Did you know that 29% of all data breaches* rely upon social tactics such as email campaigns, phone-based attacks, and social media sites to gain information on specific targets of opportunity? The SANS Institute, a private company specializing in Internet security, defines social engineering as:
“…[The] process of deceiving people into giving confidential, private or privileged information or access to a hacker.”
In a white paper entitled “A Multi-Level Defense Against Social Engineering,” SANS describes the top 7 psychological triggers most often employed.
Psychological Trigger #1: The Strong Affect
An attacker attempts to induce a heightened state of emotion that compromises the victim’s ability to use logic or to employ a counter argument. The emotion can be positive or negative, such as anger, surprise, or elation. The goal is to disengage the victim from their reasoning or skepticism.
Psychological Trigger #2: Overloading
When information comes too rapidly, the human mind experiences overload. The mind goes into a passive mode, and the victim will tend to accept the information since they can no longer scrutinize or process it.
Psychological Trigger #3: Reciprocation
Human nature disposes us to want to repay a favor, or to feel indebted when something of value is promised or offered.
Psychological Trigger #4: Deceptive Relationships
Social engineering (or any con job for that matter) relies on relationships. Building a relationship on perceived common ground can be achieved by appealing to common interests or goals. After the relationship has grown, an attacker can gain all kinds of information.
Psychological Trigger #5: Diffusion of Responsibility and Moral Duty
In this technique, targets are made to feel that they cannot be held responsible for their actions. They can be further compromised when they are made to feel that any actions they take will be for the greater good.
Psychological Trigger #6: Authority
We are conditioned to respond with compliance to authority. Attackers who have established perceived authority are often not questioned by their victims. Once perceived authority is established, verification of legitimacy is rarely challenged.
Psychological Trigger #7: Integrity and Consistency
People often approach others from the perspective of their own honesty and consistency. There is a natural tendency to measure others by what we know and expect of ourselves. As a result, one tends to accept statements or actions as true.
How to Spot a Social Engineering Attack
You must be willing to question and withhold information when things seem suspicious or don’t add up. Often the simple act of pausing to think before you act can make all the difference. Signs of a potential social engineering attack include:
- Any interactions requiring immediate action or creating a sense of urgency. This is a common technique to rush people into making poor choices.
- A refusal by a caller to give contact information or additional information to verify identity.
- Rushing a call, name-dropping, odd questions or requests, or intimidation. In these instances it can often be helpful to put the call on hold in order to process what is being said. The added time to assimilate the information may be just enough to counter a potential attack.
- Misspellings in written or email correspondence as well as embedded hyperlinks that could be malicious. Remember that just because you got an email from someone you know does not mean they sent it. Email addresses can be spoofed, or their computer may be infected with malware.
Social engineering continues to be effective because it relies on how the human mind works. However, if you’re aware of and understand the psychological triggers, and set up defenses for them, you can help protect your business and your customers.
* Verizon’s 2013 Data Breach Investigations Report