Hewlett-Packard was founded in a one-car garage in San Mateo, CA by Bill Hewlett and David Packard, where they first produced a line of electronic test equipment.
From 2007 to 2013, HP was the world’s leading PC manufacturer.
However, in 2005, Hewlett-Packard was roiled by corporate infighting and management concerns that a board member was leaking insider information to the media.
HP Chairman, Patricia Dunn, was allegedly angered by a news story about HP’s long-term strategic plans.
In turn, the Chairwoman contracted a team of independent security experts to investigate board members and several journalists in order to identify the source of the information leak.
The problem was those security experts recruited private investigators who used a spying technique known as pretexting.
The pretexting involved investigators impersonating HP board members and nine journalists (including reporters for the New York Times and the Wall Street Journal) in order to obtain their phone records.
The way pretexting works is the “bad actor” uses a variety of tactics to get personal information.
For example, a pretexter may call and claim he’s from a survey firm and ask you a few questions.
When the pretexter has the information he wants, he uses it to call companies with whom you do business.
He pretends to be you or someone with authorized access to your account.
He might claim that he’s forgotten his account number or needs information about his account history.
In the case of HP, the people hired to investigate the board used a specific method of pretexting.
Using only the board members’ names and the last four digits of their social security numbers, the investigators were able to call up AT&T and convince them to provide access to detailed call records for the victims.
Though HP’s leadership claimed they hadn’t authorized these techniques, the fallout resulted in multiple resignations.
H.P. Chairwoman Patricia Dunn claimed she did not know beforehand the methods the investigators used to try to determine the source of the leak.
However, ultimately, board member George Keyworth was accused of being the source and resigned, although he continued to deny making unauthorized disclosures of confidential information to journalists.
It’s no secret that hackers use their technical expertise to attack computer systems and compromise sensitive data.
This type of malicious cyber hacking makes news all the time.
However, a social engineering attacker uses different tactics to skirt security protocols, often exploiting one weakness that is found in every company, humans.
In other words, using phone calls and other means of communication, these hackers trick people into handing over sensitive information.
Social engineering is a term that encompasses a broad spectrum of malicious activity so I want to share with you the top three methods of social engineering that attacks people and companies, focusing on human errors to give them the information they want.
Pretexting. This form of social engineering focuses on creating a good pretext or fake scenario, where the bad guy tries to steal the victims’ personal information.
In these types of attacks, the scammer usually says they need certain bits of information from their target to confirm their identity.
In actuality, they steal that data and use it to commit identity theft or to stage another attack.
For example, an attacker might impersonate a company’s IT services employee so that they can talk the company’s physical security team into letting them into the building.
The goal of a pretexting attack is to build a false sense of trust with the victim.
This method requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
The best way to avoid this is to always verify who is calling you and asking for detailed information.
If your company’s HR calls you to ask personal details, you should politely tell them you will call them back and then call the phone number you have for your HR to make sure it was them actually calling you in the first place.
Or, you can say you want to come by their office and share this information with them in person.
Phishing. This is the most common type of social engineering attack that occurs today.
The main goal of phishing attacks is to obtain personal information such as names, addresses and Social Security numbers.
In short, these criminals use shortened or misleading website links that redirect users to websites that are really phishing landing pages.
These malicious links are often delivered in e-mails or text message to the victims, and many contain spelling or grammar errors.
However, they all have the same goal of using fake websites to steal user login credentials and other personal information.
A recent phishing campaign used a compromised email account to send out fake emails.
The e-mails asked recipients to review a proposed document by clicking on an embedded URL.
That URL redirected users to a phishing page impersonating a Microsoft Office 365 login portal where users were duped into providing their login information.
The key to preventing this type of attack is to never click on a link that you aren’t familiar with or that doesn’t come from a trusted source.
Quid Pro Quo. These types of attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service or gift of goods.
One of the most common types of quid pro quo attacks that’s come out in recent years is when fraudsters impersonate the Social Security Administration.
These fake SSA personnel contact random individuals, inform them that there’s been a computer problem on their end and ask that those individuals to confirm their Social Security Number, all for the purpose of committing identity theft.
In similar cases, malicious actors set up fake SSA websites that say they can help users apply for new Social Security cards, but instead, simply steal their personal information.
Criminals who engage in social engineering attacks prey off of human psychology and curiosity in order to compromise their victim’s information.
With the human element being the key, it is up to companies and individuals to educate themselves on how criminals will try and trick them to get personal information.
