4/6/2011 -- "Social engineering" is a popular buzzword in IT security these days, and with the upcoming release of the SY0-301 version of the CompTIA Security+ exam, the topic moves even further into the forefront. This visual guide, based on the definitions in the Security+ Study Guide, 5th Edition, illustrates five of the most common types of social engineering.
One of the best things about most of these attacks is that the name telegraphs the predicament. As an IT administrator, you cannot stop someone from trying these tactics against your company, but educating users about them is the best way to keep them from succeeding. The more aware users are of these tactics and the harm they can do, the more likely they are to help thwart them.
Tailgating
"Tailgating" involves following someone so closely that when they badge through a door you don't have access to, you slip in behind them without ever authenticating. The picture illustrates one way of pulling this off: having your hands full, so that the person you are following feels guilty if they don't hold the door. Nobody expects an intruder to be carrying things into the place they are sneaking into, which makes it less likely that you will recognize them as one. The intruder in this image is carrying a heavy box, but a case of water, an unwieldy package, or almost anything else that would make a normal person feel guilty for not offering the simplest form of assistance (holding the door) works just as well.
An administrator should educate users never to hold a secured door for anyone and never to let tailgating occur, but there are countless situations in which they might let their guard down. What if the intruder is on crutches? In a wheelchair? Dressed like the delivery man?
NOTE: Any time the intruder pretends to be someone they are not -- the delivery man, a security guard, the new vice president -- it constitutes impersonation.
Social engineering always exploits people's trust and helpfulness, and getting into a place where an intruder should not be is one of the first steps toward reaching data that is supposed to be off-limits.
Shoulder Surfing
"Shoulder surfing" involves looking over someone's shoulder while they work. The intruder hopes to pick up information such as usernames or passwords that they can then use to access the system as that person. The miscreant can't always be present during a login to watch the credentials being typed, but plenty of other intercepted data can be damaging as well: payroll information, e-mail addresses of key personnel, and so on. Users should not position their monitors where this is easy to do, and privacy filters help on laptop screens, but users also need to understand that the attack can happen away from the desk: in any public place where they sit with a laptop, in hotel business centers, and so on.
Dumpster Diving
To appreciate the ramifications of a "dumpster diving" attack, think for a moment about all the information that goes into the trash. If an attacker can find a list of employees, they have gathered half of what is needed to get through a username/password authentication scheme: usernames rarely follow anything other than the first initial of the first name plus the full last name, or the first initials of the first and middle names plus the full last name.
If a user scribbled a new password on a piece of paper and kept it only until they had memorized the string, the attacker has found a goldmine. Even without the password itself, the attacker may find the names of things associated with a user or users, which are often the basis for what becomes the password.
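As an added example (not code from the article or the Study Guide), the following Python script turns the two naming conventions just described into username guesses and checks them against an account directory, so an administrator can see how many accounts a discarded staff list would expose. The staff list and directory are constructed sample data, and the two conventions above are the only ones it tries.

```python
"""Enumerate candidate usernames from a list of employee names.

Added example, not part of the original article. The two naming
conventions are the ones the article describes (first initial + last
name, and first + middle initials + last name); the staff list and the
directory of real accounts below are constructed sample data.
"""
import unicodedata


def _normalize(part: str) -> str:
    """Lower-case an ASCII-folded name part, dropping hyphens/apostrophes."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalpha())


def candidate_usernames(full_name: str) -> list[str]:
    """Return the username guesses for one person, most likely first."""
    parts = [_normalize(p) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    middles = parts[1:-1]
    guesses = [first[0] + last]                          # jsmith
    if middles:
        guesses.append(first[0] + middles[0][0] + last)  # jqsmith
    return guesses


def predictable_accounts(names, directory):
    """Map each real account that one of the guesses hits back to the name."""
    directory = set(directory)
    hits = {}
    for name in names:
        for guess in candidate_usernames(name):
            if guess in directory:
                hits[guess] = name
                break
    return hits


# Constructed sample data: a staff list from the trash, and the real directory
STAFF_LIST = ["Mary Ann Jones", "José Álvarez", "Peter O'Brien", "Madonna"]
DIRECTORY = ["mjones", "jalvarez", "pobrien", "admin", "svc_backup"]

if __name__ == "__main__":
    hits = predictable_accounts(STAFF_LIST, DIRECTORY)
    for user, name in sorted(hits.items()):
        print(f"{user:12} <- {name}")
    print(f"{len(hits)} of {len(DIRECTORY)} accounts guessable from the staff list")
```

Run against your own directory export, the hit count is a direct measure of how much a leaked org chart is worth to an attacker; the remedy is not a stranger username scheme (those leak too) but making the password half of the pair strong and rate-limiting guesses.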
In a completely different vein from authentication information, it may be possible to gain information about customers and suppliers, all of whom can be targeted for attacks or smears. What if the attacker pretends to be a representative of your company, contacts customers armed with what the dumpster dive has uncovered, and begins harassing them in an attempt to jeopardize your relationship? What if they publish the data they found on the Web for all to see?
An easy solution is to shred and destroy all paper documentation before it leaves the building; a cross-cut shredder, rather than a strip-cut one, makes reconstruction impractical. It may keep the Cub Scout pack from using your paper in their recycling fundraiser, but it also keeps your company a lot safer.
Phishing
"Phishing" involves trying to collect important, sensitive information from a user over the Internet. One of the most common approaches is to contact a user, tell them something is wrong with their account, and direct them to a site where they must verify their information to correct the problem. The messages often appear to come from a legitimate company -- PayPal, eBay and Wells Fargo are commonly imitated -- but the links in the message actually take the user to a bogus site where their username, password and anything else they willingly provide (credit card numbers, date of birth, etc.) can be collected. The text of a link and its real destination are independent in an HTML message, so users should hover over a link and compare the two before clicking, or better still, type the company's address in themselves.
The example in the figure is a variation on the standard attack: it is made to look as if the user submitted an order and there is a problem with it.
The attacker hopes the user will go to the site to report that they placed no such order. There, the site attempts to collect as much information as possible, which the attacker then exploits. Even a user who visits the site and immediately leaves has served a purpose: the visit (typically tracked through a unique token in the link) confirms that the message reached a valid e-mail address and a live reader, which makes that address worth targeting again. Users should be well educated on all aspects of phishing and instructed not to respond to such attempts in any way: not by clicking, not by replying, and not by calling a number given in the message.
A number of variations of phishing exist, including vishing (the same lure delivered by phone or voice mail), spear phishing (a message tailored to a specific person or organization) and whaling (spear phishing aimed at executives and other high-value targets).
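The displayed text of a link and its real destination are separate things in HTML e-mail, which is exactly what the lure relies on. As an added example that is not part of the original article, this Python script flags anchors whose visible text names a different site than the href, or whose target is a raw IP address. The message body is a constructed sample, and the "last two labels" approximation of a registrable domain is an assumption (a real mail filter would use the Public Suffix List).

```python
"""Flag anchors in an HTML e-mail whose visible text points somewhere
other than the link target.

Added example, not from the original article. The message body below is
a constructed sample; the "last two labels" approximation of the
registrable domain is an assumption (production code would use the
Public Suffix List).
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit
import ipaddress
import re

# A URL or bare domain name as it might appear in link text
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def host_of(text: str) -> Optional[str]:
    """Extract a lower-cased host from a URL or bare domain in text, else None."""
    m = URL_LIKE.search(text)
    if not m:
        return None
    candidate = m.group(0)
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").lower() or None


def site_of(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return anchors whose real target disagrees with what the user sees."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = (urlsplit(href).hostname or "").lower()
        if not target:          # relative or malformed href: nothing to compare
            continue
        reasons = []
        try:
            ipaddress.ip_address(target)
            reasons.append("raw IP address as link target")
        except ValueError:
            pass
        shown = host_of(text)
        if shown and site_of(shown) != site_of(target):
            reasons.append(f"text shows {shown} but link goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: an "order problem" lure of the kind the article describes
SAMPLE_EMAIL = """
<p>We could not process order #48213. Review it at
<a href="http://paypal.com.account-verify.example.net/login">https://www.paypal.com/myaccount</a>
or call support. Unsubscribe <a href="https://www.paypal.com/unsub">here</a>.
<a href="http://203.0.113.7/confirm">Confirm order</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"{f['href']}\n  shown as: {f['text']!r}\n  {'; '.join(f['reasons'])}")
```

The first anchor is the classic trick of putting the trusted brand at the front of a long hostname that actually belongs to example.net; the second is a genuine link and is left alone; the third is flagged only because a legitimate company does not send customers to a bare IP address.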
Hoaxes
A "hoax" preys on fear. Users constantly hear about viruses, worms and other malware that can damage their data, and sometimes the threats are not real at all but fabrications intended to alarm them. The miscreant may simply delight in seeing the panic spread and take joy in knowing they caused such alarm, or they may have another motive.
That other motive may be profit or a desire to do even more harm. As an example, suppose a hoax spreads rampantly that the new dulaney64 virus is on the loose and will instantly and completely wipe any infected hard drive. The only known way to stop it is to install the KeepSafe Anti-Dulaney package, which can be downloaded for $20 from the same entity that spread the hoax. The hoax here is simply a way to drum up business and make money from those naive enough to fall for it; the software purchased serves no real purpose.
Far more disastrous is spreading the same hoax but making KeepSafe real malware, even giving it away for free. The susceptible hear of the dangers of dulaney64 (which does not exist) and rush to install KeepSafe to protect themselves. Once KeepSafe is on a machine, it begins its malicious work, which could include deleting files, altering data, acting as adware or spyware, spreading across the network to every PC it can find, or any number of other possibilities.
Hoaxes are particularly tricky to combat. You want users to know the dangers that exist in IT, and the best way is to make them aware of what is out there, but that very awareness can make them quick to react the moment they hear of a new threat and innocently fall for the hoax. The best solution is to have users contact you immediately when they hear of or fear a potential threat, and to take no other action without your direction.
Summary
The five social engineering types discussed here are far from all that exist, but they are the most common. The key to minimizing their impact on your environment lies in educating your users. Regularly remind them of the dangers each represents, and encourage them to come to you or other members of the IT staff with any and all questions.