In data security the weakest link is all too often a human being. Despite security measures such as firewalls, passwords and even security staff trained to keep intruders out, it is sometimes childishly simple to get access to confidential information by using manipulation techniques to influence people. Human behavior and the protection of confidential information are closely linked. Without intending to do so, someone who is inattentive can open the digital doors to hackers and give them access to confidential information, allowing them to commit identity fraud and more. People are continuously being manipulated, influenced and misled. Not only by advertisers, call center agents, online shopping sites and car dealers, but also by colleagues, friends and cybercriminals who want something from them. More and more frequently, we see cybercriminals taking advantage of human weaknesses in a variety of ways.
The psychology behind social engineering
Extensive research into human behavior is nothing new. So how can human behavior be explained? How does it happen that people fall massively for phishing mails and that so many of us are seemingly happy to give social engineers access to our confidential information? Well known behavior researcher Robert Cialdini states that there are six universal principles of influence that determine human behavior. Social engineering makes use of these principles to manipulate their potential victim and prompt certain behavior. The six principles of influence are:
- Reciprocity. The urge to give something in return for what other people have given us. Someone who feels they owe something to someone else will give in much more easily when asked to return the favor.
- Commitment and consistency. The urge to act in keeping with what we have done or said before. If we’ve previously expressed an opinion or made a choice, we are inclined in future situations to make a similar choice.
- Social proof. Our judgement of correct or incorrect behavior is related to other people’s behavior. When people do something in the same way as ourselves, or it’s something we’ve seen before, we’re more likely to label it as correct.
- Sympathy. It feels unfriendly not to comply with an urgent request, and we’re more likely to say yes if it comes from someone we like, feel attracted to, who flatters us, or who shares (purportedly) similar interests. In these cases, when pressure is applied, refusing becomes difficult.
- Authority. Since birth we’ve been taught that it is right to obey proper authorities and respect the power they have. Would you mistrust a fireman coming to check smoke detectors?
- Scarcity. We attach more value to certain things if we believe there is a shortage of them. When there is only one article left in stock, we are inclined to grab the opportunity before it is too late. If there is a risk of losing something, we tend to resist strongly (acquisitiveness).
Besides these six principles, the time that someone is given to make the right behavioral decision also plays an important role in influencing the outcome. In a social engineering attack, the victim is often persuaded to act very quickly. Phishing mails, for example, often threaten to block bank cards and accounts if the recipient does not react within 24 hours. The victim is prompted to quickly log in to a seemingly legitimate online portal that has, in fact, been simulated by the hacker to look like the bank’s site. The victim will base their choice on the limited information that is given at that moment, and if the above-mentioned principles are successfully applied, the time pressure will cause the victim to trust the content. As an example, the amount of trust is increased when the phishing mail contains personal information on the victim, such as their full name and address, or bank account number.
In addition to trust and acquisitiveness, it appears that people are above all curious. People are eager to get what they don’t have already and especially want to avoid losing what they have. In other words, when someone really wants something, they will put negative or mistrustful feelings aside. The number of cases increases considerably when random users are called from “faraway” countries and the call is terminated the moment they answer. Curiosity will prompt the victim to call back and get through to an expensive pay service (a kind of surcharged number) resulting in a high telephone bill.
Whereas social engineering in the past was only used to enter physical premises, over the years different technical resources have been developed that enable cybercriminals to launch their attacks on a large scale through digital channels:
- Phishing by email and telephone: According to the Cyber Security Assessment Netherlands 2015 (an annual report published by the National Cyber Security Center) phishing was one of the most powerful and frequently used cyber attack methods in 2015. Phishing is the collective term for digital activities that aim to pilfer personal information (like logins) from people. Principles of influence used: authority, scarcity, trust.
- USB drop: Cybercriminals increasingly make use of USB flash drives containing harmful software. These might be “dropped” into the victim’s suitcase after a train journey, left lying somewhere, or handed out as a free gift. If the person who finds the flash drive puts it in their computer, it is already too late: the hacker has entered. Weaknesses exploited: curiosity and acquisitiveness.
- Rogue Wi-Fi access point: By imitating Wi-Fi hotspots that the user knows and trusts (most public hotspots), smartphones easily make contact with internet access points that are controlled by the hacker. The hacker can then eavesdrop and manipulate the victim’s internet behavior. Weaknesses exploited: trust and consistency.
- Combination of attack techniques: The method can further be refined: a phishing mail is often announced by a caller who asks a number of targeted questions on topics that interest someone in a professional or personal capacity. Following the conversation, the caller will send an email containing a link on which the person can click, with all the consequences thereof. Ransomware and malware are also often attached to phishing mails, which means that the recipient does not even need to click on a link: merely opening the attachment is enough.
Don’t be a victim, arm yourself!
The question then arises of whether people can sufficiently protect themselves against cybercriminals who use human manipulation. While we are inclined to say that cybercriminals will always find a way if they really want to, it is still very important to take a number of measures and reduce the risk of being harmed by social engineering.
- Companies and authorities can make people aware of the threat as a preventative measure to ward off damage. In the Netherlands, for example we have seen campaigns run by Veilig Internet (Safe Internet) and a well-known commercial advising people to ‘hang up, click to close, call your bank’.
- Use two-factor authentication or login confirmation to access things like Gmail, Hotmail and social media accounts. If cybercriminals have your password, they still cannot log in without the second factor (e.g. SMS code, fingerprint, token, or TAN code) or your direct authorization (login confirmation).
- Refuse the “automatic connection” option on public Wi-Fi networks so that you cannot connect to a rogue Wi-Fi access point.
- Social engineering assessment: in a social engineering assessment, a trained social engineer will attempt to enter an organization and try to access the “crown jewels”. It’s a good way to assess the vulnerability of physical protection measures and at the same time raise awareness.
- Phishing audit: the most powerful way to make an organization resilient to phishing is by “learning through experience”. Many organizations do periodic phishing audits, which are a way to measure and immediately increase employees’ security awareness, by carrying out a controlled phishing attack and analyzing the response. When organizing and carrying out a phishing audit, various legal, ethical and technical aspects must be taken into account, thus it is advisable to ask a cybersecurity expert to support you.
- An advanced cyber drill as the ultimate test: a combination of phishing, hacking, USB drop and rogue Wi-Fi access. During a simulated attack the employees concerned are tested and trained on their vulnerability.
- Technical measures: email authentication with the use of SPF, DKIM and DMARC, and making authentication emails recognizable before sending them to a wide audience. It is also advisable where possible to use two-factor authentication to keep the risk of unauthorized access down to a minimum. This is extremely important where systems are accessible via the ‘open’ internet.
For the authorities:
Keep investing in awareness campaigns that continue to draw people’s attention in different ways.
It remains childishly simple to access confidential information by means of human manipulation. Cybercriminals increasingly make use of this, while technology developments now enable them to apply social engineering on a large scale. To avoid being a victim of social engineering, citizens and employees, as well as authorities and businesses, must take appropriate measures to protect their confidential data. Training and increasing awareness are a first step in the right direction.
About the authors
Guido Voorendt is a cybersecurity consultant at Capgemini. He is active in the field of public security and law and order, and specializes in Social Engineering, Privacy and Identity and Access Management.