One of the most common ways of getting information about someone is social engineering, a technique that consists of abusing people’s trust to get the information you want. It usually has to be done very subtly, so that the other person does not notice they are being tricked.
One of the most famous hackers using social engineering was Kevin Mitnick, who usually got all he wanted using only a phone. Phishing is another form of social engineering, in which people are sent an email asking for bank account information to “confirm some settings”. People who don’t know much about security, or who are trusting, send this information and their money is stolen from the bank.
So, how is a password obtained with social engineering? If the victim doesn’t know very much about computers, an email with forged headers that pretends to come from Microsoft or Hotmail administration and asks for their password to confirm their identity can work very well.
If the victim is more knowledgeable, more subtle attacks have to be used. Sending him malicious software is a common one. This software can retrieve the password from the computer if it is saved somewhere, or can trick the user into entering it. For example, there is one program of this kind that simulates the MSN Messenger login screen but, in reality, sends the information to the attacker’s email.
To protect against this kind of attack we must make sure not to trust anything arriving by email or by instant messaging if it hasn’t been requested previously. Even then, a good antivirus might detect malicious software and protect us from it. Also, don’t ever give your password to anyone, either by phone or by email, even if it’s requested by a supposed administrator of the site, as they never need to know it.
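The "do not trust unrequested email" rule can be partly automated on the receiving side. The following is an added example, not code from the original post: it flags a message that uses a provider's name, fails sender authentication, or asks for a password. The `BRAND_DOMAINS` allowlist, the `assess` function and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this mailbox accepts as genuine for the named brands.
BRAND_DOMAINS = {"microsoft.com", "hotmail.com"}
BRAND_WORDS = re.compile(r"microsoft|hotmail|msn", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|passwd)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def assess(raw_message):
    """Return a list of reasons the message should not be trusted."""
    msg = message_from_string(raw_message)
    findings = []
    from_header = msg.get("From", "")
    from_domain = domain_of(from_header)
    if BRAND_WORDS.search(from_header) and from_domain not in BRAND_DOMAINS:
        findings.append("brand name in From, but sender domain is " + from_domain)
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("replies go to a different domain: " + reply_domain)
    # Authentication-Results is written by the receiving server (RFC 8601);
    # only trust copies added by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim"):
        if not re.search(check + r"=pass\b", auth):
            findings.append(check + " did not pass")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if CREDENTIAL_ASK.search(body):
        findings.append("message asks for a password")
    return findings

# Constructed sample: display name imitates the provider, real domain does not.
SAMPLE = """\
From: "Hotmail Administration" <support@account-verify.example>
Reply-To: verify@mailbox-check.example
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=account-verify.example; dkim=none
Subject: Confirm your identity

Please reply with your password to confirm your identity.
"""

if __name__ == "__main__":
    for reason in assess(SAMPLE):
        print("-", reason)
```

A message that produces no findings is not proven safe; the check only catches the obvious signs of a forged sender, so the rule about never sending a password still applies.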






