Five common strategies used by social engineers to ruin your life
Tue 24 Nov 2015
For social engineers, humans are simply machines that can be controlled once you have studied them enough. Whether operating covertly or in plain sight, they are hackers of the human brain, intent on accessing your online systems, defrauding you, or extracting information that you do not want to reveal, or are not supposed to.
Here are the top five common strategies social engineers use to defraud you, trick you, cheat you or stalk you.
1. Research Their Target
The best way to get information is to have information. The more the attacker already knows about you, your peers, or your organization, the easier it is for them to trick you into giving up more of what you know. This works because of an assumption most of us make without noticing: if somebody already knows a bit about a project, they are probably entitled to know the rest of it.
A social engineer keeps an eye out for any references, nick names, and codes that could help them get closer to the target, whether they are after a document, a project or an individual. They will closely follow every mention and post related to what they are after on social media. Every check-in and picture can reveal seemingly unimportant information that by themselves are not compromising. But pieced together, these tidbits can help somebody create the impression that they were present at certain events or have some ties with the target.
Note the difference between the following two questions:
“Where is your chief executive traveling to next and why?”
“You are sponsoring the conference in the big city next month. Will Samuel be there? I can’t wait to hear about his last hiking trips!”
2. Assert Their Authority
Large corporations and government organizations rely on chains of command to efficiently delegate responsibility among thousands of employees across the globe. This, however, leaves those at the lower end of the chain vulnerable to instructions issued illegitimately by an attacker impersonating authority.
To make matters worse, employees might not always be certain who they report to. They might have many superiors scattered around the globe whom they have never met. Those bosses in turn have bosses of their own, and it is easy to see how nobody could say precisely to whom they are accountable, or recognize the voice of someone who claims to be three levels up.
To exploit this, a social engineer would simply assert authority, pressuring the target into acting swiftly and without much resistance. With the right combination of anger and kindness, an urgent-sounding message is sufficient to drive the target to action.
“I can’t access my company email account and am about to give a presentation. You must send the earnings report to my private email now! Sorry for yelling at you. I know it’s not your fault. But I really need those reports!”
3. Exploit Your Kindness
We do not want to be suspicious of other people and are often offended when people are suspicious of us. In most social settings, suspiciousness is met with ridicule. If you voice your suspicions of something or someone, you might be dismissed as a “conspiracy theorist” or associated with psychological issues like paranoid personality disorder.
As a result, we opt for kindness instead of suspicion. If somebody is asking a question, they’re just curious, right? They don’t intend to do harm with your answer, right?
We also repeatedly seek the validation of our peers, especially in a work environment where the climate can be harsh and compliments rare. A bitter and cold office is the perfect place for a social engineer to use compliments and smiles to encourage people to go a bit out of their way to provide helpful answers or documents. This works as well in person as it does online or on the phone.
A social engineer might exploit your pride in a similar way as your kindness, responding to your unwillingness to help them with insults of incompetence or inability. Nobody wants to feel insignificant and little, so you might go out of your way to show your importance by stepping up to fulfil someone else’s wishes. You might even break company policy for that, and consciously too.
4. Play with Your Associations
One day you get a phone call. “Hey Mark, it’s me, Ben! I’m just back from this amazing paragliding tour of the Rocky Mountains!” Maybe you don’t remember who Ben is, but you do have this distant friend who would go paragliding in the mountains, and now your mind is tricking you into thinking Ben is him.
Or you honestly don’t remember Ben, and you feel guilty about that. So you play along until you either forget that you don’t know who is calling or your mind tricks you into thinking that you do.
This not only works with people, but also with places, projects, and information. Social engineers know this and use it selectively. For example, an attacker might be researching a secret project that they know very little about. They might only have a clue about who is working on it and approach this person with a vague set of sentences. They play with the person's associations until they arrive at this cautious answer: “Are you talking about project Mandarin, maybe?”
5. A Treasure Trove of Tactics
Social engineers can choose from a treasure chest of well proven tactics that exploit social interaction to pursue their goals. They can mix them, reinvent them, and apply them at will to maximize their success. Learn how these simple tricks work so you can protect yourself against them.
With pretexting, the well prepared attacker gives the impression that the target is in control of the situation by pretending that security and privacy protections are in place. This also signals to the target that this is not a cold call. For example, the attacker might thank the victim for their time and ask them to verify simple account or identity information. After a trust relationship is established, this can be used to extract additional information from the target, or to have the target perform tasks, such as disabling security systems or installing software.
Diversion tactics are most commonly used in scams and thefts. The attacker gathers as much knowledge as possible about a transfer of valuable data, money, or goods in order to trick the sender into diverting it. The bank account switch scam has become notorious in many parts of the world. A classic example is being tricked into paying your rent into your landlord’s “new” bank account. By the time the landlord asks you about the missing payment, the money is long gone.
Humans are curious and like free stuff, and attackers can use that against us. In a simple version of the baiting trick, infected USB sticks or CDs are left lying around in popular places. Some people might pick them up, plug them in at home, and have their computer infected with malware. In more sophisticated and expensive baiting tricks, you might win a free laptop that comes preinstalled with impossible-to-remove malware. Once you move your data over to the shiny new computer, it’s all gone.
A phishing scam can be untargeted and aimed at millions of users, such as when a mass email asks the recipients to “unlock” their online payments accounts. Instead of directing users to the legitimate website, the victims are tricked into entering their information into a site that belongs to the attackers. The link text in such a message usually shows the legitimate address; the destination the browser actually opens is a different host, often one that merely contains the legitimate name somewhere in it.
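As an added example, not code from the original article, here is the check a defender (or a mail filter) would run on the "unlock your account" message above: extract every link, resolve the host the browser would really connect to, and compare it with both the host shown in the link text and the domain the message claims to come from. The e-mail body, the domain `payments-example.com` and the function names are all constructed for this example; the two tricks it catches, a legitimate name prefixed to an attacker's domain and a legitimate name placed in the user-info part before `@`, are standard phishing techniques.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a mass "unlock your account" phishing e-mail (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your online payments account has been limited.</p>
<p>Please <a href="https://payments-example.com.account-unlock.example.net/login">
unlock your account</a> within 24 hours.</p>
<p>Or visit <a href="https://payments-example.com@203.0.113.10/verify">https://payments-example.com/verify</a></p>
<p>Help: <a href="https://help.payments-example.com/contact">help.payments-example.com</a></p>
"""

# Domain the message claims to come from (an assumption for this example).
EXPECTED_DOMAIN = "payments-example.com"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse newlines and runs of spaces inside the anchor text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Host the browser would connect to. urlsplit() discards anything before
    '@' in the authority, so 'https://good.example@203.0.113.10/' -> '203.0.113.10'."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domain):
    """True only if host is domain itself or a subdomain of it. A plain substring
    test would wrongly accept 'domain.attacker.example'."""
    return host == domain or host.endswith("." + domain)


def looks_like_url(text):
    """Heuristic: the anchor text is presenting itself as an address."""
    return text.startswith(("http://", "https://")) or ("." in text and " " not in text)


def check_links(html, expected_domain):
    """Return one finding per link; 'suspicious' is True when the real host is
    outside expected_domain or differs from the host shown in the link text."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not belongs_to(host, expected_domain):
            reasons.append("host %r is not under %s" % (host, expected_domain))
        if looks_like_url(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host:
                reasons.append("link text shows %r but points to %r" % (shown, host))
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML, EXPECTED_DOMAIN):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print("%-10s %s" % (flag, f["href"]))
        for r in f["reasons"]:
            print("           - " + r)
```

Run as-is it flags the first two links and passes the genuine help link. Two caveats: `belongs_to` treats `payments-example.com` as the registrable domain because the example says so, it does not consult the public suffix list, and nothing here detects look-alike names such as a digit `1` standing in for the letter `l`; those need a separate comparison against the real domain.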
Quid pro quo attacks play on the naivety of users facing trouble with their Internet or computer. How many people would an attacker have to call before reaching one who is currently waiting for a call-back from customer service? Not many, it turns out: a lot of people have trouble with their electronics every day. And since their Internet service provider isn’t calling them back, maybe an attacker will step in as their knight in shining armor. Eagerly awaiting the phone call, a victim might blindly follow even the most ridiculous instructions, installing malware on their computer or handing over sensitive information.
If you are appropriately dressed, seem to know what you are doing, and smile, you might find you can walk into almost any situation. Add the fact that people tend to hold the door open for the person walking behind them, and that they are uncomfortable asking a stranger for identification, and you’ll find the door is always open to you. The practice of tailgating people into weddings was the premise of the 2005 comedy Wedding Crashers. Simple yet effective for social engineers.
Social Engineering: A Hidden Threat Everywhere
Social engineering is possibly a bigger threat to organizations and individuals than other forms of hacking. To those who carry sensitive information, valuable assets, or see their personal safety at risk, it is important to build security protocols and educate each of the individuals involved about how social engineering works, how it can be damaging, and how you can protect yourself.
In the meantime, it’s probably best not to answer your phone!