Impersonation – CompTIA Security+ SY0-401: 3.3


Impersonation is the foundation of social engineering. In this video, you’ll learn how the bad guys use impersonation to circumvent your security technologies.

<< Previous Video: TailgatingNext: Hoaxes >>


A bad guy who is very, very good at social engineering will also be very, very good at impersonation. He wants to pretend that he’s somebody he’s not, whether he’s walking into an organization by tailgating in and pretending he is somebody with a telecommunications company, or whether he’s on the phone to you pretending he’s somebody with the help desk. They now have a way to pretend that they are somebody that you should trust. And that is really the key.

You’re getting information from your dumpster diving. You’re getting information from some of the phishing that’s gone on or from a third party, and you’re calling up and saying, hi, I’m from the help desk. Hi, I know who you are. Hi, I work in this building or you’re giving some specific details that would provide some level of trust.

You want to also consider that the people impersonating may be getting these attacks and they may be talking to you as somebody who’s higher in rank. Well, I’m your boss’ boss. I’m in charge of the entire internal audit organization so you better help me with this information that I’m looking for. So don’t be intimidated by these things if somebody calls. There’s nothing wrong with verifying that. And if they are from internal audit, maybe they’d appreciate somebody would be checking in on who that might be and make sure that they are legitimate.

Sometimes if you’re calling you can throw a bunch of technical details around. Well, we’re having problems with your computer because we’re having catastrophic feedback due to the depolarization of the differential magnetometer. So we need to resolve this issue so I need your password. So if you’re able to confuse somebody with a lot of technical jargon can sometimes get them to oh, I had no idea there was a depolarization of the thing. Here’s my details for logging in so maybe you can fix that.

And of course, just be a buddy. If you want to impersonate somebody, talk about what happened yesterday. How about that problem that we had in the building? Hey, did you watch the game last night? Did you see our local team that did this particular thing? And it makes you sound like you’re right there in the building with them even though you may be thousands of miles away, trying to hack into their organization.

The bad guys will try to fool you into giving up your personal details. So as a rule of thumb, never give out personal information. Don’t give out your username. Don’t give out your password. Don’t give out telephone numbers or email addresses. It’s just something you should keep in mind when somebody’s talking to you over the phone.

Somebody from the help desk doesn’t need your password. They have access to whatever they need to gain access to without having your specific login credentials. Also don’t disclose any personal details about where you work, departments, what you do, name, last name.

Those types of things can be used later on when you can call the next person on your list and say, I was just talking with Mary in accounting. She was telling me that she was having problems as well. And by gaining more information, it can make somebody else trust them just a little bit more.

You should always verify. There should be third parties, an intranet page, a phone list. Oh really? Let me call you back at the help desk and we can take care of that. Let me call you from another phone.

So you can try to verify this based on these people that are calling. And if you can call them back and verify that it’s an internal number, it’s something you can verify, then you can trust the person you might be talking to. In most organizations, verification should be something that’s encouraged.

It should be part of your security policy. It should be part of the normal things that you do. And if you have this as a standard set of operating practices in your organization, nobody’s going to be mad that you were checked on to get security. It’s something that’s accepted. And if you’re going to stop the impersonators, you need to set up this corporate culture of verifying before any private information is given out.