We now live in a world where holding the door open for someone balancing a tray of steaming hot coffee—she can’t seem to get her access card out to place it near the reader—is something we need to think twice about. Courtesy isn’t dead, mind you, but in this case, you'd almost wish it were. Because the door opens to a restricted facility. Do you let her in? If she really can't reach her card, the answer is clearly yes. But what if there's something else going on?
Holding the door open for people in need of assistance is considered common courtesy. But when someone assumes the role of a distressed woman to count on your desire to help, your thoughtful gesture suddenly becomes a dangerous one. Now, you've just made it easier for someone to get into a restricted facility they otherwise had no access or right to. So what does that make you? A victim of social engineering.
Social engineering is a term you often hear IT pros and cybersecurity experts use when talking about Internet threats like phishing, scams, and even certain kinds of malware, such as ransomware. But its definition is broader than that. Social engineering is the manipulation of, or the taking advantage of, human qualities to serve an attacker’s purpose.
It is imperative, then, that we protect ourselves from such social engineering tactics the same way we protect our devices from malware. With due diligence, we can make it difficult for social engineers to get what they want.
Before we go into the “how” of things, we’d like to lay out other human emotional and psychological aspects that a social engineer can use to their advantage (and to the potential target’s disadvantage). These include emotions such as sympathy, which we already touched on above. Other exploitable traits are as follows:
The majority of us have accidentally clicked a link or two, or opened a suspicious email attachment. And depending on how quickly we were able to mitigate such an act, the damage done could range from minor to severe and life-changing.
Examples of social engineering attacks that take advantage of our carelessness include:
You seem to have received an email supposedly for someone else by accident, and it’s sitting in your inbox right now. Judging from the subject line, it’s a personal email containing photos from the sender’s recent trip to the Bahamas. The photos are in a ZIP-compressed file.
If at this point you start to debate with yourself on whether you should open the attachment or not, even if it wasn’t meant for you, then you may be susceptible to a curiosity-based social engineering attack. And we’ve seen a lot of users get duped by this approach.
Examples of curiosity-based attacks include:
According to Charles E. Lively, Jr. in the paper “Psychological-Based Social Engineering,” attacks that play on fear are usually the most aggressive form of social engineering because it pressures the target to the point of making them feel anxious, stressed, and frightened.
Such attacks make targets willing to do anything they’re asked to do, such as send money, intellectual property, or other information to the threat actor, who might be posing as a member of senior management or holding files hostage. Campaigns of this nature typically exaggerate the importance of the request and use a fictitious deadline. Attackers do this in the hope that they get what they ask for before the deception is uncovered.
Examples of fear-based attacks include:
Whether for convenience, recognition, or reward, desire is a powerful psychological motivation that can affect one’s decision making, regardless of whether you’re seen as an intellectual or not. Blaise Pascal said it best: "The heart has its reasons which the mind knows nothing of." People looking for the love of their lives, more money, or free iPhones are potentially susceptible to this type of attack.
Examples of desire-based attacks include:
This is often coupled with uncertainty. And while doubt can sometimes stop us from doing something we would have regretted, it can also be used by social engineers to blindside us with information that casts something, someone, or an idea in a bad light. In turn, we may end up suspecting the people or things we know to be legitimate and trusting the social engineer more.
One Internet user shared her experience with two fake AT&T associates who contacted her on the phone after she received an SMS report of changes to her account. She said that the first purported associate was clearly fake, getting defensive and hanging up on her when she questioned if this was a scam. But the second associate gave her pause, as the caller was calm and kind, making her think twice if he was indeed a phony associate or not. Had she given in, she would have been successfully scammed.
Examples of doubt-based attacks include:
When calamities and natural disasters strike, one cannot help but feel the need to extend aid or relief. As most of us cannot possibly hop on a plane or chopper and race to affected areas to volunteer, it’s significantly easier to go online, enter your card details into a website receiving donations, and hit "Enter." Of course, not all of those sites are real. Social engineers exploit the related emotions of empathy and sympathy to funnel funds away from those who are actually in need and into their own pockets.
Examples of sympathy-based scams include:
This is probably the human trait most taken advantage of and, no doubt, one of the reasons why we say that cybersecurity education and awareness are not only useful but essential. Suffice to say, all of the social engineering examples we mention in this post rely in part on these two characteristics.
While ignorance is often used to describe someone who is rude or prejudiced, in this context it means someone who lacks knowledge or awareness—specifically of the fact that these forms of crime exist on the Internet. Naiveté also highlights users’ lack of understanding of how a certain technology or service works.
On the flip side, social engineers can also use ignorance to their advantage by playing dumb in order to get what they want, which is usually information or favors. This is highly effective, especially when used with flattery and the like.
Other examples of attacks that prey on ignorance include:
If we’re attentive enough to ALT+TAB away from what we’re looking at when someone walks into the room, theoretically we should be attentive enough to “go by the book” and check that person’s proof of identity. Sounds simple enough, and it surely is, yet many of us give people a pass if we think that getting confirmation would get in the way. Social engineers know this, of course, and use it to their advantage.
Examples of complacency-based attacks include:
Sophisticated threat actors behind noteworthy social engineering campaigns such as BEC and phishing use a combination of attacks, targeting two or more emotional and psychological traits and one or more people.
Whether the person you’re dealing with is online, on the phone, or face-to-face, it’s important to stay alert, especially if your level of skepticism hasn’t yet been tuned to detect social engineering attempts.
Thinking of ways to counter social engineering attempts can be a challenge. But many may not realize that basic cybersecurity hygiene can also be enough to deter social engineering tactics. We’ve touched on some of these practices in previous posts, but here, we’re adding more to your mental arsenal of prevention tips. Our only request is that you use them liberally when they apply to your circumstances.
When it comes to social engineering, no incident is too small to be neglected. There is no harm in erring on the side of safety.
So, what should you do if someone is behind you carrying a tray of hot coffee and can't get to her access card? Don’t open the door for her. Instead, you can offer to hold her tray while she takes out and uses her access card. If you still think this is a bad idea, then tell her to wait while you go inside and get security to help her out. Of course, this is assuming that security, HR, and the front desk have already been trained to respond forcefully against someone trying to social engineer their way in.
The post Social engineering attacks: What makes you susceptible? appeared first on Malwarebytes Labs.