We now live in a world where holding the door open for someone balancing a tray of steaming hot coffee—she can’t seem to get her access card out to place it near the reader—is something we need to think twice about. Courtesy isn’t dead, mind you, but in this case, you’d almost wish it were. Because the door opens to a restricted facility. Do you let her in? If she really can’t reach her card, the answer is clearly yes. But what if there’s something else going on?
Holding the door open for people in need of assistance is considered common courtesy. But when someone assumes the role of a distressed woman to count on your desire to help, your thoughtful gesture suddenly becomes a dangerous one. Now, you’ve just made it easier for someone to get into a restricted facility they otherwise had no access or right to. So what does that make you? A victim of social engineering.
Social engineering is a term you often hear IT pros and cybersecurity experts use when talking about Internet threats like phishing, scams, and even certain kinds of malware, such as ransomware. But its definition is even more broad. Social engineering is the manipulation or the taking advantage of human qualities to serve an attacker’s purpose.
It is imperative, then, that we protect ourselves from such social engineering tactics the same way we protect our devices from malware. With due diligence, we can make it difficult for social engineers to get what they want.
Know thy vulnerable self
Before we go into the “how” of things, we’d like to lay out other human emotional and psychological aspects that a social engineer can use to their advantage (and the potential target’s disadvantage). These include emotions such as sympathy, which we already touched on above. Other traits open for vulnerability are as follows:
The majority of us have accidentally clicked a link or two, or opened a suspicious email attachment. And depending on how quickly we were able to mitigate such an act, the damage done could range from minor to severe and life-changing.
Examples of social engineering attacks that take advantage of our carelessness include:
- Homograph attacks
- Blackhat SEO/SEO poisoning
- Tailgating or piggybacking
You seem to have received an email supposedly for someone else by accident, and it’s sitting in your inbox right now. Judging from the subject line, it’s a personal email containing photos from the sender’s recent trip to the Bahamas. The photos are in a ZIP-compressed file.
If at this point you start to debate with yourself on whether you should open the attachment or not, even if it wasn’t meant for you, then you may be susceptible to a curiosity-based social engineering attack. And we’ve seen a lot of users get duped by this approach.
Examples of curiosity-based attacks include:
- Malware campaigns in social networking sites (“Hot video” Facebook scam, celebrity scandals)
- Other scams that bait you with exclusive content (videos related to accidents or calamities)
- “Who visited your profile” social media scams
- USB attacks
- Snail mailed CD attacks
According to Charles E. Lively, Jr. in the paper “Psychological-Based Social Engineering,” attacks that play on fear are usually the most aggressive form of social engineering because it pressures the target to the point of making them feel anxious, stressed, and frightened.
Such attacks make participants willing to do anything they’re asked to do, such as send money, intellectual property, or other information to the threat actor, who might be posing as a member of senior management or holding files hostage. Campaigns of this nature typically exaggerate on the importance of the request and use a fictitious deadline. Attackers do this in the hopes that they get what they ask for before the deception is uncovered.
Examples of fear-based attacks include:
- Business email compromise (BEC)/CEO or CFO fraud
- Blackmail/extortion (sextortion, ransomware)
- Cold call scams
- Rogue software (fake AV)
- Malware campaigns that pretend to be fake software patches
Whether for convenience, recognition, or reward, desire is a powerful psychological motivation that can affect one’s decision making, regardless of whether you’re seen as an intellectual or not. Blaise Pascal said it best: “The heart has its reasons which the mind knows nothing of.” People looking for the love of their lives, more money, or free iPhones are potentially susceptible to this type of attack.
Examples of desire-based attacks include:
- Catfishing/romance fraud (members of the LGBTQ community aren’t exempt)
- Certain phishing campaigns
- Scams that bait you with money or gadgets (e.g. 419 or Nigerian Prince scams, survey scams)
- Lottery and gambling-related scams
- Quid pro quo
This is often coupled with uncertainty. And while doubt can sometimes stop us from doing something we would have regretted, it can also be used by social engineers to blindside us with information that potentially casts something, someone, or an idea in a bad light. In turn, we may end up suspecting who or what we think we know is legit and trusting the social engineer more.
One Internet user shared her experience with two fake AT&T associates who contacted her on the phone after she received an SMS report of changes to her account. She said that the first purported associate was clearly fake, getting defensive and hanging up on her when she questioned if this was a scam. But the second associate gave her pause, as the caller was calm and kind, making her think twice if he was indeed a phony associate or not. Had she given in, she would have been successfully scammed.
Examples of doubt-based attacks include:
- Apple iTunes scams
- Payment-based scams
- Payment diversion fraud
- Some forms of social hacking, especially in social media
Empathy and sympathy
When calamities and natural disasters strike, one cannot help but feel the need to extend aid or relief. As most of us cannot possibly hop on a plane or chopper and race to affected areas to volunteer, it’s significantly easier to go online, enter your card details to a website receiving donations, and hit “Enter.” Of course, not all of those sites are real. Social engineers exploit the related emotions of empathy and sympathy to grossly funnel funds away from those who are actually in need into their own pockets.
