Any security system is only as secure as its weakest link. When it comes to cybersecurity, the technical measures available today (patching, multi-factor authentication, endpoint protection) raise the cost of a direct technical break-in to the point where it is out of reach for all but the most skilled attackers. Which is why the targets have shifted from computer code to the “code” of human psychology.
It’s referred to as “social engineering” and describes a set of techniques that target human elements of cyber-security instead of technology. The goal of a social engineering attack is to fool a person into providing sensitive information or even granting access to secure systems.
The main way social engineering works is by bypassing the usual alarms that would make someone suspicious. The attacker usually impersonates someone that’s already a trusted figure or class of person. Once the target’s defenses are down, it’s basically like Christmas for the attacker.
Let’s look at some tried and tested social engineering methods and how you can stop yourself from being the next target who falls for it.
Piecing Together “Innocent” Information
A core part of social engineering is gathering as much information about an individual or organization as possible. There’s plenty of information out there that a person or company would think nothing of divulging, but taken as a whole, it can be used to build the foundation of several other techniques.
For example, some companies, and indeed most people, don’t shred or destroy documents before throwing them away. They also don’t lock up their trash, which means attackers can sift through it for information that can be acted on: invoices, org charts, vendor names, internal phone lists.
Social media is also a treasure trove of public information that a smart engineer can piece together into something that will help them infiltrate or fool their target.
Spear Phishing with a Hacked Email and other Impersonation
There’s a reason it’s a serious crime to, for example, impersonate a police officer. Certain stereotypes are needed for society to function properly. Even though you may never have met a particular police officer, their badge and uniform mean you can make certain assumptions about them, such as that they’ll help you if you are in trouble. If the public loses trust in the police because those expectations are violated, social disorder follows. Which is why the crime of impersonation is usually punished harshly.
Impersonation is a social engineer’s best friend. They’ll do it both electronically and in person. Often they’ll use the information gathered to figure out what legitimate people who belong at a place should look like: name badges, titles, departments. The social engineer can then provide plausible explanations for their presence that will get past at least casual levels of suspicion.
Stolen or counterfeit uniforms and badges might work. Posing as a delivery person (based on the fact that a specific employee gets lots of deliveries) or someone bringing food can get you into places.
A less audacious method is to compromise the email account of someone your target knows and trusts, then engage the target with the aim of getting specific information or actions out of them. Compromising or spoofing the email address of an authority figure (such as the CFO) can also yield quick compliance; this is the pattern behind business email compromise (BEC). There are many recorded incidents where employees responsible for payments sent money to an attacker’s account simply because they believed an executive had asked them to and did not want to question it. Note the two distinct cases: a genuinely compromised account sends mail that passes every authentication check, so only the unusual request gives it away; a spoofed or lookalike address leaves traces in the headers that can be checked mechanically.
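The header-level traces mentioned above can be checked automatically before a human ever sees the request. The following is an added example written for this article, not code from the original post or from any product: it applies a few heuristics for executive impersonation (display name matching a known executive but sent from the wrong address, a lookalike domain built from homoglyphs or a one-character change, a Reply-To pointing elsewhere, and mail claiming the organisation’s own domain without a DMARC pass). The organisation domain `example.com`, the executive list, and the three sample messages are all constructed assumptions for the demonstration.

```python
"""Heuristic checks for executive impersonation in email headers.

Added example, not from the original article. It assumes a hypothetical
organisation domain "example.com" and a hypothetical executive list; the
sample messages at the bottom are constructed for this demonstration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumption: the org's own domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumption: known VIP display names


def normalize(domain: str) -> str:
    """Undo common homoglyph tricks so 'exarnple.com' and 'examp1e.com' read as 'example.com'."""
    d = domain.lower()
    for multi, single in (("rn", "m"), ("vv", "w")):
        d = d.replace(multi, single)
    return d.translate(str.maketrans("01357", "olest"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is built to be confused with ours."""
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return False
    return (normalize(domain) == normalize(ORG_DOMAIN)
            or edit_distance(domain, ORG_DOMAIN) <= 1
            or ORG_DOMAIN in domain)          # e.g. example.com.secure-login.net


def analyze(raw_message: str) -> list:
    """Return a list of finding names for one RFC 5322 message (headers + body)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # A known executive's display name on an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        findings.append("display-name-impersonation")

    # The classic trick of putting a whole internal address in the display name.
    if "@" in name and name.lower().rsplit("@", 1)[-1] == ORG_DOMAIN and domain != ORG_DOMAIN:
        findings.append("address-in-display-name")

    if domain != ORG_DOMAIN and is_lookalike(domain):
        findings.append("lookalike-domain")

    # Replies silently redirected to a mailbox the attacker controls.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply-to-mismatch")

    # Mail that claims to be from our own domain must carry a DMARC pass.
    # Real deployments must also confirm the authserv-id is our own MX,
    # because an attacker can inject an Authentication-Results header.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("dmarc-not-passed")

    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legitimate": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
        "Subject: Q3 numbers", "", "See attached."]),
    "lookalike": "\n".join([
        "From: Jane Doe <jane.doe@examp1e.com>",
        "Reply-To: cfo.payments@gmail.com",
        "Subject: Urgent wire today", "", "Please process the attached invoice before 5pm."]),
    "spoofed": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "Authentication-Results: mx.example.com; spf=fail; dmarc=fail",
        "Subject: Need a favour", "", "Are you at your desk?"]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:11s} -> {analyze(raw) or 'no findings'}")
```

Each finding on its own is only a signal; the value is in stacking them and routing anything that mentions payments or credentials with two or more findings to a human who will pick up the phone. The authentication check is deliberately conservative: a compromised real account will pass it, which is exactly why the out-of-band verification advice later in this article still applies.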
Removing Suspicion with Familiarity
The human mind is on the lookout for threats all the time. One of the main ways it does this is by looking for things that don’t fit. The more used to or familiar we become with something, the less likely it is to ever raise warning flags.
Simply acting in a way that people expect can get you a pass and showing your face regularly will basically vaccinate people against being suspicious of you. If you show up every day on legitimate business or with a low-risk story that justifies your presence, then eventually staff won’t look twice at you. At the point where people think they know who you are, even as an outsider, you can start to stick your nose into places no one would let you on day one.
Becoming Invisible Through Hostility and Discomfort
There is a whole range of social situations where people in groups will do their best to ignore or avoid an individual. One common example is to walk through an area where you aren’t meant to be while “arguing” with someone over the phone. People don’t really want to be near drama in general, so it can help the social engineer move through spaces where people ignore them on purpose.
The idea is not to aim your hostility at your target, but to make yourself a little embarrassing to deal with. That can get a lot done.
Become an Insider
If the target is really worth it then some social engineers will go as far as actually becoming an employee or befriending a target with the long-term goal of getting access to information they have or can get.
This is the main reason agencies such as the CIA and FBI have such strict background checks and vetting procedures. For the rest of the world, it’s not that simple to prevent your own “Hail Hydra” moment.
Persuasion and Body Language Expertise
Social engineers tend to be very knowledgeable about psychological domains such as persuasion theory and body language. For example, Robert Cialdini’s six principles of persuasion are a good place to start.
Being good at interpreting body language and facial expressions also allows the social engineer to read what you’re thinking and feeling, and to adjust their approach on the fly so that it has a higher chance of success.
A Social Engineering Vaccination
So what can you do to reduce the chances that a social engineer will target you as the weak link in the security chain?
There are a few principles to follow:
- Stop and think. If someone is pressuring you or doing their best to make things seem urgent, it’s likely they don’t want you to engage in critical thinking.
- Get out-of-band verification. If you get an email from your boss asking you to do something unusual such as making a payment, call them on a number you already have (not one supplied in the message) or otherwise confirm through a separate channel that it’s really a legitimate request.
- Treat unsolicited communication with high levels of suspicion.
- Confirm that people belong to the organizations they say they do (e.g., cable company, delivery company, etc.) by calling the organization yourself, not the number on their business card.
- Destroy even seemingly trivial information before you throw it away. Use a cross-cut shredder for paper. For storage media, use full-disk encryption from day one and destroy the key at end of life; overwriting is adequate for spinning disks but unreliable on SSDs, so physically destroy drives that held sensitive data.
- Don’t click a link in an email to log in or reset a password unless you requested that email moments ago; otherwise open the site by typing its address or using a bookmark.
- Make sure that your physical computer is secured against people wandering by: lock the screen when you step away and enable full-disk encryption.
- Use a VPN when on untrusted Ethernet or WiFi so that whoever controls the local network cannot read or tamper with your traffic before it reaches the VPN exit. This is a complement to HTTPS and other end-to-end encryption, not a substitute, and it does nothing against a convincing phone call.
Social engineers are constantly evolving their art. But with the right mindset, it becomes much harder for them to talk their way through security. Whether you want to practice it or defend against it, the learning never stops.