Social engineering is nothing new. Long before computers entered our lives, human beings were being scammed using psychological tricks. Back in 1947, a book entitled “Illustrated Circular of Confidence Tricksters and Expert Criminals” was published: a “Who’s who of international swindlers”. Fast forward to 2021, and international crime gangs take a more digital approach to swindling people out of money, data, and corporate login credentials. Although decades, even centuries, separate these scam campaigns, they all have one thing in common: fraudsters old and new use social engineering to get what they want.
Social Engineering: Tricks of the Phishing Trade
It only takes a single click to potentially end up with an infected device. This infection can spread like wildfire across the corporate network and any connected devices. The infection could end up costing a company vast sums of money in downtime, lost data, and damaged reputation.
The single click experience is what both marketers and cybercriminals aspire to. By creating a situation where people don’t need to think too much before acting, you can more successfully capture an audience.
Marketers want to elicit an emotional response to a marketing campaign, engaging the individual with a product to the point where they click for more information or, even better, click to buy.
Cybercriminals, too, want to get that ‘knee-jerk response’, so they use similar tactics to get the human to click.
Digital criminals have advantages over their non-digital equivalents. Their reach, for example, is far wider: a ‘spray and pray’ mass phishing campaign can hit millions of targets at almost no cost. Alternatively, fraudsters can get personal and use targeted spear-phishing that focuses on a single individual or role.
Phishing attacks are built around human behaviour – what makes us tick, makes us click. Much of this comes down to the silent training we have all had in using the internet. Web and app designers are focused on creating the ‘seamless UX’, i.e., an easy user experience that is based on a seamless technology-human interaction. The result is that we are all used to following certain patterns of behaviour in the digital realm. It is these patterns that cybercriminals use to trick us into the click action.
Spotting the Signs of Social Engineering
The techniques cybercriminals use to trick the human brain into acting on a trigger mirror the way we normally build human relationships:
Trust: Using a well-known brand as the basis for a phishing email allows the scammer to use trust to hack a human. Popular brands for mass target phishing campaigns include Office 365, Facebook, Google, and eBay. However, more targeted campaigns may pick a brand more closely aligned to a company, for example, a specific web app or vendor portal. These campaigns can make phishing emails even more difficult to detect and add an extra element of trust into the attack if the spoofed brand is closely connected and highly recognisable to the target. Even security vendors can be the victim of brand spoofing in phishing campaigns: Check Point Software, a trusted security vendor, had their brand used on a phishing website.
Curiosity and urgency: These are typical elements of a phishing campaign. Fraudsters trick users into doing their bidding by making them feel they are dealing with a trusted entity and the task is urgent. An example of this is an Office 365 phishing campaign from 2020. Researchers identified a campaign that began with an employee receiving an email showing a “missed voice message”. Users were prompted to click on a button to go to their Office 365 account to access the missed message. The message also showed a “Message from Trusted server” notification at the top of the email, to build on the ‘trust’ element. If the user clicked the button and entered credentials into the spoof Office 365 site, those credentials would be stolen.
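The two signs described above, a spoofed brand and an urgency lure pointing at a credential-harvesting page, can be checked for mechanically. The following is an added example, not a tool from the original article or from the researchers it cites. It parses a constructed message modelled on the “missed voice message” lure (the sample headers, addresses and hosts are made up, and the `.example` domains are placeholders), then flags three things: a brand is named while the sender or link domains are not on that brand's (assumed, illustrative) allowlist; the body contains urgency or trust-badge phrases; and a link path looks like a login page or uses plain http.

```python
"""Heuristic phishing-indicator scorer (added illustration, not the article's tool)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands of interest and the domains that legitimately send for them.
# These sets are illustrative only, not an authoritative allowlist.
LEGIT_DOMAINS = {
    "office365": {"microsoft.com", "office.com", "microsoftonline.com", "office365.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}
BRAND_PATTERNS = {
    "office365": re.compile(r"office\s*365|microsoft", re.I),
    "facebook": re.compile(r"facebook", re.I),
}
# Urgency / curiosity / trust-badge cues: the ones from the lure above plus common variants.
LURE_PHRASES = ["missed voice", "trusted server", "expire", "urgent", "immediately",
                "suspended", "verify your account", "act now"]
CRED_PATH = re.compile(r"login|signin|auth|password|verify", re.I)

# Constructed sample modelled on the missed-voicemail campaign (not a real capture).
PHISH_EML = """From: "Microsoft Office 365" <notify@office365-voicemail.example>
To: alice@corp.example
Subject: You have a missed voice message
Content-Type: text/html

<html><body>
<p><b>Message from Trusted server</b></p>
<p>You have a missed voice message. Listen now before it expires.</p>
<a href="http://office365-login.example/auth?user=alice">Listen to message</a>
</body></html>
"""

# Constructed benign message: same brand, but domains match the allowlist and no lure.
BENIGN_EML = """From: "Microsoft 365 Message Center" <o365mc@microsoft.com>
To: alice@corp.example
Subject: Your weekly digest
Content-Type: text/html

<html><body>
<p>Here is the weekly summary for your tenant.</p>
<a href="https://admin.microsoft.com/adminportal/home">Open admin center</a>
</body></html>
"""


def registrable(host):
    """Naive 'registrable domain': the last two labels. Good enough for the demo;
    a production filter would consult the Public Suffix List instead (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def extract_hrefs(html):
    """Pull href targets out of an HTML body."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, re.I)


def score_message(raw):
    """Return a list of human-readable indicators; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    from_hdr = str(msg["From"] or "")
    _, sender_addr = parseaddr(from_hdr)
    sender_host = sender_addr.rsplit("@", 1)[-1] if "@" in sender_addr else ""
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    links = extract_hrefs(body)
    link_hosts = [urlparse(u).hostname or "" for u in links]
    text = re.sub(r"<[^>]+>", " ", body).lower()

    signals = []
    # 1. Trust: a brand is named, but the sender or link domains do not belong to it.
    for brand, pat in BRAND_PATTERNS.items():
        if not (pat.search(from_hdr) or pat.search(subject) or pat.search(body)):
            continue
        for host in [sender_host] + link_hosts:
            if host and registrable(host) not in LEGIT_DOMAINS[brand]:
                signals.append(f"{brand} named but host {host} is not a {brand} domain")
    # 2. Urgency / curiosity / trust-badge phrases in the visible text.
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        signals.append("lure phrases: " + ", ".join(hits))
    # 3. Click-to-credential: login-looking link targets, or links sent over plain http.
    for u in links:
        parsed = urlparse(u)
        if CRED_PATH.search(parsed.path) or CRED_PATH.search(parsed.query):
            signals.append(f"credential-style link {u}")
        if parsed.scheme == "http":
            signals.append(f"unencrypted link {u}")
    return signals


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, score_message(sample) or "no indicators")
```

Run against the constructed phishing sample this reports the sender and link hosts as non-Microsoft, the “missed voice”, “trusted server” and “expire” phrases, and the http `/auth` link; the benign sample produces no indicators. The point is the combination: any one of these cues appears in legitimate mail, but a brand name plus a foreign domain plus an urgency phrase plus a login-style link is the shape of the campaign described above, and that is what a mail gateway rule or a triage script should look for.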
The persuasive voice: Persuasion plays a major part in phishing success. According to Cialdini’s research into marketing and influence, there are six basic principles used to steer customer behaviour. These principles, alongside similar research into persuasion and influence, were used by a research team looking at how social engineering works in phishing. The researchers distilled five key elements of highly persuasive, and therefore successful, phishing campaigns:
- Authority: Use of an authoritative name, e.g., a company CEO
- Social proof: Build a campaign that uses peer pressure to encourage behaviour
- Liking, similarity, deception: Successful persuasion works when people or subject matters are familiar
- Commitment, reciprocation and consistency: People like to act consistently with what they have already said or done, and feel obliged to repay a favour; a small initial request or “gift” can therefore set up a larger one
- Distraction: By creating a sense of urgency, e.g., an item will be more expensive if you don’t act now, a scammer can distract a person from the signs of a scam.
The Emotions of Social Engineering
Emotional responses are those that are deeply ingrained in us all. The use of persuasion and emotional manipulation in phishing campaigns was explored in a 2018 study published by the American Psychological Society. The researchers looked at “emotional arousal as a fraud tactic”. The study found that people of all ages responded to both positive and negative persuasion messages and made poor decisions when responding. The study states that “emotional arousal can influence susceptibility to misleading information and that this effect occurs in both older and younger adults.” This behaviour plays neatly into the fraudster’s hands and phishing messages often contain a component that elicits an emotional response as seen in the examples above.
How to Stay Safe from Social Engineering
Social engineering is dangerous because it uses our natural behaviour to get us to click a malicious link or download an infected attachment. Phishing fraudsters also keep adjusting their techniques and tools to ensure continued success. The shifting patterns of phishing, coupled with sophisticated manipulation of targets, make this insidious type of cybercrime one of the most difficult to deal with. No single solution exists to prevent phishing from succeeding. Instead, a mix of security awareness training and technical controls is needed to detect and block phishing attempts.