It always amuses me to read these recent news articles about social engineering and what a threat it is. I swear the BBC reported on much the same thing in the middle of last year.

At the end of the day there is nothing much you can do to stop the social engineering. Sure we can minimise it to the point where intrusions are no longer so simple (good education is the main key there) but the process is fundamentally reliant on human error.

Maximise education, minimise data exposure, get over the fallacy that internal data need not be encrypted and compartmentalise departments of people and you have done all you can. Then it is up to a vigilant IT department and to giving staff the confidence to challenge potential intruders.
Education has to go both ways, though. Sure, employees and users need to know the dangers (for instance, Facebook users need to know how dangerous it is to give Facebook the password to their email accounts) but Facebook thinks it's dangerous for its users to understand security.

The first time I ever saw a phishing scam on Facebook I took a screenshot and emailed it to Facebook, because I was almost certain that phishing was not occurring on a large scale on their website at that time. The result? They blocked my account for almost a week. I guess the fact that I knew what a phishing scam was made me "suspicious".

If the IT department where I work called me and asked for my password, I would hesitate to refuse because odds are they'd think I was trying to hide something. They honestly wouldn't understand why it was a bad idea for me to give them my password.