - to look like someone who should be there.  They may be disguised as any number of people who frequent your organization and, because they look like they belong, your best defense is being alert and asking someone in authority if they should be there.  Always verify the identity of anyone who shouldn't be allowed inside your organization.

These helpful tips are provided by www.infosightinc.com, an information security consultancy working to help ensure the privacy and security of your corporate, personal and financial information.