bCentral Home

Social engineering

How the way we think makes us more vulnerable

The last couple of weeks have seen the re-emergence of an old friend, the Sober worm. At one point it was responsible for nearly five percent of all internet traffic.

It works like this: you get an email promising free tickets to the 2006 World Cup. You click on the attachment. It infects your computer, switches off your firewall and starts spamming everyone in your address book with copies of itself.

It does not attack the following types of users:

Anyone who has recently updated their computer at the Windows Update site

Anyone with antivirus software that has been updated since the virus was identified

Anyone who doesn't click on the attachment

The last point is the most remarkable. It's the oldest trick in the book and yet people fall for it again and again. Manipulating people into doing things like this that are not in their best interest is social engineering. And it's on the rise.

Target: Instant Messaging

The newest arena for social engineering is Instant Messaging (IM). This includes programs like MSN Messenger, AOL Instant Messenger, Windows Messenger and Yahoo! Messenger.

Threats that exploit IM have tripled in the first three months of this year, according to IMlogic, a company that specialises in securing IM. Most of them use social engineering techniques. For example, some worms pretend to chat to users before infecting them.

As with the Sober.p emails, most IM attacks require users to click on something to initiate the infection.

On one level, it's easy to understand how people fall victim to social engineering. Who doesn't like the idea of getting something for free? Fear, guilt and greed are powerful motivators, easily capable of overriding rationality. But in a larger sense, it is simply unbelievable that people fall for such low-level scams as the Sober.p worm.

I have a suspicion why this keeps happening. I recently observed two focus groups where eight users discussed their attitudes to security. At the beginning they were all asked how competent they thought they were at dealing with security issues. Almost all of them gave themselves seven or eight out of ten.

As the discussion went on, it became clear that the best of them was a five, and the majority knew even less. They thought they were better informed, better protected and savvier than they actually were.

It wasn't that they were stupid, it's just that they underestimated the risks and overestimated their chances of avoiding them. If you knew all the speed cameras were switched off, wouldn't you be tempted to drive a little faster?

As Woody Allen once said, I'd like to leave you on a positive note, but would two negative ones do instead? This week has convinced me that the biggest security problem is in people's brains. Unless behaviour starts to change, we're going to see a lot more "free world cup tickets" in future. Quite simply, when it comes to geeks bearing gifts, it pays to be paranoid.

Matthew Stibbe writes a new column every fortnight. Sign up to our security bulletin to read them.
