What Is Social Engineering? And How Can You Stay Safe?

Phishing is a huge problem – and it’s growing. So why do so many people get caught out? It all hinges on the psychology of social engineering


The prospect of fraudulent phishing emails is a truly scary one.

Think about the last busy day you had, where you felt like you were being pulled in umpteen different directions.

Then suddenly, you receive an email, purportedly from Microsoft or Google, stating that you’ve been locked out of your online productivity suite. Suddenly, it looks like if you want to get those documents completed by 5pm, then you’ll have to reset your password now – using this specific link.

Could this day get any worse?

Well, if you did indeed click the link, and that email didn’t come from who it said it was, then yes. Your day could get much worse.

Whether the cybercriminal steals your password, plants malware on your machine, or uses your device as a way to leapfrog to other devices on your network, it’s bad news.

And as attack vectors go, phishing is growing. The DCMS identified a rise in businesses experiencing phishing attacks – from 72% in 2017 to 86% in 2019 (Source: DCMS, 2020).

Fraudulent phishing emails aren’t just haphazardly thrown together, either. Con artists use a slew of manipulation tactics to get victims to do their bidding. These tactics are commonly known as “social engineering”.


What is Social Engineering?

Social engineering refers to a number of psychological manipulation tactics that criminals use to coerce their victims into sharing sensitive information or granting access to valuable resources.

Though social engineering is commonly seen in phishing scams, social engineering tactics are used by confidence tricksters of all kinds, both online and offline. On the whole, these “human hacking” methods exploit our propensity to act rashly and trust willingly.



What Might a Social Engineering Attack Look Like?

Socially engineered phishing attacks can take numerous forms. However, there are a handful of tell-tale scenarios that pop up time and time again…

  • A Message from a Trusted Source – Phishing messages or emails can claim to come from a trusted party like a colleague or friend. They take advantage of your curiosity and trust, urging you to click a dodgy link or download a (probably infected) file, or they may try to extract money from you or your company.
  • Phony Verification Prompts – This kind of attack involves a message that’s purportedly from a trusted provider such as your bank, email provider, or crucial productivity suites like Office 365. The message will likely state that there’s an issue with your account and you need to click this specific link to solve it. This may lead to a phony login page that will steal your username and password, but it could also silently feed you malware at the same time.
  • Something for Nothing – Sometimes phishing attempts will notify you that you’ve won a prize or you’ve inherited a large sum from a long-lost (read: non-existent) relative. You might even receive an advance-fee scam email claiming to be from foreign nobility needing your help to move some money around. These scams appeal to our innate love of a freebie, but also lean on our genuine willingness to help.
  • Fake Blackmail Scams – These are scams that claim to have salacious, compromising information about you or recordings of you. They’ll threaten to forward what they have to your nearest and dearest if you don’t pay the Bitcoin ransom. It’s all bluff, of course.

It’s worth noting that these emails are carefully calculated and orchestrated with psychology in mind. They’re trying to get you engaged and on board with their compelling pretences.



The Anatomy of a Social Engineering Attack

Before we get into the psychology behind social engineering, we need to understand the lifecycle of a social engineering attack. Cybercriminals are becoming increasingly sophisticated in their approach, putting whole teams of people into planning and executing their scams.

Preparation

Before they reach out to their prospective victims, criminals need to lay the groundwork. They will identify potential victims and collect as much background information as they can to make their attack seem more believable.

This can be as simple as looking up names, contact details, and job titles on LinkedIn, or identifying a company’s directors through Companies House.

Laying the Trap

Once the criminals have enough information about their potential victim, it’s time for them to spring into action. This is where they reach out to the victim, crafting a believable (or sometimes not so believable) story to get them hooked.

Development

Sometimes social engineering scams are over once a victim opens a dodgy link or pays a phony bill.

However, other times, there’s a period where the criminal and the victim have to interact a little before the scam is complete. In this case, the hacker quickly and subtly takes control of the situation, and builds on their initial story to add believability, urgency, heightened emotion, or any of the factors we’ll discuss below.

An ongoing campaign of interaction can be risky for the criminal as it gives more opportunity for them to get caught, but they may be willing to gamble if the potential gain is big enough.

Exit Strategy

Once the scam is complete, the criminal then needs to draw things to a close. In certain circumstances they may need to engineer the appearance of a logical conclusion; other times they may simply allow their charade to fade into the annals of history. But either way, you can bet that they’ll go some way to cover their tracks and make it look like nothing has happened.


How Does Social Engineering Work?

Social engineering is simply the science of influencing people to take a certain course of action. Granted, it’s action that may starkly go against a victim’s better judgement, but it’s simply a matter of influence nonetheless.

There are numerous lenses that we can use to examine the complexities of human grey matter. We all act slightly differently depending on who we are, but simplified frameworks can help us quickly understand and identify what’s going on in our minds.

In his book Influence, Dr Robert Cialdini identified 6 key factors at play within the psychology of influence. Confidence tricksters know all too well how to use these factors against us, though it’s important to stress that these 6 principles aren’t inherently negative aspects of our psyche. They can be used as a force for good in negotiation, debate, sales, and marketing.

However, they can also be used for evil…

  • Reciprocity – This is our tendency to return a favour. If a con artist scratches our back (or at least seems willing to), we’re more willing to scratch theirs. This factor also touches on a psychological reaction called “Rejection Then Retreat” – basically, when someone initially says “no” to an offer, they can often be persuaded by an alternative, smaller or more modest offer.
  • Scarcity – A scam based around scarcity appeals to our innate fear of missing out. There are numerous ways that scammers use scarcity to get us to act. They may threaten to revoke your access to a crucial service, state that a payment needs to be made within a certain stringent time frame, or even state that something desirable is only available to the first x-many respondents. Time-based scarcity can be very powerful to a criminal as it doesn’t give people the chance to step away and think things through. There are elements of scarcity at play in perceived uniqueness too – the prospect of being personally singled out to benefit from an “exclusive” win, offer, or advance-fee scheme. Don’t be fooled – scammers send thousands of these messages a day!
  • Authority – People tend to obey apparent authority figures – even if those figures command them to do strange or unconscionable things. Social engineering attackers will sometimes frame their request as coming from “powers that be” like the Police, law courts, HMRC, parking enforcement services, or TV Licensing. An element of authority is also at play when a scam seems to come from a bank, building society, mortgage provider, or anything with financial implications.
  • Consistency and Commitment – We’re generally more likely to do things that consistently resonate with our sense of self-identity. We all generally like to think that we’re nice, amicable people, so phony charity pleas or requests to help someone out financially try to appeal to our better nature. We may also like to think that we’re fast and efficient in the work we do, so we may think nothing of quickly paying a fake company invoice that appears to have been forwarded by a legitimate supplier.
  • Liking – We generally go along with requests from people we like, whether that’s someone who has a likeable personality, is physically attractive, or is favourable in some other way. Unsolicited attention from an attractive, flirtatious stranger on social media is often an attempt at a scam. The “liking” principle also applies to brands that we know, like, and trust. Scammers can easily get people on board by fraudulently hiding behind a widely trusted brand identity like Microsoft, Netflix, or Amazon.
  • Social Consensus – We’re wired to view acts favourably when we perceive that it’s something that other people are doing. Criminals may make it seem like other people are complying with their requests and getting favourable results to give an air of legitimacy. Small, consensus-focused text and graphics can have a profound impact on our decision making!

There’s one last thing to note here, and that’s that confidence tricksters of all kinds – online and offline – often use charged, heightened emotions to snag us when we’re vulnerable and/or malleable. Whether they use fear, excitement, curiosity, anger, despondency, embarrassment, or guilt; most emotions can be hijacked to get us to act against our best interests.
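To make the influence cues above and the tell-tale scenarios listed earlier concrete for a mail-filtering or security-awareness team, here is an added example (not code from the original article or from Just Firewalls) that triages a raw email for urgency, authority, reward and blackmail wording, a display name that borrows a trusted brand while the sender domain does not match, and links whose visible text names a different host than the real target. The keyword lists, the brand-to-domain table and the sample message are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word cues for the influence principles described above (constructed lists,
# an assumption for this example; extend with the wording your own users see).
CUES = {
    "scarcity/urgency": ["immediately", "within 24 hours", "locked out", "expire", "last chance"],
    "authority": ["hmrc", "police", "court", "it department", "your bank", "compliance"],
    "something for nothing": ["you have won", "prize", "inheritance", "selected", "exclusive"],
    "fear/blackmail": ["recording", "compromising", "bitcoin"],
}
# Brands the article names as commonly impersonated, mapped to the domain their
# genuine mail is assumed to come from (assumed values for this example).
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "google": "google.com",
                  "netflix": "netflix.com", "amazon": "amazon.co.uk"}

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header ('' if there is none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return human-readable flags for one raw (RFC 822) message string."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    for principle, words in CUES.items():
        hits = [w for w in words if w in text]
        if hits:
            flags.append(f"{principle}: {', '.join(hits)}")
    display, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    for brand, real in TRUSTED_BRANDS.items():
        if brand in display.lower() and domain != real and not domain.endswith("." + real):
            flags.append(f"display name '{display}' but sender domain is {domain}")
    # Links whose visible text shows one host while the href points somewhere else
    for href, shown in re.findall(r'<a href="([^"]+)">([^<]+)</a>', body, re.I):
        if "://" in shown and href.split("/")[2].lower() != shown.split("/")[2].lower():
            flags.append(f"link text {shown} hides {href}")
    return flags

# Constructed sample mirroring the "phony verification prompt" scenario above.
SAMPLE = """From: Microsoft 365 Support <support@account-verify.example>
Subject: Action required: you have been locked out
Content-Type: text/html

Your Office 365 account will expire within 24 hours. Sign in immediately at
<a href="http://login.account-verify.example/reset">https://login.microsoft.com</a>
to restore access."""
```

Running `score_message(SAMPLE)` yields three flags (urgency wording, a brand mismatch, and a disguised link), whereas an ordinary internal message yields none; the flags are triage hints for a human reviewer, not a verdict.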


How Do You Stay Safe From Social Engineering?

First, and most importantly, there’s staff training. You should train all of your employees – from entry level employees to C-Suite execs – about how to spot a social engineering attack. It can be as simple as sharing information like this blog post, but phishing training workshops and awareness tools really help to establish good habits and embed that learning in the long-term.

Network filtering tools like next-gen firewalls, gateway antivirus sandboxing, and content filtering controls can all go some way to eradicate email phishing attacks, especially when it comes to protecting you from messages that use known, established threats.

However, nothing will ever render you totally immune from attack. Depending on your setup, newer threats may still sneak through undetected, especially if they don’t directly refer to a known malicious link or embedded malware. There’s also the fact that social engineering attacks don’t necessarily have to come through your IT; they can happen over the phone (vishing), over text message (smishing), or even in person. This is why training and staff vigilance are absolutely paramount.

Multi-Factor Authentication (MFA) tools help keep you safe in the event that an important password becomes compromised. Following a traditional username and password login, MFA tools will request that the user enter one or more further pieces of authenticating information before granting access to sensitive online resources. This gives far greater assurance that those accessing your systems are actually who they say they are, and puts extra roadblocks in the path of cybercriminals.

Remember: it’s far better to be suspicious of a genuine email and respond late than it is to fall for a scam. Don’t take unexpected emails at face value; take a step back, take a deep breath, and think critically. Get a second opinion on the email if you need.

To leave you with a handy resource, check out this video that shows you how to identify phishing emails using real-life examples.


Do you find yourself fending off a lot of phishing emails? Wondering how you would handle a successful cyberattack? Well, drop us a line for a free cybersecurity health check! Our experts will talk you through your current cyber-preparedness measures and provide free advice where we can. There’s no obligation to buy anything from us – we may even be able to maximise the security solutions you’re already using! Get in touch with the team today on 0808 1644414 or request a call back.