Technological advances and the Internet have profoundly impacted human civilization. During the pandemic they allowed organizations to keep running their business without anyone going to the workplace, and during lockdown they allowed ordinary people to stay virtually connected from one corner of the world to another. At the same time, people with malicious intent took advantage of the situation to cripple businesses by launching cyber-attacks.
Since the start of the Coronavirus COVID-19 pandemic, the World Health Organisation (WHO) has seen a dramatic increase in the number of cyber-attacks directed at its staff, and in email scams targeting the public at large.
Many real attacks on information systems exploit psychology more than technology. Hackers are exploiting our state of mind while we adjust to working and schooling from home and to all the technological changes that come with it. Their tool of choice for the current situation is psychological manipulation, that is, social engineering. It is not only about vulnerabilities in home networks: attackers go a step further and manipulate system administrators to get into the organization. The best example is the Twitter verified account compromise, in which the attacker used a social engineering attack on 15th July 2020.
This attack, and the increase in attacks during the pandemic, once again proved that humans are the weakest link in the cybersecurity chain.
In this article, we will explain what social engineering is and which psychological elements hackers exploit while conducting these attacks.
What is Social Engineering?
As per Wikipedia: “In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional ‘con’ in that it is often one of many steps in a more complex fraud scheme.”
It has also been defined as “any act that influences a person to take any action that may or may not be in their best interests.”
Social engineering is using deception, manipulation, and influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail. – Kevin Mitnick
Social engineering attacks happen in multiple steps. The attacker first identifies the victim by gathering background information, such as potential points of entry and weak security protocols; this provides the inputs for planning the attack. The second step is gaining the trust of the identified victims and provoking subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
Social Engineering Attack Types and Techniques:
Following are the attack types and techniques used by attackers:
- Phishing – In this type of attack, the attackers target a large number of users using forged email messages or web pages that appear to be legitimate, such as those of the employer, but which in reality are controlled by the attacker. These email messages and pages are often aimed at collecting employee data (for example, passwords).
- Spear Phishing – This is very similar to a phishing attack; the difference is that it targets specific users, so the e-mails are crafted to match the identified victim's profile.
- Whaling – This is spear phishing targeted at high-profile users in the organization, such as the CEO, CFO, etc.
- Vishing – This is voice phishing, in which individuals are tricked into revealing critical financial or personal information to unauthorized entities.
- Smishing – This is SMS phishing – the user is tricked into downloading a Trojan horse, virus, or other malware onto his cellular phone or other mobile devices.
- Pretexting – In this attack the hacker starts by establishing trust with the victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The hacker asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.
- Scareware – This is a form of malware that uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware, and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually, the virus is fictional and the software is non-functional or malware itself.
- There are other types of social engineering which need physical presence near the victim, for example tailgating, shoulder surfing, or dumpster diving.
The Psychological aspect of Social Engineering
The designers of social engineering attacks study human psychology and behavior and take advantage of this knowledge to execute attacks successfully. Psychologists have studied a range of topics about human behavior and these findings must be applied to the cyber world to effectively keep people and their data secure.
As human beings we are affected by negative emotions caused by urgency, stress and fear, and this becomes the weakest link in the cybersecurity chain. Social engineering attacks are based on how people respond and react to certain types of stimuli, e.g.:
- a sense of urgency, when pushed to take action immediately
- being stressed
- a request from higher authority (management or a C-level executive), or a plea to help resolve an issue that is blocking work
- good news or bad news in general
- a delicate or confidential matter
- impersonation of a known sender
During the day we make hundreds of decisions and we surprisingly think about very few of them. Social engineers turn this psychology, and the shortcuts of decision making, to their advantage. They use the following persuasion techniques, which make us decide without much thinking:
- Reciprocity – People don’t like to feel indebted to others. When we’re the recipient of a favor, we tend to try and repay it. Since the start of the pandemic there has been a sharp increase in hacking and phishing activity, including donation scams: dramatic headlines often evoke compassionate responses, spurring activities such as making charitable donations to organizations focused on alleviating suffering.
- Scarcity – People are more likely to want things that they believe are in limited supply, are exclusive, or are not always available. These are generally phishing e-mails with special limited-time discount offers.
- Authority – People don’t like being uncertain. We naturally look for and follow authority figures. The problem is that we have a broad definition of what constitutes an authority figure: uniforms, for example. Attackers take advantage of this; someone in a police officer's uniform can stop your car and ask for your driving license and other details.
- Liking – We listen to people we like, and we like people who compliment us. Unknown people with malicious intentions can compliment you, ask for input to some survey, and gather personal information.
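The persuasion cues listed above (urgency, authority, scarcity, reciprocity, impersonation of a known sender) are exactly what a defender can look for in inbound mail. The following is an added example, not code from the original article: a small Python scorer that counts which cues appear in a message and flags a display name claiming an internal role while the address domain is external. The phrase patterns, the internal domain `example.com`, and the two sample messages are all constructed assumptions for illustration, not a vetted detection ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed internal domain for the impersonation check

# Persuasion cues from the article, mapped to illustrative phrase patterns (assumptions).
CUES = {
    "urgency":     [r"\bimmediately\b", r"\burgent\b", r"within \d+ hours?", r"\bright away\b"],
    "authority":   [r"\bceo\b", r"\bcfo\b", r"\bit department\b", r"\bpolice\b", r"\btax office\b"],
    "scarcity":    [r"\blimited[- ]time\b", r"\bonly \d+ left\b", r"\bexpires? (today|soon)\b"],
    "reciprocity": [r"\bdonat(e|ion)\b", r"\bcharit(y|able)\b", r"\brelief fund\b"],
    "credentials": [r"\bpassword\b", r"\bverify your account\b", r"\blog ?in\b"],
}
ROLE_CLAIM = re.compile(r"\b(ceo|cfo|it support|helpdesk)\b")

def score_message(raw: str) -> dict:
    """Return the cue hits and a simple risk score for one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = {cue: [p for p in pats if re.search(p, text)] for cue, pats in CUES.items()}
    hits = {cue: found for cue, found in hits.items() if found}
    # Impersonation: display name claims an internal role, but the sender domain is external.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if ROLE_CLAIM.search(name.lower()) and domain != INTERNAL_DOMAIN:
        hits["impersonation"] = [f"display name {name!r} from external domain {domain!r}"]
    return {"score": len(hits), "hits": hits}

def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Flag a message once it combines several independent cues (threshold is an assumption)."""
    return score_message(raw)["score"] >= threshold

# Constructed sample messages for demonstration.
SAMPLE = """From: "Jane Doe, CEO" <jane.doe@mail-example.net>
To: staff@example.com
Subject: URGENT: verify your account within 2 hours

Our IT department needs you to confirm your password immediately
so payroll can run. This link expires today.
"""
BENIGN = """From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch on Friday?

Want to grab lunch Friday? No rush.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, score_message(raw))
```

A real deployment would feed the score into mail-filter policy or user warnings rather than blocking outright, since single cues (a genuine deadline, a real charity appeal) are common in legitimate mail.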
How can we improve Social Engineering Awareness?
- To deal with social engineering problems we need to keep in mind that a secure system is one which behaves in a predictable and rational way. However, as psychological research demonstrates, human behavior and decision-making processes are multifaceted and often unpredictable.
- To improve the cybersecurity posture of the organization we need to acknowledge that cybersecurity is a complex socio-technical system. Apart from standard security awareness training, we need to further investigate the human state of mind and human behavior to improve cybersecurity.
- Taking the human psychology traits explained in the earlier paragraphs, and considering cultural context, maliciousness, personality, and other such features of human behavior, there are avenues to explore the intersection between cybersecurity and behavior and to introduce those findings into cybersecurity awareness training.
- Understanding decision making, vigilance, and sheer convenience, which undoubtedly play a role in security, is essential to understanding how to keep ourselves safe in an increasingly cyber world.
- Tapping into the psychology of fear may also help the victims understand what they are experiencing and how to cope with the infringement.
Conclusion
At its core, social engineering is the building and leveraging of influence in order to persuade others to act as you want them to; put another way, to get someone to make a decision that benefits you. We make a phenomenal number of decisions each day and we think about surprisingly few of them, let alone analyze them.
Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder and for this reason, we need to include the behavioral and psychological understanding of human nature and help employees to understand their emotional state and respond to the situation rather than reacting to it.