Cyber security isn’t just about computer systems and networks; the people who use these technologies also play an important role. Most ransomware attacks begin with the human factor – social engineering. A recent threat monitor assessment indicates that nearly one-third of employees fall victim to social engineering attacks. Malicious actors exploit human emotions to lure the unsuspecting victim into sharing sensitive personal or professional data. These scams are regularly in the news and most people are familiar with them. So, why are they still effective? Let’s explore some of these tactics to uncover the psychology behind social engineering.
Social Engineering and Human Emotion
Social engineering can be described as influencing someone to take an action that may or may not be in their best interest. Malicious actors use emotions as a social engineering tool to persuade their victims to take an action they normally would not. Falling victim to this type of attack does not indicate a lack of knowledge or intelligence. For instance, in a recent adversarial simulation conducted by Social-Engineer, LLC (SECOM), even cyber security professionals disclosed sensitive information during a vishing test. Why are these attacks effective even when targeting professionals in the field? It all comes down to the impact that emotions have on human behavior. For example, malicious actors use influence techniques to trigger strong emotions such as fear, provoking an “amygdala hijack”: a reaction that overrides logic-based thinking and leads a person to take an action they normally would not. Here are some examples:
Fear
Fear is an unpleasant, often strong emotion resulting from anticipation or awareness of danger. Malicious actors commonly use fear to manipulate their victims because it is one of the most powerful human emotions. In addition, fear is easy to elicit. For instance, imagine receiving a phony email that says: “Attention. Fraudulent activity has been detected on your account. Change your password now.” How would you feel? Another, far more frightening attack is the “virtual kidnapping” scam, in which the victim is told that a loved one has been kidnapped. Through deception and threats, the bad actors coerce the victim into paying a ransom.
Greed
The Cambridge Dictionary defines greed as “a strong desire to get more of something especially money.” Greed is part of being human and, for this reason, social engineers find it to be a very successful tool. An example of this is the “419 Nigerian scam”. Cybercriminals pose, via phone or email, as wealthy foreigners in need of help moving millions of dollars out of their homeland. They promise a hefty percentage of the fortune as a reward in exchange for a small sum. Moved by greed, the target shares their bank account information, thinking they will receive the reward.
Helpfulness
From a young age, most of us are taught to be helpful and obedient in order to be perceived as a good person. Malicious attackers can exploit this willingness to help others. For example, threat actors often target new employees for their eagerness to be helpful and excel in their new job. In most cultures we are taught to obey superiors and authority, so when a person in a position of authority makes a request, few will challenge its validity. Knowing this, bad actors may impersonate the boss via a phishing email requesting a favor that needs to be handled quickly. This “favor” may be a request for financial information (gift cards, account numbers, etc.) or other sensitive information (login credentials, corporate information, etc.).
Urgency
In most cases, a social engineering attack will include the component of urgency. A sense of urgency can get the victim to act before they think. For example: there’s a suspicious charge on your account that needs your prompt attention, or you receive an urgent request from your boss, who you can’t reach at that time.
Curiosity
Curiosity is another emotion exploited in social engineering. The attackers promise something interesting or advantageous to deceive their victims. This type of attack could be as simple as sending an email stating “Your Amazon purchase for the amount of $800.00 is ready to ship. Click here to view your order.” Such an email or text may trigger the curiosity of the target, who may feel compelled to click on the link.
Principles of Influence
In addition to using human emotions as tools to manipulate their victims, criminals are also masters at applying principles of influence. These include reciprocity, commitment, social proof, authority, liking, and scarcity. The more we learn about the psychological factors that affect us, the more self-aware we can become. Whenever you feel that you’re being taken over by a strong emotion, whether triggered by someone, something, or a situation, take a step back and give yourself some time before you act.
Psychology is at the root of social engineering. However, understanding human behavior and applying principles of influence are not just for criminals or for nefarious purposes. Learn how to understand the science behind the psychological, physiological, and artistic aspects of human communication by attending our upcoming Foundational Application of Social Engineering (FASE). This interactive 4-day course focuses on the aspects of human decision making, and why it is important to understand these mechanisms. Whether you are coming as a manager, salesperson, adversary simulator, parent, instructor, or in any other role you may have, FASE will help you see how you can benefit from this knowledge in your career and in life.
Written by:
Rosa Rowles
Human Risk Analyst at Social-Engineer, LLC