Why do we fall for social engineering attacks?
Over recent months, I’ve posted several articles on different types of social engineering attacks, including phishing (including how you can report phishing emails), vishing, baiting, water-holing, pretexting, diversion theft, honey traps, quid pro quo and tailgating.
Now that we know what these are, I’m going to look at why people are vulnerable to social engineering attacks. First off, we have to recognise that the biggest factor in a successful socially engineered attack is human error. We click on links that take us to phishing or malware sites. We supply information that can be useful to create spear-phishing and whaling attacks, and we generally don’t recognise when we’re being targeted. It’s all about psychology.
From an early age, we are taught to respect authority so when someone who is an authority figure (an expert in an area) or in a position of authority (teacher, policeman, doctor, etc.) contacts us, we are predisposed to comply with their requests. But are they really who they say they are?
I saw an episode of Wallander where someone from the police phoned the HR department in a company and asked for some information about an employee to be sent to them. The HR person complied because the person said they were from the police. OK, this is fictional and this was probably done to not interrupt the story, but it is exactly how a mal-actor works. He could pretend to be someone from your outsourced IT or finance department asking you to do something or provide some information that would be perfectly normal for those departments to ask for. But are they who they say they are?
We tend to comply with a request when we like the person making it. A mal-actor will spend time building that “liking” with you. Perhaps they discuss things that interest you or your hobbies. He will even learn about your sports team or stamp collecting to appear knowledgeable.
We don’t like to feel that we owe someone something, so the mal-actor gives us something of value – it may be money, a gift or some information. Then, later, he asks us for something in return. Because he’s already given us something of value, we feel an obligation to reciprocate.
Commitment and consistency
This attack is usually linked to some form of public commitment that we’ve made. This doesn’t have to be something we’ve stood up and said before a crowd of people; it could be a contract we’ve signed (like a contract of employment). The mal-actor reminds us of that commitment and then asks us to do something to prove that commitment. For example, we may have agreed with an employer or a client to use strong, secure passwords. He may ask us to prove that by disclosing that password – ignoring that part of the agreement is to not disclose your password to anyone!
Here it appears as though other people that we know have done the same thing. Among the commonest are the “quizzes” or “when did you…” questions on Facebook. For example, we see something that says “When was the first time you went faster than 100mph?” or “Name something that you hate that everybody else likes?”. Then you see that some of your friends have answered. By answering these we are giving away information about ourselves that could possibly be used later in a social engineering attack.
Scarcity is a tactic beloved not only by social engineers, but also marketers. It often comes as a special offer available only for a short time to a limited number of people. Sometimes you have to register to get the gift or offer. You have to create an account with a username and password. Here the mal-actor is hoping that we reuse a password from another site.
This is often associated with reciprocation, however, in this case, the concession is dependent on us providing something at the same time, a “something for something” (quid pro quo) or “I’ll scratch your back, if you scratch mine”.
In addition to these psychological reasons, there can also be practical reasons why people fall for socially engineered attacks. It may be that organisations don’t have policies to help prevent attacks, or if they do, they are poorly understood or enforced.
How can we prevent social engineering attacks? That’s a subject for another blog post!
Do you want to learn more?
Network Midlands runs seminars to help you detect and defeat social engineering attacks. Find out more at “The Art of Deception”.