The Targets and The Training
From Fortune 500 companies, to kids and retirees, and everyone in between, we are all potential targets of social engineers. Social-Engineer.org (SEORG) looks at the tactics, how they are used against us, and how we can all identify them to our benefit. It provides free resources for everyone, because everyone can be a victim of a social engineer’s tactics. We, as humans, are the targets. We are the targets and we are the training. Let’s break this down…
Social Engineering AKA Human Hacking
You might ask how one type of training could truly be for everyone. An equally thoughtful question is why it is important to learn about social engineering. In this case, the answer to both is simple – social engineering targets humans.
The influence and manipulation tactics in social engineering have long been used by scammers and con artists, often with devastating results. Technology continues to change, and it outpaces our own evolution. Put another way, our behavior as humans, socially and from a psychological standpoint, changes far more slowly than technology does. This is what social engineering exploits.
Social engineering is an attack vector that relies heavily on human interaction and often involves influencing people to do something that may or may not be in their best interests. There are multiple tactics used that are nothing more than psychological and physiological know-how applied from one human to another. Astonishingly, social engineering attempts and exploits simply rely on a person’s psychology and the weight of social norms. Attempts can include phishing, vishing and in-person attacks.
Susceptibility
Children, adults, professionals, retirees – we are all susceptible. Basically, anyone that’s human can become a target. Anyone that’s a target can become a victim.
Children utilize social engineering methods early in life. They make use of multiple methods, with the most common focused on a parent’s desire to make the child happy. Just as they can sweet talk you into forgiving them for leaving their Hot Wheels cars at the foot of your bed, an adult can generally convince a child of just about anything, especially through the use of fear.
A child that feels an adult is nice, approachable, amiable and likable is likely to place trust in that adult. This is a form of social engineering, at times, on the part of the adult. This of course can have a range of outcomes – some of those outcomes can be brilliant, like the teacher that cajoles a class into learning. But some of the outcomes can be devastating, like the adult that takes advantage of a child. All of this can be reduced to social engineering. Therefore, teaching children how to identify social engineering techniques is invaluable in any case. Right up until you try to sweet talk them into going to sleep and they call you out on your tactic, or worse, try to negotiate with you.
Adults are just as susceptible to social engineering attacks. As humans, we like people who like us. We tend to flock to those that don’t continually contradict or challenge us in unproductive ways. We like it when people validate us and our beliefs. These are all tactics that a good social engineer can use over the course of a conversation. More deceitfully, they can employ these same tactics in a phishing email and over the phone.
Using Psychology Against Us
Social engineering, boiled down, means using something we all have in common against us – being human. Drilling down into this a little more, we’ve listed the cunning and artful ways in which our own psychology may be exploited.
Urgency
Social engineers use language that instills a sense of urgency in their victims. This creates a sense of pressure and a need to make a decision on the spot. This, of course, is used by many salespeople too, but with far less damaging consequences… usually. Unless you’ve just bought three George Foreman grills because they were “definitely the last on earth.”
Helpfulness
In real social engineering attacks, not all tactics are built upon negative human tendencies. Sometimes just feeling that someone truly needs our help is enough. Giving a small, tiny tidbit of information, like your boss’ email, doesn’t seem such a big hurdle when “Doug” is convincingly telling you he will be fired if he doesn’t get this presentation sent to him now. He’s also just had a baby, which is why his computer is broken with all his contacts still on it. Baby puke is devastating in more than one way. Plus, he’s on the night feeds so his wife can sleep. He’s a real gentleman, you know.
To top it off, his boss is looking for a reason to fire him, so if you would only let him know the email address, he can keep his wife from having to go back to work early and he can keep it all together for one more day.
It’s human to not only want to help, but to feel stressed as a third party merely reading about this. Sometimes all of the tactics used are stressful for the target. Human empathy can be used against us.
Greed
More often than not, performing an action will get you a reward. This can take the form of a “competition” or a referral program in which you’ll get $50 for simply clicking the link and looking over some information for a company looking to employ someone you once worked with. A classic example is, of course, the Nigerian Prince scam. To be rich, just give over your bank account number. There’s a Nigerian prince that would love to give you his fortune.
Fear
Fear is one of our most powerful motivators as humans. Whether in the form of a phony email that your online bank account has been compromised and requires a password change, or an urgent bank security notice, these scams rely on our fear of something bad happening because we either didn’t react at all or didn’t react quickly enough.
At Social-Engineer, LLC (SECOM) we can proudly say we never use fear when simulating the bad guys for our clients. At our corporate site Social-Engineering.com, you can read the reasons why.
Side Stepping Social Engineering
Humans love a story. It’s arguably how our species has come so far. What we do not like is when the story doesn’t match up to our perception.
To sidestep social engineers, follow verified processes, raise awareness through trusted third-party vendors, and create a culture where talking about these tactics openly and honestly both helps internal awareness and effects real change. Processes may seem like a cop-out, but allowing process to outweigh those natural tendencies requires little more than a moment of critical thinking and follow-through. The next time someone calls you asking for your manager’s name or your email, ask them theirs and tell them you will call them back. The next time your child bargains with you to keep their room tidy if they can watch TV ten minutes longer, maybe just give in to it. They might be the greatest social engineers on earth. Alas, they are unemployable for us (for now).
Written by: Maxie Reynolds