Being an ordinary employee in a company does not make you “invulnerable” to social engineering attacks. Information about the company that you deem to be of no value might be viewed differently by a criminal.
For example, if Alice is an employee of a company, a criminal might use her as leverage to work his way up the organizational chart toward his intended goal, such as information on executives, the CEO, or the company's assets.
Criminals who employ social engineering to steal information would most likely work on the victim’s emotions to gain that information.
With Alice as a low-level employee, emotions that might be preyed upon include:
The fear of having to answer to a higher authority for messing up a supposedly intended event.
A newsletter by Social-Engineer.org describes the following scenario:
"The social engineer needs to gain access to the server room and to do it he needs to get past the secretary. Of course, he can “lie” his way past and that may work. But to give a better chance at success he knows that if he can engage his target's emotions she may do what she is asked more easily.
He determines to use a pretext that he was called by a frantic CFO who had left earlier that Friday morning for a weekend vacation. He tried to issue the month end’s reports but there was a server issue. On his way out he called the support company and told them if they wanted to keep the contract that they must come now and fix it."
In this scenario, the social engineer preyed upon the employee’s fear of not only losing the contract but also having to answer to the CFO if anything were to go south.
The human nature of being helpful to a person in distress.
Social-Engineer.org has a video (search “Lightning SE Video”) that shows a man who got a security guard to unlock his hotel room without any proof of ID.
This is not a perfect example, as it does not relate back to the corporate level. But it goes to show that with well-placed props, and perhaps the right amount of distress, getting help from overly helpful employees for anything from gaining access to restricted areas to obtaining confidential information is possible.
These are just a few examples of human emotions being played upon to help a social engineer gain information that is otherwise not authorized for the public. What are some other emotions that you guys can think of?