Fermilab Today, Tuesday, October 25, 2005
Computer Security: Watch Out for Con Games
In computer security, social engineering describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. In short, social engineering is essentially a con game. Consider the following true examples:

Jane enters a government facility by simply talking to employees and 'piggybacking' through the doors. Guards ignore her since she is with a group of employees, some of whom swipe their cards to unlock the door. Once inside, she breaks off from the group and finds her way to the server room. She finds an administrator along the way and convinces him that she works for a vendor, was installing some software and accidentally locked herself out of the server room. He dutifully lets her in the server room without further question. She is left alone with the core servers, well on the way to gaining unauthorized access.

A cyber security audit is being performed at a company. The auditors know about an upcoming layoff and create a CD with fictitious data containing a virus, label the CD with the eye-catching title "Proposed Layoffs", and plant the CD in a bathroom at the company. An employee finds the CD and inserts it into his machine to see if he or others he knows are on the list. Afterwards, he dutifully turns it in to his supervisor, who does the same, and the CD continues up the management chain, each person infecting their machine. The auditors were able to gain access to senior management's machines by exploiting natural human curiosity.

In the first example, the social engineer bypassed many checks in the normal identification system because she was friendly, quickly gained the trust of others, and did nothing to raise suspicion. The second example played upon the fears and curiosity surrounding an upcoming layoff.

What you can do:
- Don't permit 'piggybacking' of an unknown person into locked areas, especially Property Protection Areas.
- Don't give out personal information or login/passwords. No one, including system administrators and computer security staff, has any reason to know or ask for your password.
- Do not trust unsolicited email attachments, web links, phone calls or electronic media like CDs or DVDs.
- Don't believe someone who claims to be working on computer systems in your area of responsibility if you don't recognize them. Ask co-workers if someone recognizes them or ask to see their ID badge. Call a security guard if their identity cannot be established.
- If you believe you have been the victim of a social engineering exploit, don't make it worse by keeping quiet; report it. If it involves a computer that you believe has been compromised, call x2345 and report it as a computer security incident, or send email to computer_security@fnal.gov and explain what has happened. Don't try to solve the problem yourself; you might destroy clues that could help in the analysis of what happened.

See http://security.fnal.gov/socialengineering.html for more true examples of social engineering exploits.