Social engineering is a term used for a wide variety of activities used by threat actors to manipulate or trick end users into bypassing security controls or providing sensitive information (such as login credentials) — that they then use to obtain unauthorised access to the systems they target.
In today’s digital landscape, social engineering has become a pervasive threat to individual and organisational security. For years cybercriminals have mastered the art of hacking human behaviours to manipulate us into revealing sensitive information or performing malicious actions. But what are the mechanisms which drive this manipulation? And can we protect ourselves against these clever tactics?
To answer these questions, let’s dive into the world of social engineering and explore the psychological principles that underpin its success. We can refer to the six principles of persuasion identified by Robert Cialdini in his famous book “Influence: The Psychology of Persuasion.” You are not surprised that hackers are interested in it, right? It should be noted, however, that these principles are used not only by cybercriminals but also (predominantly) by marketers and salespeople to induce people to take action. So how do they do it? There is no magic, but a solid knowledge of human psychology. Let us explain by starting with the principals and techniques.
Social Engineering Techniques Used by Cybercriminals
The Power of Reciprocity
Have you ever received a gift from someone, only to feel obligated to return the favour? This is the principle of reciprocity in action. Cybercriminals use this principle to their advantage by offering “gifts” or services that seem too good to be true, with the malicious motive of gaining access to our personal information or compromising our IT systems. Fun fact: research in social psychology has demonstrated that when individuals receive a holiday greeting from an unknown unfamiliar person, roughly 20% will reciprocate with a similar gesture. This is from another research: offering a complimentary small treat at the end of a meal by a waiter can boost tips by an impressive 18-21%.
In the case of cyber security, a phishing email may promise a free antivirus scan or a discount on a popular software program in exchange for your login credentials. The offer seems legitimate and appealing, but in reality, it’s a trick to get you to reveal sensitive information.
The Scarcity Principle
If something is scarce, we immediately want it more! Imagine being told that a limited-time offer is available, only to be left feeling anxious and uncertain if you don’t take advantage of it right away. This is the scarcity principle at work. Cybercriminals use this principle to create a sense of urgency, making us more likely to act impulsively without thinking through the consequences.
For example, an email may claim that your account will be deactivated unless you click on a link and verify your information within a certain (limited!) period of time, e.g. 24 hrs. The threat of losing access to your account creates a sense of panic, leading you to act quickly without fully considering the risks involved. Another typical example is a phishing attempt that claims: “We’ll double your Bitcoin if you donate to XYZ website within the next 24 hrs. This is a one-off offer only for you!” This tactic leverages the scarcity principle, potentially inducing panic in victims who feel compelled to act quickly or risk missing out on the supposed opportunity.
The Authority Principle
Who do we trust more: a stranger or an expert in their field? Cybercriminals know that authority figures have a significant impact on our decision-making process. They often impersonate experts or use fake credentials to gain our trust and manipulate us into taking certain actions.
For instance, an email (or a phone call) may claim to be from a reputable well-known organisation or a government agency, with the sender posing as an expert in their field. The sender may request sensitive information or ask you to perform a specific action, all seeming solid, legitimate and trustworthy.
The Consistency Principle
Have you ever committed to something, only to feel obligated to follow through on your commitment? A classic example is the “foot-in-the-door” technique, where researchers found that people were more likely to agree to display an unsightly billboard on their lawn if they had previously agreed to place a small postcard in their window supporting a Drive Safely campaign. This initial commitment serves as a psychological anchor, making it easier for individuals to commit to larger, yet still consistent, changes. By obtaining these commitments in writing, influencers can increase the likelihood of successful influence. It does not come as a surprise that cybercriminals use this principle to get us to take small steps that ultimately lead to compromising our security. Take a look at the following scenario:
Scenario: A malicious actor, “John”, is trying to convince a victim, “Sarah”, to donate to a fake charity.
Initial Commitment: John sends Sarah an email saying: “I saw that you’re passionate about helping animals. Can you spare 5 minutes to sign our petition?”
Sarah agrees and signs the digital petition.
Amplification: John follows up with another email saying: “Thank you for signing our petition! We appreciate your support. Would you like to learn more about our charity and how we’re making a difference in animal welfare?”
Sarah agrees and starts learning more about the charity.
Consistency Commitment: In his next email, John asks Sarah to donate $50 to the charity. He frames it as: “We’ve been really impressed by your commitment to helping animals. A small donation of just £50 would go a long way in supporting our cause.”
