Social engineering

Showing revision 5
Contrary to popular belief, most computer break-ins do not come about because the cracker has special software, computer equipment, or special knowledge. They happen because the cracker was able to obtain sensitive information from some weak point in the chain of information, usually from unaware people.

Social engineering is this art of conning a naive person into revealing sensitive data. A common approach is dumpster-diving for a piece of paper with a username and password on it. Another ploy is to obtain a username through a similar method and call a secretary or low-level bureaucrat on the telephone, posing as that person (or as the systems administrator) and requesting a password change or feigning a forgotten password.

The most common ploy has become tricking the user into thinking the caller is an administrator and requesting the password "for debugging purposes". Users of Internet systems frequently receive messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign-sounding operation. Users of these systems must be warned early and frequently not to divulge sensitive information, passwords or otherwise, to people claiming to be administrators. In reality, administrators of computer systems rarely, if ever, need to know the user's password to perform administrative tasks.

Edited July 29, 2001 1:15 pm by 65.66.71.xxx