Being the victim of social engineering can be rather degrading and leave you feeling violated. It is key to remember that at no point are you to blame for being the victim of these types of cyber attacks; after all, it is the social engineer's intention to obtain your private information without you being aware of it. As the Internet becomes more accessible, the number of potential targets grows, and in turn more people become victims. It is of utmost importance to become more vigilant against such attacks, and the only way to become more vigilant is to understand why people fall prey to them. If you want to reduce the chance of getting tricked and become more cyber aware, you are in the right place.
There are many psychological vulnerabilities and triggers used by social engineers, which aim to influence an individual's emotional state, and in turn their cognitive abilities, in order to obtain information. To protect yourself against these psychological triggers, you need a clear understanding of them so that you can recognise them during a social engineering attack.
These psychological vulnerabilities are:
- Strong Affect: When a strong emotion is triggered, such as anger, excitement, fear or anxiety, an individual's cognitive ability may be seriously hampered, including their ability to evaluate the situation and reason logically. A phishing attack is a good example. Phishing messages are designed to masquerade as authentic messages in order to obtain another individual's authentication credentials and confidential information illegally for financial gain. E-mail is one of the easiest ways to reach a large proportion of the population, which is why most phishing attacks are executed via this route.
- Overloading: This technique has a time element. The individual is bombarded with a hurried series of persuasive statements, with the result that they become cognitively pacified or compliant.
- Reciprocation: "One good deed deserves another." Social exchange theory states that individuals, on receiving a kind gesture from another, feel obligated to reciprocate with kindness. The social engineer might create a problem for the individual, only to fix it again, in order to make the individual feel obligated to reciprocate by disclosing information.
- Deceptive Relationship: To obtain information, the social engineer will identify an individual and purposefully build and establish a relationship with them. This is done for a particular reason: individuals tend to share information freely within established relationships.
- Diffusion of responsibility and moral duty: The individual is made to believe that their actions (disclosing information, even though it is against policy) will have greater benefits and important beneficial consequences, such as helping to save an employee or helping the institution, and that they will not be held solely responsible for their actions.
- Authority: By portraying an authority figure, the social engineer makes the individual more likely to comply with the request to disclose information. An authority figure almost implicitly elicits a conditioned response to adhere to their wishes and demands, combined with a fear of punishment if the individual appears to undermine their authority by verifying their legitimacy.
- Integrity and Consistency: Individuals have an intrinsic desire to uphold commitments, even when the commitment was not originally their own.
These triggers are exploited during social engineering attacks on unsuspecting victims. Being subjected to these psychological triggers leads individuals to feel a sense of anxiety, which in turn leads them to make incorrect decisions. You would expect that someone could use these cues of discomfort to detect that they are being targeted by a social engineering attack; however, the sense of discomfort only leads to poor decision making. The human reasoning and decision-making process is very complex, and sometimes we make mistakes, which is why social engineering attacks are difficult to detect.
Apart from knowing the psychological triggers that social engineers utilise, it is also useful to be aware of the typical techniques that are used. The techniques are all based around the way in which the social engineer initiates communication with the potential victim. The following five techniques are currently the most popular.
Pretexting: Pretexting is a form of social engineering in which an individual lies to obtain privileged data. A pretext is a false motive. Pretexting often involves a scam where the liar pretends to need information in order to confirm the identity of the person he is talking to. After establishing trust with the targeted individual, the pretexter might ask a series of questions designed to gather key individual identifiers such as confirmation of the individual's social security number, mother's maiden name, place or date of birth or account number.
Phishing: Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site. Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.
Phone Phishing: Voice phishing is a form of criminal phone fraud that uses social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. It is sometimes referred to as 'vishing'. Landline telephone services have traditionally been trustworthy: they are terminated in physical locations known to the telephone company and associated with a bill-payer. Now, however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to make it difficult for legal authorities to monitor, trace or block them. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Baiting: A "lucky winner" gets a free digital audio player. In fact, this offer compromises any computer it is plugged into. Not so lucky, huh! This is a classic textbook example of baiting. Baiting is like the real-world 'Trojan Horse': it often uses physical media and relies on the curiosity or greed of the victim. It is in many ways similar to phishing attacks. However, what distinguishes baiting from other types of social engineering is the promise of an item or good that the attackers use to entice victims. A baiter may offer users free music or movie downloads if they surrender their login credentials to a certain site. These attackers are not restricted to online schemes; they can also exploit human curiosity via the use of physical media.
Quid Pro Quo: In a quid pro quo attack scenario, the attacker offers a service or benefit in exchange for information or access. The most common quid pro quo attack occurs when an attacker impersonates an IT staffer of a large organisation. The attacker phones employees of the target organisation and offers them some kind of upgrade or software installation. They might ask victims to facilitate the operation by temporarily disabling their anti-virus software so that the malicious application can be installed.
You can read more on this topic in the FREE E-BOOK, which provides the reader with an introduction to social engineering and the typical techniques employed by social engineers. When you understand why we fall prey to the tactics used by social engineers, you become much more vigilant against these types of attacks, and you are able to identify them a lot quicker.