Social Engineering

Defining social engineering

Social engineering is the exploitation of human psychology and tendencies to make victims convey private information to the advantage of hackers. Its practices are no different from traditional frauds. The efficiency of social engineering derives from one aspect of human nature: humans are naturally (in the sense of automatically) altruistic social beings. Technology does not depend on hardware and software alone; one must also be attentive to the social context and social dynamics implied within modern technology.

Psychological bases of social engineering

Since social engineering preys on the simple vulnerability of human psychology that humans are helpful by default, it is important to discuss the other psychological exploits that make social engineering effective. These psychological tendencies or triggers include the following:

Strong affect means heightened emotions. The social engineer induces strong affect in the victim through emotionally loaded events, such as winning a grand prize or a piece of shocking personal news. When the victim is in such an emotional state, they enter into counterfactual thinking.

Overloading is when the victim is bombarded with convincing statements (that are not necessarily true) within a short period of time, causing the victim to leave such statements unchallenged. Since such statements are unchallenged, chances are that the victim accepts the statements as factual. This may occur through arguing from an unorthodox perspective.

Reciprocation is the tendency of people to return a favor with one of roughly equal or greater value. As a consequence, the original helper is perceived as an ally rather than as someone potentially suspicious. Reverse social engineering exploits this tendency: the hacker causes a problem on the target’s network or computer and then makes themselves available to fix it, so that the victims perceive them as a “hero”, even though they merely volunteered to fix the problem and even while that problem is still being resolved.

The social engineer could initiate a deceptive relationship with the victim by sharing information and discussing a common enemy. The same effect is achieved if the social engineer appears to share similarities with the victim. As a consequence, the victim trusts the social engineer more.

Diffusion of responsibility and moral duty occurs when the social engineer convinces the victim that they are not totally responsible for their actions. The target is made to feel that they are making decisions that will hugely impact their job, the company, or another person, which leads the target to comply easily with the hacker.

People are conditioned to comply with or trust perceived authority. Such authorities are difficult to question, as are their intentions.

People tend to maintain integrity and consistency in their (not necessarily wise) commitments. People also tend to believe that others are expressing their true attitudes when they make a statement, unless there is strong evidence to the contrary. There is a strong tendency to “do what you say you are going to do” even if one suspects that the request may have been illegitimate.

Ultimately, all of these triggers are effective because they stem from one cause: trust. The social engineer must gain the victim’s trust so that the manipulation works throughout the entire ploy. This may be done incrementally: the social engineer asks for petty requests at first, and the requests grow until the final goal is reached. Another way to gain trust is to relieve suspicion, that is, to create a (seemingly) secure scenario for the victim. Examples include disguising oneself as a coworker and changing one’s voice to a female one (since female voices are believed to be more successful at persuasion).

Social Engineering in Action

Life cycle of a social engineering attack

A social engineering attack can be subdivided into four steps.

  1. Step 1: The social engineer first identifies the victim(s) and does (usually extensive) background research about them. This is the planning phase of the attack.
  2. Step 2: The social engineer then engages with the victim(s) using a fabricated scenario or situation.
  3. Step 3: From this engagement, the social engineer executes the attack using the information gained from the victim.
  4. Step 4: Finally, the social engineer removes any remaining traces or clues of the attack.

Types of social engineering attacks

The following are the attacks that a social engineer might inflict. As we go through each type of attack, try to recognize the psychological triggers that are used.

Check out this vishing example video made by Fusion Media!

Fundamental personal measures against social engineering

Preventions against Social Engineering

The following measures could be executed at the individual level:

  1. Avoid opening any emails or suspicious links from untrusted sources. Check the link’s context first, then scan the site with anti-malware.
  2. Do not give tempting offers from strangers the benefit of the doubt. Do not be gullible; browse the web to verify the authenticity of the reward.
  3. Lock your laptop whenever you are away from your workstation.
  4. Purchase antivirus and anti-malware software. Keep them up to date.
  5. Read your company’s privacy policy.
  6. Be cautious when sharing information with someone you do not fully know, even if that stranger seems authoritative and reliable. Check and verify their identity first.
  7. Do not let a stranger connect to your wireless network.
  8. Use a paper shredding machine for disposable printed materials.
  9. Use multi-factor authentication. Multi-factor authentication is the use of more than one means, such as a phone number or an SMS code, to verify that the person accessing personal materials is their owner.

Multi-layered defense against social engineering

Here are the different layers or levels of the defense:

  1. Foundational Level: Security Policy addressing social engineering
  2. Parameter Level: Security Awareness Training for all users
  3. Fortress Level: Resistance Training for Key Personnel
  4. Persistence Level: Ongoing Reminders
  5. Gotcha Level: Social Engineering Land Mines (SELM)
  6. Offensive Level: Incident Response