Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Here are three reasons why it works.
1. Expert Influence
Why would we divulge account information when a caller claims to be from our bank?
In short: We trust the bank to take care of our money and if the bank says there’s a problem, we’ll do anything to fix it.
We are so focused on the problem presented, and on our desire to fix it, that we don’t take the time to determine whether the caller is really who they claim to be; we immediately want to begin the recommended steps to fix the perceived problem.
This is an example of what psychologists call informational social influence—meaning, if we are not sure what to do in a situation, we are far more likely to trust other people for help.
Social engineers use this completely natural problem-solving strategy to their advantage. They present the victim with a situation that deceptively influences the person to use the social engineer as a source of information.
Psychologists have found that some people have become especially reliant on others for information in situations of ambiguity and/or crisis.
In ambiguity, many people are trying to figure out what the right thing to do would be, or the next step they must take. When faced with this uncertainty, people are far more open to being influenced by others. Enter the well-rehearsed social engineer, who can make stealing information from you seem like they’re actually doing you a favor by helping you through the ‘next steps’ you had no clue how to navigate.
In crisis, when you may be feeling fearful or vulnerable, you’re also more likely to look to others for direction. Social engineers intentionally use fear and often urgency to manipulate people. If you’re worried that you’ll lose money, have your identity stolen, or go to jail, you won’t appropriately consider what information you’re divulging. Furthermore, social engineers often convey a sense of urgency to support the illusion that you’re in the midst of a crisis.
We’re naturally inclined to follow the counsel of those who appear more knowledgeable about a situation than we are; add ambiguity and fear to the situation and people will flock to and follow the instructions of the nearest expert to regain control and safety.
2. Attention to Authority
We are taught from an early age to give special attention to those in positions of authority. In an inbox full of email, we will open, read, and respond to a message from our organization’s CEO before we take a look at any messages from our co-workers. In most cases, there is added pressure to react quickly and perform the task flawlessly if we receive a request from our boss or someone else in authority.
This is why social engineering schemes like CEO fraud and the IRS scam work. Criminals posing as CEOs take advantage of our natural deference to authority. We see an email that appears to be from our CEO, and because we instinctively feel pressure to act quickly, we won’t take the time to determine whether the sender is really who they say they are.
The social engineer knows, from a psychology perspective, that they can rely on the authority the CEO title carries: people do not want to disappoint an authority figure.
3. Likability
Social engineers don’t just rely on bullying and threats to get the information they need. They also use charm, friendliness, humor, appreciation, and flattery. These characteristics are disarming and create a sense of trust.
Further, a social engineer’s goal is to get in and out without being remembered. Think about it: What kind of customer interactions do you remember and talk to your co-workers about? Do you talk about the customers who politely answer all your questions, or do you talk about the crazy customers who screamed and cursed at you?
A pleasant interaction is far less memorable than an unpleasant one. This makes it easier for social engineers to slip under the radar, cover their tracks, and avoid raising any red flags.
How to Prevent Social Engineering
From an organizational standpoint, security awareness and policies are both critical in preventing social engineering attacks.
On the policy side, you need to ensure your procedures take social engineering into account. Do your employees follow a process to accurately verify customers or employees before giving them access to privileged information? Could a social engineer easily gain access to the information you use to verify their identity or right to access? Identify what parts of your processes can be exploited and update your procedures accordingly.
Here are two good practices to teach your employees:
- No matter who someone claims to be, always verify. It may seem awkward at first, but verifying that someone is who they say they are should become second nature.
- Don’t break procedure for “important” people. If a given request usually goes through a certain channel or requires some sort of documentation, then those rules always apply equally to everyone. Procedures aren’t there to slow things down—procedures are put in place to prevent fraud and mistakes.
In addition, make sure lines of communication are clear and consistent, and that they effectively communicate information like:
- This type of request will always come from this location.
- A request above a certain threshold requires face-to-face approval.
- This group should be verified in this way.
- This group is privy only to specific pieces of information.
Additionally, to protect your customers, make them aware of what the normal procedures are for correspondence and interaction with your organization, and what information your company representatives would and would not ask them for. If you teach people to recognize social engineering tricks, you can beat criminals at their own game.
Protecting your organization from social engineering attacks is not just about having the right policies—social engineering is also a people problem. This is where social engineers can use likability, obedience to authority, and expert influence to their advantage. Even with strong policies in place, if employees are not keeping these dangers and what to do about them top of mind, social engineers will be able to convince an employee to bend the rules and gain access to sensitive data.
To solve the people problem, you must have a strong culture of security in your organization. Your employees need to know what kinds of attacks to look out for, and understand what to do to prevent them. Keeping this information top of mind will encourage them not to break from procedure, no matter how convincing the social engineer is.
Increase Awareness About Social Engineering
Creating a stronger, smarter workforce that is ready to spot social engineering attacks is the most effective way to defend against social engineering attacks. Century Solutions Group and Arctic Wolf® Managed Security Awareness® can help create a culture of security-minded employees by preparing them to recognize and neutralize social engineering attacks and avoid human error.
We can help you prevent cyber risk at your organization and empower your employees to identify cyber risks and report mistakes that could expose sensitive data and result in noncompliance issues.
Nathan Caldwell – Arctic Wolf