- We sometimes don’t have the time, energy, or patience to fully examine each decision before acting on it.
- Our brains push for shortcuts, particularly when it comes to relating to others.
Any malicious operation by an individual or a group of attackers that exploits human psychology to obtain confidential information, money, or some other illegitimate objective is a social engineering attack.
There has been an uptick in social engineering attacks in the cybersecurity landscape; the most recent example is Nikkei losing $29 million in a Business Email Compromise (BEC) attack. The attacker here scored against an intrinsic human trait: the fear of one's bosses. According to IBM's X-Force Threat Intelligence Index 2019 report, 29 percent of attacks involved phishing emails, and 45 percent of those involved BEC scams, also known as "CEO fraud" or whaling attacks.
Even after securing your data center, cloud deployments, and the building's physical security, and investing in defensive technologies backed by the right security policies and processes, a crafty social engineer can still weasel their way right through (or around) all of those defenses.
How do hackers exploit human psychology?
Humans make a phenomenal number of decisions every day without realizing that some of them will later turn out to be critical. We make so many decisions in a day that we sometimes don't have the time, energy, or patience to fully examine each one before acting on it. So our brains start pushing for shortcuts, particularly when it comes to relating to others.
Here are the psychological levers attackers exploit during a social engineering attack:
- Reciprocity: People don't like to feel indebted to others and love to give back. Exploiting reciprocity, an attacker may call, chat, or email the target to offer help with a common problem. Having done the favor, the attacker then tricks the target into giving up information such as date of birth, address, employer, email password, and so on.
- Consistency: An attacker may try to be frank and befriend the target through consistent effort. The target's decision to give up confidential information is then driven by social pressure and the wish to live up to the expectations of the relationship.
- Scarcity: This technique plays on the target's fear of losing something. A phishing email claiming that a link must be opened to keep an account active, or the account will be disabled immediately, is designed to provoke exactly that fear.
- Social proof: When people are unsure how to behave, they look for evidence of appropriate behavior. Attackers exploit this by claiming that many others have already benefited from performing the requested action.
- Authority: We tend to comply with requests or orders from authority figures, either out of respect or out of fear. Phishing attacks that impersonate a senior executive or a client (sometimes labeling the email "urgent" as well) can get the target to carry out the request or order. BEC scams and extortion attacks fall into this category.
- Validation: What happens when somebody appears to walk in our shoes, or merely pretends to? We develop empathy. An attacker calls up seeking validation by asking whether the target has opened a (fraudulent) phishing email yet, leading the target to believe it is a legitimate email.
Social Engineering Threats to Keep an Eye on
Know what a company's weakest security link is? Its people. It is almost an art how attackers, instead of relying on technical hacking skills, use human psychology to get people to perform actions or give up confidential information.
Here is the list of top attacks one needs to raise their security shield against today:
- Business Email Compromise: Cybercriminals impersonate a company's supervisors, CEO, or vendors to request seemingly legitimate money transfers, obtain confidential information, or infect targets through malicious attachments in spoofed emails.
- Pretexting: Attackers focus on creating a good pretext, a fabricated scenario, which they use to try to steal their victims' personal information.
- Baiting: Attackers leverage various offers, such as free music or movie downloads, to entice users into handing over their login credentials.
- Tailgating: Tailgating, or piggybacking, lets an attacker into a restricted area to gather confidential information about the premises, employees, or systems.
- Extortion: The crooks here take advantage of cheap, easy access to credentials compromised in other attacks, or bought on the dark web, to convince targets that they have been breached. Sextortion is a common threat in this category because it trades on embarrassment.
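The BEC description above, and the "authority plus urgency" lever in the earlier list, both come down to a few observable traits of the spoofed email: a trusted executive's display name on an address that is not theirs, a look-alike sender domain, a Reply-To that silently redirects the conversation elsewhere, and pressure language about urgent, confidential transfers. The following Python is an added defender-side example, not code from the original article or from IBM or Nikkei; the protected domain, the executive list, the pressure-word list and the two sample messages are all constructed for illustration, and the heuristic assumes single-part plain-text messages.

```python
"""Heuristic screening of inbound mail for the BEC / CEO-fraud pattern.

Added illustration: scores one RFC 822 message against the traits a spoofed
executive email tends to show. All names, domains and messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the defended domain and the executives whose
# display names are most worth impersonating (display name -> real address).
INTERNAL_DOMAIN = "example.com"
PROTECTED_EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Pressure words the authority-plus-urgency lure relies on (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "wire", "transfer", "gift card",
                 "confidential", "right away")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances flag look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators found in one message, in a fixed order."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    found = []

    # 1. A protected executive's name on an address that is not theirs.
    legit = PROTECTED_EXECUTIVES.get(display_name.strip().lower())
    if legit and sender.lower() != legit:
        found.append("display-name-impersonation")
    # 2. A sender domain within two edits of our own (examp1e.com, exarnple.com ...).
    if sender_domain != INTERNAL_DOMAIN and 0 < edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        found.append("lookalike-domain")
    # 3. Replies quietly redirected to a domain other than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append("reply-to-mismatch")
    # 4. Two or more pressure terms in subject or body.
    if sum(term in text for term in URGENCY_TERMS) >= 2:
        found.append("urgency-language")
    return found


def classify(raw_message: str) -> str:
    """Hold a message for human review when two or more indicators coincide."""
    return "hold-for-review" if len(bec_indicators(raw_message)) >= 2 else "deliver"


# Constructed sample: the spoofed CEO request the article describes.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example.com
Subject: Urgent wire transfer

I am in a meeting and cannot take calls. Please transfer the payment
immediately and keep this confidential until I am back.
"""

# Constructed sample: a routine internal message from the real executive.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning notes

Attached are the notes from this morning's planning session.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, classify(raw), bec_indicators(raw))
```

Each indicator on its own is weak (executives do use personal addresses, and finance staff do write "urgent"), so the verdict is only raised when several coincide, and the outcome is a hold for human review rather than a silent drop. In a real deployment the executive list would come from the directory, and the look-alike check would run against every domain the organisation legitimately receives mail from, not just its own.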