Social engineering is an emotional game: here's what you need to know
Social engineering is an emotional game, so it's crucial to understand how criminals manipulate your feelings.
No matter how much security technology we purchase, we still face a fundamental security problem: people. Cybercriminals, as well as pickpockets, magicians, con artists, and spies, are masters of manipulating our emotions.
Javvad Malik, KnowBe4 Security Awareness Advocate, shared his insights and examples of mental manipulation in everyday life during the Black Hat Europe conference.
All warfare, including cyberwarfare, is based on deception, and our perceptions even of scientific facts, such as the weather temperature, vary.
"Our perceptions, our bodies, and our brains don't really care what science thinks in those matters," he said, pointing to the way reporters deliver weather forecasts: they say not only what the temperature is but also what it feels like.
Criminals manipulate our perceptions and feelings to trick us into doing something for their benefit. They are trying to disturb our thinking process - the OODA loop. OODA is a model for decision-making and stands for observe, orient, decide, and act.
"This is a rational process through which most people will come to a decision. The objective of a criminal is to get inside the OODA loop. If you can get inside it and disrupt it, you can get people to take action without going through the thought process. And that's where they all make mistakes. This is how a lot of criminals work," Malik explained.
When scammers call you or send you an email, they always want you to take immediate action. You will not hear them say, 'reply whenever it's convenient to you' or 'at your earliest convenience.'
"It's always 'we are going to shut off your iCloud account within the next two hours unless you buy some gift cards and tell us what the serial numbers are immediately.' People panic, they don't want to lose access to their iCloud and have all their data deleted, so it's about messing with that thought process. If they can get into that, that's where they will be successful," he said.
Probably the best advice here is to step back and take a moment to think so that you can make an informed decision. As Malik pointed out, you can still make a mistake, but at least it will be an 'informed mistake.'
That is why business email compromise (BEC), or CEO fraud, is usually highly successful. According to Malik, CEO fraud costs companies more every year than ransomware does. Ransomware gets the spotlight because it is disruptive, but BEC costs far more.
"One of the reasons it is so effective is because there's no payload within it. It's just a straightforward email. And no end-point detection will find anything," he said.
We are used to scammers impersonating C-suite executives, meaning they pretend to be your boss. However, recent Avanan research claims that threat actors have switched tactics: 29.4% of malicious impersonation emails impersonate an executive, while 51.9% of all impersonation emails attempt to mimic a non-executive in the organization. Non-executives are targeted 77% more often, and there are a few reasons behind this.
"One, security admins might be spending a lot of time providing extra attention to the C-Suite, and hackers have adjusted. Two, non-executives still hold sensitive information and have access to financial data. There is no need to go all the way up the food chain," Avanan claims.
Criminals also trick us by using clickbait. Malik believes that even the smartest of us fall for it sometimes.
"It's more science than you think. I see this picture, 'You won't believe what they caught cashiers doing in the supermarket, watch closely.' And I know this is clickbait, there's no news behind it, but I still get tempted to click on it and see exactly what it is. We fall for this kind of stuff all the time. We like to think that we are cleverer than that, but we all fall for it," he explained.
Unfortunately, clickbait is also used by some media outlets and writers to increase their readership and engagement. Even though the motive is less nefarious, we become used to clickbait and stop registering it as a warning sign of a scam.
Cybercriminals are also creating a false choice architecture.
"Scammers will phone up and say, 'ok, I'm from the tax office, you're overdue three thousand pounds. And there's an open investigation against you, so you can either pay the money now, or you can wait, and the police will be on their way to your house within the hour.' It's a choice - either pay the money or get arrested. And so that builds the framework within the victim's mind that oh, that's the only option I have, I'd better do something. And nobody wants to get arrested," he said.
There are many examples of false choice architecture around us. For example, when you ask a waiter in a restaurant for a glass of water, they will offer you still or sparkling, at which point it becomes a little more difficult to say that you wanted tap water.
"Similarly, an extensive and long wine list. And it's not just the wine list that they place on the table. When you enter, there are already wine glasses on the table. That's a signal for you beforehand to say that this is the type of establishment that expects you to drink wine. If not, then maybe you are in the wrong place," he said.
Another manipulation tactic is the social pressure that people put on others — just saying or showing that someone else or other people are doing something is often enough to persuade someone to do something.
"Again, I'm sticking with restaurants because I think they are master social engineers. If you have a large group at one table, and the table next to you only has two people on it, what restaurants may do is offer the couple their best dessert for free. What will happen? A big group of them will look over and say, 'what are they having? I will have some of that.' And so they just made a sale. This is something criminals use all the time," Malik said.
According to him, it is crucial to understand how we are being manipulated as this is an emotional game. Criminals might appeal to your greed, your helpfulness, or fear.
"That's why whenever there's an incident in the world, say, there's an earthquake somewhere, and there's a tragedy, there will be so many of these scam websites, saying, 'make a donation, save these people,'" he said.
Therefore, every organization must understand where its employees are distracted.
"Email, text messages, social media, anything that is a direct avenue to your employees is the most dangerous attack vector today, and many reports are backing that up. Having your controls at these points, raising awareness is absolutely critical," he concluded.
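As an added illustration of the kind of control Malik is describing at the email layer, the following Python triage function (example code written for this article, not KnowBe4's or Avanan's tooling) scores a message on the cues discussed in the talk: a colleague's display name paired with an outside address, urgency language, a gift-card or serial-number demand, and a "pay or else" false choice. It also records that a payload-free BEC email gives endpoint detection nothing to inspect. The organisation domain, staff names and both sample emails are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example: our own domain and staff names a scammer might spoof.
ORG_DOMAIN = "example.com"
STAFF_NAMES = {"Dana Lee", "Sam Ortiz"}

# Cues drawn from the tactics described in the talk.
URGENCY = re.compile(r"\b(immediately|urgent|right now|asap|within the next \w+ (?:hours?|minutes?))\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|serial numbers?|wire transfer)\b", re.I)
FALSE_CHOICE = re.compile(r"\b(unless|otherwise|or else)\b.{0,100}\b(police|arrest|shut off|suspend)", re.I | re.S)

def score_message(raw: str) -> dict:
    """Score an RFC 822 message on social-engineering cues using only headers and body text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    # Display-name impersonation: a known colleague's name, but the address is outside the organisation.
    if display in STAFF_NAMES and not addr.lower().endswith("@" + ORG_DOMAIN):
        reasons.append("display-name impersonation")
    if URGENCY.search(body):
        reasons.append("urgency")
    if PAYMENT.search(body):
        reasons.append("payment/gift-card request")
    if FALSE_CHOICE.search(body):
        reasons.append("false choice")
    # No attachment and no link: endpoint tooling has nothing to scan, so the wording itself is the signal.
    has_payload = msg.is_multipart() or "http" in body.lower()
    return {"score": len(reasons), "reasons": reasons, "has_payload": has_payload}

# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Dana Lee <dana.lee@webmail.invalid>
To: sam.ortiz@example.com
Subject: Need this done now

Sam, I'm in a meeting and can't talk. Buy four gift cards and send me the serial numbers immediately.
Unless this is done within the next two hours the vendor account will be suspended.
"""

SAMPLE_OK = """From: Dana Lee <dana.lee@example.com>
To: sam.ortiz@example.com
Subject: Q3 figures

Sam, whenever it's convenient, could you send me the Q3 figures? No rush. Thanks, Dana
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_BEC))  # four cues flagged, no payload for endpoint tools to see
    print(score_message(SAMPLE_OK))   # score 0
```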