Examples of sympathy-based scams include:
- Fake orphanages (prevalent in Cambodia)
- Disaster fraud, for which Fraud Magazine identified five primary categories: charitable solicitations, contractor and vendor fraud, forgery, price gouging, and property insurance fraud
- Cancer fraud
- Specific physical social engineering attempts, like this one
- Scams that take advantage of crowdfunding websites like Indiegogo, GoFundMe, or Kickstarter
Ignorance or naiveté
This is probably the human trait most taken advantage of and, no doubt, one of the reasons why we say that cybersecurity education and awareness are not only useful but essential. Suffice to say, all of the social engineering examples we mention in this post rely in part on these two characteristics.
While ignorance is often used to describe someone who is rude or prejudice, in this context it means someone who lacks knowledge or awareness—specifically of the fact that these forms of crime exist on the Internet. Naiveté also highlights users’ lack of understanding of how a certain technology or service works.
On the flip side, social engineers can also use ignorance to their advantage by playing dumb in order to get what they want, which is usually information or favors. This is highly effective, especially when used with flattery and the like.
Other examples of attacks that prey on ignorance include:
- Venmo scams
- Amazon gift card scams
- Cryptocurrency scams
Inattentiveness or complacency
If we’re attentive enough to ALT+TAB away from what we’re looking at when someone walks in the room, theoretically we should be attentive enough to “go by-the-book” and check that person’s proof of identity. Sounds simple enough, and it surely is, yet many of us yield to giving people a pass if we think that getting confirmation gets in the way. Social engineers know this, of course, and use it to their advantage.
Examples of complacency-based attacks include:
- Physical social engineering attempts, such as gaining physical access to restricted locations and dumpster diving
- Diversion theft
Sophisticated threat actors behind noteworthy social engineering campaigns such as BEC and phishing use a combination of attacks, targeting two or more emotional and psychological traits and one or more people.
Whether the person you’re dealing with is online, on the phone, or face-to-face, it’s important to be on alert, especially when our level of skepticism hasn’t yet been tuned to detect social engineering attempts.
Brain gyming: combating social engineering
Thinking of ways to counter social engineering attempts can be a challenge. But many may not realize that using basic cybersecurity hygiene can also be enough to deter social engineering tactics. We’ve touched on some of them in previous posts, but here, we’re adding more to your mental arsenal of prevention tips. Our only request is you use them liberally when they apply to your circumstance.
- If bearing a dubious link or attachment, reach out and verify with the sender (in person or via other means of communication) if they have indeed sent you such an email. You can also do this to banks and other services you use when you receive an email reporting that something happened with your account.
- Received a request from your boss to wire money to him ASAP? Don’t feel pressured. Instead, give him a call to verify if he sent that request. It would also be nice to confirm that you are indeed talking with your boss and not someone impersonating him/her.
Phone (landline or smartphone)
- When you receive a potentially scammy SMS from your service provider, call them directly instead of replying via text and ask if something’s up.
- Refrain from answering calls not in your contact list and other numbers you don’t recognize, especially if they appear closely related to your own phone number. (Scammers like to spoof area codes and the first three digits of your phone to trick you into believing it’s from someone you know.)
- Avoid giving out information to anyone directly or indirectly. Remind yourself that volunteering what you know is what the social engineers are heavily counting on.
- Apply the DTA (Don’t Trust Anyone) or the Zero Trust rule. This means you treat every unsolicited call as a scam and ask tough questions. Throw the caller off by providing false information.
- If something doesn’t feel right, hang up, and look for information online about the nature of the call you just received. Someone somewhere may have already experienced it and posted about it.
- Be wary when someone you just met touches you. In the US, touch is common with friends and family members, not with people you don’t or barely know.
- If you notice someone matching your quirks or tendencies, be suspicious of their motives.
- Never give or blurt out information like names, department names, and other information known only within your company when in the common area of your office building. Remind yourself that in your current location, it is easy to eavesdrop and to be eavesdropped on. Mingle with other employees from different companies if you like, but be picky and be as vague as possible with what you share. It also pays to apply the same cautious principle when out in public with friends in a bar, club, or restaurant.
- Always check for identification and/or other relevant papers to identify persons and verify their purpose for being there.
- Refrain from filling in surveys or playing games that require you to log in using a social media account. Many phishing attempts come in these forms, too.
- If you frequent hashtagged conversations (on Twitter, for example), consider not clicking links from those who are sharing, as you have no idea whether the links take you to destinations you want. More importantly, we’re not even sure if those sharing the link are actual people and not bots created to go after the low hanging fruit.
- If you receive a private message on your social network inbox—say on LinkedIn—with a link to a job offer, it’s best to visit the company’s official website and look up open positions there. If you have clicked the link and the site asks you to fill in your details, close the tab.
happy smart ending
When it comes to social engineering, no incident is too small to be neglected. There is no harm in erring on the side of safety.
So, what should you do if someone is behind you carrying a tray of hot coffee and can’t get to her access card? Don’t open the door for her. Instead, you can offer to hold her tray while she takes out and uses her access card. If you still think this is a bad idea, then tell her to wait while you go inside and get security to help her out. Of course, this is assuming that security, HR, and the front desk have already been trained to respond forcefully against someone trying to social engineer their way in.