Information security professionals frequently warn of the threat that phishing poses to an organisation. Technical controls are often coupled with staff awareness campaigns to help prevent and/or mitigate the clicking of links and the downloading of attachments from untrusted sources.
That said, it is easy to forget that at the root of all social engineering is the psychology of influence.
An attacker is attempting to directly exploit a human victim into providing access or revealing information.
In short, we are the vulnerability.
Sophisticated social engineering manipulates natural human traits that make us want to comply with the attacker.
Examples include:
- The request comes from someone who is likeable or with whom we empathise
- The request comes from someone deemed an authority figure, creating an element of apprehension or fear
- The request seems appropriate because others appear to have already complied (social validation)
- The request implies scarcity, so we fear we’ll miss out on something nice
- The request invokes a feeling of reciprocity, so we feel inclined to return a favour
- The request reminds us that we have previously made a commitment and we wish to remain consistent with that.[1]
A skilled social engineer will tailor any combination of the above to create maximum pressure on a victim.
Attacks might be preceded by significant open-source research and smaller social engineering efforts to obtain pieces of information that should, in theory, be known only by an organisation’s insiders.
This helps to build an attacker’s credibility and assist with targeting.
It is common to convince ourselves that we’d easily spot a social engineering attack and couldn’t possibly fall for one.
Yet it happens, day in, day out, all over the world. With that acceptance of potential fallibility, what warning signs should we look for in our interactions?
- Out-of-the-ordinary requests, even when you think the information asked for is of little value
- Anything that invokes authority, particularly when coupled with a sense of urgency
- Negative consequences for non-compliance with the request
- Name dropping of other people in your organisation who have already helped
- Compliments or flattery that quickly have you liking a person whom you have never met before.
Social engineering played a significant role in one of the most high-profile breaches in history.
Edward Snowden targeted colleagues who had more privileged access than he did.
Unsuspecting staff handed over their personal login credentials (in clear breach of NSA policy) because Snowden convinced them he couldn’t do his job effectively without the higher-level access.[2]
He had a security clearance (so was deemed trustworthy), other staff had already complied, and he came across as a nice guy.
A textbook social engineering attack that manipulated basic human traits.
Snowden’s colleagues were just too eager to please.
[1] K.D. Mitnick et al., The Art of Deception: Controlling the Human Element of Security, Wiley, Indianapolis, 2002, pp. 246-249.
[2] Reuters Technology News, "Snowden persuaded other NSA workers to give up passwords", https://www.reuters.com/article/net-us-usa-security-snowden-idUSBRE9A703020131108 (accessed 4 August 2021).