Here's a short intro to the idea of social engineering. Criticism is welcome.
______________________________________________________________________________

People acquainted with the world of computers often wonder how much technical experience a hacker needs to steal passwords. The sad truth: none. Anybody trained in SOCIAL ENGINEERING can simply call someone up and ask for a password.

Take the following example. A hacker wants administrative access to a competitor's web site. He knows the site is part of the SUPERSITE NETWORKS, a free hosting company. He also knows that the competitor is a SirenAlert Firewall customer. To get the password, he goes through the following steps:

He begins by signing up an e-mail address under the name of SUPERSITE SECURITY. He has it cleverly (and illegally) disguised as a SUPERSITE IT office. Now for the social engineering kill. His first letter:

Dear SUPERSITE customer,
On 8/13/04 a computer with your IP address gained illegal access to confidential database files. Your site will be suspended from the SUPERSITE NETWORK for 365 days, until 8/13/05. If there is some mistake please contact us at SUPERSITESECURITY@itpros.com

Sincerely,
David Chang
SUPERSITE Security Manager

His second letter:

Dear SUPERSITE customer,
On 8/17/04 your computer attempted to access a confidential database file. This is your second violation of SUPERSITE security. This is a strict violation of SUPERSITE Security Policies and License Agreement. This is also a violation of Federal Law. Your site will be deleted from the SUPERSITE NETWORK, and we will take prompt legal actions.

If you have any questions, please contact me at SUPERSITESECURITY@itpros.com

Sincerely,
David Chang
SUPERSITE Security Manager

His third letter:

Dear valued SirenAlert Firewall customer,
Our logs show that remote access was taken of your computer on 8/13/04 and 8/17/04. Because we value our customers' privacy, we would like to tell you that if remote access is taken of your computer it may be due to a firewall defect. To download a patch for this, go to sirenalertsecure.com

SirenAlert Team

In the process, the attacker also gains access to the victim's credit card number when the victim downloads the 'update' for his firewall. The victim doesn't even remember that SirenAlert's real URL is sirenalert.com.

In a panic, and fearful of being sued in federal court, the victim responds:

Dear Mr. Chang,
I in no way tried to access SUPERSITE's database. I recently received a notice from SirenAlert, my firewall provider, that someone gained remote access to my computer on the very dates your database was hacked.

Sincerely,
Chris Tomforde

Now the social engineer sees an opportunity to come up huge:

Dear Mr. Tomforde,
I am sorry to hear that someone gained remote access to your computer and sincerely believe you. You have my deep apologies, but SUPERSITE NETWORKS does not allow computers with security faults to access their server. If you would like to discuss this further, feel free to call me from 10:00 AM to 5:00 PM at 882-335-7797.

Sincerely,
David Chang

Reassured by the friendly tone and by how easily his story was believed, Chris calls the attacker to discuss this in depth.

Attacker: Hello, David Chang, how may I help you?
Chris: Hi, it's me, Chris Tomforde from the Network. You know, I'm the one whose computer was hacked...

A: Oh yes. Actually there is an alternative to being suspended from the Network. You could sign up for a Secure Account, which would still allow you to run and administer your website.

C: Oh Great! Can I do that?

A: Sure, you just have to verify your old account. What was your username and password?

And, just like that, the attacker has his username and password.
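
Both warning signs in the letters above can be checked mechanically: a mailbox that names the brand on somebody else's domain (SUPERSITESECURITY@itpros.com) and a lookalike domain that embeds the brand (sirenalertsecure.com instead of sirenalert.com). The following is an added defensive example, not part of the original post. The `TRUSTED` table and the function names are assumptions, and `supersite.example` is a placeholder because the post never gives SUPERSITE's real domain.

```python
import re

# Assumption: the domains each brand really uses. sirenalert.com is named in
# the post; supersite.example is a placeholder because the post gives none.
TRUSTED = {
    "supersite": {"supersite.example"},
    "sirenalert": {"sirenalert.com"},
}

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")
DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def is_trusted(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def squash(value):
    """Lower-case and drop punctuation so 'Siren-Alert' still matches."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def impersonation_findings(text):
    """Return sorted (brand, kind, value) tuples for one message body."""
    findings = set()
    for local, domain in EMAIL_RE.findall(text):
        for brand, allowed in TRUSTED.items():
            # Brand named in the mailbox, but the mail domain is not the brand's.
            if brand in squash(local + domain) and not is_trusted(domain, allowed):
                findings.add((brand, "address", f"{local}@{domain}".lower()))
    # Remove addresses first so their domains are not counted again as links.
    for domain in DOMAIN_RE.findall(EMAIL_RE.sub(" ", text)):
        for brand, allowed in TRUSTED.items():
            # Lookalike: brand embedded in a domain the brand does not own.
            if brand in squash(domain) and not is_trusted(domain, allowed):
                findings.add((brand, "domain", domain.lower()))
    return sorted(findings)


# Constructed samples: the first two quote lines from the letters in the post,
# the third is an invented legitimate notice.
FIRST_LETTER = "If there is some mistake please contact us at SUPERSITESECURITY@itpros.com"
THIRD_LETTER = "To download a patch for this, go to sirenalertsecure.com"
LEGITIMATE = "Questions? Write to support@sirenalert.com or visit www.sirenalert.com."

if __name__ == "__main__":
    for body in (FIRST_LETTER, THIRD_LETTER, LEGITIMATE):
        print(impersonation_findings(body))
```

A check like this only catches the naming trick; the phone call at the end of the story still has to be stopped by a rule that nobody is ever asked for a password over the phone or by e-mail.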