IT security teams need to educate employees about the psychological techniques cybercriminals often use in social engineering attacks.
You are walking down the street and notice a person looking skyward--odds are you will keep going. The next day, you are out walking the dog and spot four people looking upward. More than likely, you will stop and look up. Why? Find out by reading this excerpt from The Wisdom of Crowds.
Next example: You are traveling. The first night you spot the little folded card in the bathroom asking you to please reuse the towels--it helps save the environment. Maybe you heed the note, or perhaps you don't.
A few days later, you are in a different state and new hotel. Walking into the bathroom, you see a similar small, folded card. This one reads a bit differently: "Please join the countless others who are helping save our environment by reusing towels." Why are you more apt to reuse towels after reading this sign? This NPR article explains.
These are two examples of how psychology can be used to influence humans. Remember the "please reuse towel cards?" Changing to the second version resulted in a 26% increase in guest participation.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
The subtleties of online interactions
This type of automated response is not lost upon cybercriminals, nor on Chris Poulin, who was a strategist at IBM's X-Force, when he wrote his IBM Security Intelligence commentary 6 Psychological Elements Behind Sophisticated Cyber Attacks, which looks at how cybercriminals leverage human traits to improve their odds of a successful attack.
Poulin believes we cannot interpret the subtleties of online interactions in the same way we analyze non-verbal communication, such as body language and micro-expressions, and how we respond to cultural and paralinguistic elements.
"Despite these critical nuances in communications, we grant trust to online personalities we've never met--and who may be deceased or completely fictitious," writes Poulin. "Users ignore their better judgment in favor of building a large network, with the status that comes with it, and the promise of gaining access to opportunities that are clearly too good to be true."
The six principles of persuasion
Trust, according to Poulin, allows others to influence us. The interesting piece is that the reverse is also true: Skillful influencing can elicit trust.
Poulin next refers to Robert Cialdini and his best-selling book, Influence: The Psychology of Persuasion, in which Cialdini digs deeper into the various elements that allow people, including cybercriminals, to influence others.
Reciprocity: We all know this one. Someone gives us a gift, and we feel obligated to give back to that person.
Cialdini offers an interesting example: Waiters and waitresses typically leave a small gift with the bill--maybe a mint or fortune cookie. The small gift makes a difference. Diners who were given a mint at the end of their meal typically increased tips by around 3%. What's even more impressive? If the waitperson provides one mint, starts to walk away from the table, pauses, turns back, and offers each person another mint while saying how nice it was to wait on them, "tips go through the roof," writes Cialdini. In that scenario, according to Cialdini, tips see "a 23% increase, influenced not by what was given, but how it was given. So, the key to using the principle of reciprocity is to be the first to give and to ensure that what you give is personalized and unexpected."
This tactic is often used by social engineers attempting to make a connection with their victims by first offering information or a gift.
Scarcity: We all know this ploy. If we cannot have it, we want it all the more. "Con men have known about this psychological ploy for ages...and we still fall for many of the same scams after centuries of victimization," comments Poulin. "It hasn't gotten any better online, either."
Authority: People tend to follow the lead of credible experts. Many cybercriminals understand that it's important to make clear they are credible, knowledgeable authorities to their victims before trying to influence them.
Poulin says this scam is used extensively in social engineering. He also suggests caution if someone else's authority is being invoked, adding that it will likely be difficult to contact that person for obvious reasons.
Consistency: People like to be consistent with the things they have previously said or done. Cialdini cites an interesting study where researchers found very few people who would be willing to erect an unsightly wooden board in their yard to support a "Drive Safely" campaign.
Only a few blocks away, however, the homeowners were more than willing. The difference? Cialdini explained that 10 days earlier these homeowners had agreed to place a small postcard in the front window of their homes, signaling their support for the "Drive Safely" campaign, and that made all the difference.
When it comes to social engineering, Poulin writes, "Once a contact is committed to a connection; they are hard pressed to Unfriend or otherwise break that link and will continue to interact and assist that person."
Liking: Science tells us there are three essential factors to liking:
- We like people who are similar to us.
- We like people who pay us compliments.
- We like people who cooperate with us towards mutual goals.
"People tend to form trust with those they're attracted to, both physically and emotionally," suggests Poulin. This is a simple principle that works well and has potent implications that cybercriminals are more than willing to exploit.
Consensus: The above mentioned example of reusing towels is consensus in action--in particular, the use of "countless others." Cybercriminals also understand the first few connections are the most important; once they are in hand, others in similar positions or organizations are more likely to follow suit.
Educate users about social engineering tactics
Cialdini's six principles of persuasion are simple, yet effective. Cybercriminals who employ them have a considerable advantage when it comes to persuading their victims to take the bait or offer up information they normally wouldn't.
Poulin agrees that attacks using any of the above principles are effective, adding, "I predict they haven't topped out yet in terms of sophistication; there's plenty of room for improvement using the six principles."
Now that you know the common psychological techniques used in social engineering attacks you can share this information with users and make sure your IT team is alert and ready to defend against such attacks. For more information, read the following TechRepublic resources.
- Here's what happens during a social engineering cyber-attack
- How to defend your organization against social engineering attacks
- Social engineering: How psychology and employees can be part of the solution
- How an IBM social engineer hacked two CBS reporters--and then revealed the tricks behind her phishing and spoofing attacks (free PDF)
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Security Awareness and Training policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)