Sarah is more likely to agree to donate because she has already committed to signing the petition and learning about the charity, making her feel obligated to follow through with a consistent action.
The Liking Principle
Who do we trust more: someone who is familiar and likeable or a stranger? Many research studies show that we tend to form trust with people we like or who show us affection. Also, science tells us that there are three fundamental factors that influence our liking: Firstly, we tend to develop a strong affinity for individuals who share similar values and interests to ours. Secondly, we are drawn to people who offer genuine praise and acknowledgement. Lastly, we forge meaningful connections with those who collaborate towards common objectives.
Cybercriminals know very well that building rapport with us can increase the probability of getting us to take certain actions. They often use social engineering tactics like chatting with you on social media or pretending to be a friend or acquaintance.
For instance, an innocent-looking email may claim to be from a friend who is having trouble accessing their account and needs your help to resolve the issue. The request seems friendly and harmless, but it’s actually a way for cybercriminals to gain access to your or your friend’s accounts and steal sensitive information.
The Consensus Principle
If many others are doing something, it must be correct. Social engineers may use this principle by presenting their requests as part of a larger movement. Imagine being part of a group that has come to a collective decision. Don’t we often feel more inclined to follow their lead? Cybercriminals use this principle to create a sense of consensus around a particular issue, making us more likely to take action without questioning the legitimacy of the request.
For example, an email may claim that everyone in your organisation has received a similar message and is being asked to perform a certain task. Would you say “no” when everyone already said “yes”? The sense of consensus creates a feeling of fear of missing out, leading you to act quickly without fully considering the risks involved, moving straight into the trap.
AI and Social Engineering
In addition to human social engineering tactics described above, attackers have also leveraged artificial intelligence (AI) to launch targeted attacks. These days we are dealing with deep fakes and voice cloning techniques which bring social engineering to a completely new level. AI-powered chatbots and voice assistants can be used to impersonate a legitimate source, creating a strong sense of familiarity and trust with their victims. These AI-powered agents can then ask for sensitive information or request that we perform certain actions.
Furthermore, machine learning algorithms can analyse our behaviour and preferences to create personalised phishing emails or messages that are tailored to our needs, wishes or specific interests (e.g., based on publicly available information and the context of the conversation). This means that attackers can use AI to launch highly sophisticated targeted attacks, making them even more difficult to detect and prevent.
How Risk Crew Can Help
At Risk Crew, we recognise the importance of protecting ourselves against social engineering attacks. To combat this threat, we offer comprehensive security awareness training programs for your personnel that educate them on the tactics and techniques used by cybercriminals. Our training sessions focus on identifying and resisting social engineering attacks, as well as best practices for handling suspicious emails and phone calls.
Additionally, we can conduct simulated social engineering attacks to test your employees’ skills in recognising and responding to these types of threats. Through these exercises, you can identify areas for improvement within your organisation and later receive targeted training to ensure that all personnel are equipped with the knowledge and skills necessary to effectively prevent social engineering attacks. By investing in employee education and awareness, you can significantly reduce the risk of falling victim to these tactics and protect your organisation from danger.
Some Additional Tips for Avoiding Social Engineering Attacks:
- Use strong passwords and enable multi-factor authentication: Protecting your accounts with strong passwords and enabling multi-factor authentication can significantly reduce the risk of falling victim to social engineering attacks.
- Always verify identities: Be cautious of unsolicited requests from unknown sources, especially those that claim to be from authority figures or claiming to be experts in their field.
- Be wary of any time-limited offers: Scarcity tactics are designed to create a sense of urgency. Take your time and think carefully before acting impulsively.
- Educate yourself: Learn more about social engineering tactics and how to identify them. Stay informed and vigilant against evolving threat landscapes.
What Will the Future of Social Engineering Hold?
Social engineering attacks are a serious threat to individual and organisational security. By understanding how cybercriminals manipulate us using psychological principles, we can take proactive steps to protect ourselves against these tactics. As technology continues to evolve, social engineering tactics will become increasingly sophisticated. It’s essential for individuals and organisations to monitor the situation and develop strategies to prevent these attacks.
By understanding the psychological principles that underpin social engineering attacks, it is possible to take proactive steps to protect ourselves and our businesses against manipulation and exploitation. Embrace risks, before they embrace you.
Learn About Our Social Engineering Testing Contact Us For A Quote Or A Chat