The Psychology behind Social Engineering
But what is social engineering? To keep it simple, social engineering is the art of manipulating people into performing an action that benefits the attacker. That action could be disclosing information, performing a task (such as running a command), or disabling or bypassing a security control.
In other words, social engineering is focused on “hacking” the users, not the systems.
Now, to better understand social engineering, it is imperative to understand the psychology, principles, and tactics behind those attacks. Attackers leverage a set of psychological concepts, principles, and tactics to manipulate the victim, and then use that manipulation to influence the victim to either reveal sensitive information (usernames, passwords, etc.) or perform a given action (such as disabling the antivirus).
Understanding those tactics will help you to identify when you are a target and avoid falling into these elaborate attack vectors. For this reason, in this chapter, we will cover the following main topics:
- The art of manipulation
- Tactics and principles used to influence the victims
- Developing rapport
- The weakness behind the empathy
- Leveraging influence tactics for defensive security
Understanding the art of manipulation
Manipulation, in this context, is the attacker's ability to get the victim to perform an action that benefits the attacker. Examples of those actions are as follows:
- Install a given software (which may contain malware)
- Remove some security settings or applications (disable the antivirus, firewall, etc.)
- Execute an unknown command that may impact the confidentiality, integrity, or availability of data (for example, delete a table using SQL commands)
- Create or edit an active user (that will provide access to the attacker)
- Change system configurations (to facilitate access to data)
Additionally, examples of the types of information that the attacker may want to gather from the victims are as follows:
- User credentials (usernames, passwords, etc.)
- Trade secrets
- Organizational information (which can be used later for whaling attacks)
- Financial information
- Corporate sensitive information (clients, price lists, etc.)
- Sensitive personal information (used for impersonation attacks)
While most people believe they will never fall victim to this type of attack, the truth is that we are all susceptible to a social engineering attack.
In fact, social engineering attacks have evolved into well-fabricated scenarios that are carefully crafted to leverage a series of psychological principles to effectively trick and manipulate the victim without them even noticing that they are under attack.
Therefore, organizations must invest time and resources to include social engineering awareness campaigns as part of their cybersecurity strategy to reduce the risks of employees falling into these types of attacks.
A common mistake is to focus social engineering awareness campaigns on IT people, while in reality, attackers prefer to attack other employee profiles, as follows:
- Non-IT employees: Attackers assume that non-IT personnel are less aware of the consequences of executing a given command. The following figure shows a typical example of how an attacker can manipulate an employee into executing a command to delete hundreds and even thousands of records in a database:
Figure 1.1 – Manipulating non-IT employees
- Overwhelmed users: We all know that some companies are happy to assign overwhelming workloads and job responsibilities to some employees. This is, of course, a terrible business practice, but it can also become a vulnerability that attackers may want to exploit. For example, as shown in the following figure, an attacker can manipulate an overwhelmed employee to gain access to a restricted location (which enables the attacker to carry out far more damaging physical attacks):
Figure 1.2 – Manipulating overwhelmed users
- Sales teams: Sales teams are normally overstretched to achieve sales quotas at the end of the quarter. Attackers can leverage that stress to manipulate the victim to perform a restricted action, as highlighted in the following figure:
Figure 1.3 – Manipulating sales teams
- Executive assistants: Executive assistants handle a lot of sensitive information that is a potential target for attackers. Therefore, executive assistants are a common target that attackers may try to manipulate to gain access to that information. The following figure shows an example of how an attacker can impersonate an IT manager to obtain a password reset code to gain access to the senior manager’s account:
Figure 1.4 – Manipulating executive assistants
Of course, those are only a few examples of groups that are more prone to be attacked by a social engineering attack, but in the end, what we want to highlight is the importance of ensuring that the organization is well-trained and aware of the threats of social engineering attacks.
The bottom line is that users are the broadest layer of defense against those attacks in your organization; therefore, ensuring that everyone is well-trained to recognize those attacks should be a key component of your cybersecurity strategy.
Now, while manipulation is the art practiced by attackers, there are many psychological principles behind it that enable the attacker to successfully manipulate users, not only into performing those actions but into doing so without doubting the attacker's intentions. Let's review them in detail.
Examining the six principles of persuasion
Those tactics were highlighted by the psychologist Robert Cialdini in his book Influence: The Psychology of Persuasion, in which he divides them into six key principles, as shown in the following figure:
Figure 1.5 – Key principles of influence
Now, let’s review each of those principles:
- Reciprocity: We feel a strong urge to pay back when we receive something from others. Therefore, an attacker may use this technique by giving you something or doing you a favor so that you feel obliged to do something for them later.
Figure 1.6 – Example of using reciprocity to influence a victim
- Commitment and consistency: If you commit to something, it is likely that you will honor that commitment, even if the original commitment or incentive changes slightly. That is exactly what the attacker wants. First, the attacker gets you to commit to something reasonable and then changes it at the last minute to something you may have doubts about; because of the previous commitment, you are likely to accept and proceed. The following figure shows an example of how an attacker can use this to gain physical access:
Figure 1.7 – Example of using commitment to influence a victim
- Social proof: This principle is based on the fact that people’s behaviors are influenced by what others do in a given place (the culture of the place). For example, in companies with a mature cybersecurity culture, tailgating is seen as an unacceptable behavior. However, the same action (tailgating) can be seen as just being polite in other companies with less cybersecurity awareness as illustrated in Figure 1.8:
Figure 1.8 – Example of using social proof to influence the victim
- Authority: People are more likely to follow an order when it is given by a person with authority (or at least someone pretending to have it). Impersonating a cybersecurity expert, influencer, or any other credible or known person is a typical case of using authority to influence the victim into executing a questionable action. As seen in Figure 1.9, the attacker calls the victim, impersonating someone from the IT or security department, and asks the victim to read back a code that the attacker claims to have sent them. What the victim does not know is that the code is the password reset code the attacker has just triggered on the victim's account; handing it over gives the attacker full access:
Figure 1.9 – Example of using authority to influence the victim
- Liking: People are more willing to trust others they like, and an attacker may use that principle to influence a victim. Liking is not limited to physical attraction; in fact, there are many other methods that attackers may use to gain your trust, as follows:
- By sharing some characteristics in common (such as saying we live or grew up in the same city or have similar ancestors)
- By sharing the same passion (for example, the same series, the same idols, the same favorite music group, etc.)
- By following the same team or groups (in sports, politics, etc.)
Figure 1.10 – Example of using liking to influence the victim
- Scarcity: This tactic is commonly used in marketing to influence you to purchase something (which, most of the time, is something that you don’t need). This tactic is incredibly powerful, which is why it is present in almost all social engineering attacks. Here, the attacker will push the victim by making them believe that they will lose a big opportunity if they do not leverage it right now!
Figure 1.11 – Example of using scarcity to influence the victim
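The authority scenario in Figure 1.9 leaves a trace on the server side that a security operations team can look for: the reset code was requested and then redeemed from a device the account owner has never used, a few minutes apart. The following script, added here as an illustration and not code from the original chapter, runs that check over a constructed audit log. The log format, the device identifiers, and the known-device list are assumptions made for the example.

```python
"""Added example: flag password resets that look like the phone-call relay
described under the Authority principle. Log lines, device IDs and the
known-device list are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log. The line format is an assumption:
# "<ISO timestamp> <event> account=<user> device=<device_id>"
AUDIT_LOG = """\
2024-05-06T09:01:10 reset_requested account=ceo@example.com device=dev-unknown-77
2024-05-06T09:06:42 reset_redeemed account=ceo@example.com device=dev-unknown-77
2024-05-06T10:15:00 reset_requested account=analyst@example.com device=dev-laptop-12
2024-05-06T10:16:30 reset_redeemed account=analyst@example.com device=dev-laptop-12
"""

# Devices each account has previously signed in from (constructed).
KNOWN_DEVICES = {
    "ceo@example.com": {"dev-laptop-01", "dev-phone-01"},
    "analyst@example.com": {"dev-laptop-12"},
}

# A relayed code is redeemed quickly, while the victim is still on the phone.
RELAY_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one audit line into (timestamp, event, account, device)."""
    ts, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return datetime.fromisoformat(ts), event, fields["account"], fields["device"]


def find_suspicious_resets(log_text, known_devices, window=RELAY_WINDOW):
    """Return one record per reset that was completed from a device the account
    has never used, matched to the open request that preceded it within
    ``window``. In the Figure 1.9 relay, request and redemption both come from
    the attacker's device, so request_device == redeem_device in the hit."""
    pending = defaultdict(list)  # account -> [(requested_at, device)]
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, account, device = parse_line(raw)
        if event == "reset_requested":
            pending[account].append((ts, device))
            continue
        if event != "reset_redeemed":
            continue
        if device in known_devices.get(account, set()):
            continue  # completed on a device the owner has used before: low interest
        # Pair the redemption with the most recent open request inside the window.
        match = next(
            ((req_ts, req_dev) for req_ts, req_dev in reversed(pending[account])
             if ts - req_ts <= window),
            None,
        )
        if match is None:
            continue
        req_ts, req_dev = match
        hits.append({
            "account": account,
            "redeem_device": device,
            "request_device": req_dev,
            "minutes_between": round((ts - req_ts).total_seconds() / 60, 1),
        })
        pending[account].remove(match)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_resets(AUDIT_LOG, KNOWN_DEVICES):
        print(f"possible relayed reset: {hit}")
```

The analyst's reset is skipped because it was completed on a device that account had used before; the CEO's reset is flagged because an unknown device both triggered and redeemed it within the window. This is a triage signal rather than proof (a legitimate user on a brand-new laptop produces the same pattern), so the natural follow-up is the help-desk check the chapter implies: call the account owner back on a known number before the reset is trusted.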
Now, there are other key tactics and techniques used in social engineering attacks that are not included in that list such as developing rapport, empathy, and pretexting, so let’s review them in detail.
Developing rapport
While similar to the principle of liking, rapport goes beyond it by creating a relationship or bond with the victim.
In fact, building rapport is about creating a trusting relationship with the victim with the objective to make the victim feel comfortable and thus more prone to execute a given task or to give some sensitive information. As humans, we tend to share data freely with people we trust, and thus for an attacker, developing an instant rapport is key.
There are many tactics that an attacker can leverage to create rapport, so let’s see the most used tactics to develop rapport.
Using appropriate body language
To develop rapport, it is key that the victim doesn’t perceive you as a potential threat; instead, you should represent a friendly figure that is there to help and listen. For example, for an attacker, a stressed or nervous attitude may cause distrust in the victim, while a relaxed attitude will be reflected in a more friendly body language that will make the victim feel more engaged and comfortable.
Figure 1.12 – Example of using body language to influence the victim
As seen in the preceding figure, a person with relaxed body language gives confidence to the victim to perform a dangerous action (in this case, to provide a security PIN).
Using your knowledge to help
Flaunting deep technical knowledge comes across as arrogance and will not help to build rapport. Instead, attackers look for opportunities to help others with their technical knowledge. This tactic builds an almost instant rapport with the victim, first because the victim is now indebted to the attacker (reciprocity at work), and also because the attacker has unconsciously established themself as a technical expert in the eyes of the victim.
Figure 1.13 – Using your knowledge to build rapport
As seen in the preceding figure, the attacker uses their knowledge to build rapport with the victim while also establishing themself as an expert. They then leverage that trust to execute the attack by sending the victim a malicious link that will collect the victim's credentials.
Using compliments
Let's be honest, we all like compliments, and this is another great way to build rapport. Of course, it needs to be subtle; as mentioned, this is an art form, and overdoing any tactic will be noticed by the victim and backfire. Instead, the compliment needs to come across as natural and genuine. Some examples are saying something nice about the clothes the person is wearing, or about any other characteristic, such as the color of their eyes, their lovely smile, or even their attitude.
Figure 1.14 – Example of using compliments to influence the victim
As seen in the preceding figure, the attacker compliments the victim by stating that they are very smart and care about security. That compliment creates rapport, and the attacker leverages it to trick the user into entering their password on an attacker-controlled page, allowing the attacker to capture the victim's credentials.
Supporting other points of view
Some people hold a minority opinion and feel dismissed or discriminated against because of it. In those cases, an attacker may create instant rapport by supporting that point of view in front of the victim. As mentioned, this needs to seem genuine, and to achieve that, the attacker must understand the topic very well in order to drive a friendly conversation with the victim and deepen the relationship of trust.
Figure 1.15 – Example of influencing the victim by creating a rapport
As seen in the preceding figure, an attacker would take the opportunity of someone complaining about security policies to agree with the victim (to build rapport) and then to offer a “solution” to avoid that security policy, which, in the end, will enable the attacker to access data and corporate systems.
The weakness behind empathy
Empathy is defined as the ability to understand and share the feelings and emotions of others. In this case, an attacker will present themself as being in a difficult situation in the hope that the victim will feel empathy and therefore be more vulnerable to falling into a trap: giving information, performing a questionable action, or even bypassing a security process to help the attacker out of that situation.
Figure 1.16 – Using empathy to bypass some security controls
Notice that, to improve the chances of success, the attacker will search for a victim who is more likely to feel empathy for a given situation. For example, in this case, the attacker targeted a victim who is a mother and, therefore, is more likely to feel empathy for a situation in which a supposedly pregnant woman is suffering, and thus willing to bypass a security process to help her.
Leveraging influence for defensive security
The good news is that you can also apply those psychological principles (such as influence) to enhance the cybersecurity culture in your organization.
In fact, here are some examples of how you can leverage some social engineering concepts in your organization:
- Social proof: You can leverage influential people in your company to promote cybersecurity best practices. A good implementation example is to provide a hands-on cybersecurity awareness workshop to those influential employees and name them Cybersecurity Advocates. This motivates those influencers to spread cybersecurity awareness across the organization and to recruit more employees to join your program as Cybersecurity Advocates.
Those kinds of programs work better if people are also awarded a digital badge that highlights their new Cybersecurity Advocate title.
- Scarcity: You can apply scarcity in many ways to enhance your cybersecurity programs, such as the following examples:
- Announce that only X number of employees are eligible for the Cybersecurity Advocate title
- Limit the number of people that can attend awareness training (which brings the feeling that they will attend an exclusive training)
- Make users think that installing a given cybersecurity tool is not an obligation but a privilege that they need to pursue (because they are getting a license for free)
As mentioned before, this technique is more powerful when combined with other tactics.
- Authority: One of the biggest challenges of cybersecurity campaigns is to get users involved. People are normally busy doing their day-to-day activities, and additional assignments (such as cybersecurity awareness training) are not a priority for most of them. However, you can leverage the principle of authority by asking a C-suite executive (CEO, CTO, etc.) to be the sponsor of the initiative. That sponsorship means recording a video or sending an email to the entire organization to highlight the importance and relevance of the cybersecurity initiative. Another great way to deliver this message is during a corporate event such as a Town Hall meeting. This will surely help to bring people’s attention to your cybersecurity awareness program.
Some authors suggest that the executive should also highlight the consequences of not attending the required training; however, that may bring a negative connotation to your initiative, and from experience, it is better for people to be motivated to learn rather than forced by fear.
All other principles can also be used (and mixed) to support your cybersecurity initiatives, and now, it is up to your imagination to create the perfect blend to improve your cybersecurity strategy.
Summary
In this chapter, we learned about the art of manipulation and how attackers leverage a number of techniques to influence the actions of their victims. We also reviewed the most common profiles targeted by attackers using social engineering.
Then, we moved to a deep dive into the actual tactics and principles used by attackers to influence the victims during a social engineering attack, which included key topics such as scarcity, liking, social proof, and others.
Additionally, we explained what developing rapport means and why this is relevant during a social engineering attack. After that, we moved to a new section in which we explained how attackers leverage people’s empathy to manipulate the victims to bypass some security processes.
We then closed the chapter by reviewing how we can also leverage those principles to support our cybersecurity strategy.
Now, get ready because, in the next chapter, we will acquire a deeper understanding of social engineering by reviewing the different types of social engineering attacks.
Further reading
To further your knowledge of the various topics discussed in the chapter, refer to the following resource:
- System and Method to Prevent Scams by Cesar Bravo, Peter Bahrs, and David Blyler. This patent shows a cognitive system capable of identifying and preventing scam attacks: https://patents.google.com/patent/US10944790B2/en?inventor=cesar+bravo.