
Information Security and the Psychology of the Social Engineer

Jan 10, 2020 | BLOG

When it comes to Information Security, a hot topic right now is Social Engineering. As famous hacker and social engineer Kevin Mitnick defines in his book “The Art of Deception”:  

“You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer.”

Although this distinction exists, the term “social engineer” ends up being used for both cases nowadays. One can say, therefore, that Social Engineering is a practice that consists of using interpersonal skills, previously acquired knowledge and other tricks to reach some goal (usually criminal) through the manipulation of others.

We already covered Social Engineering in the article All about Social Engineering. The focus now is on the one who practices it: the Social Engineer.  

Do you know what the social engineer profile is? What are the techniques they commonly use? What are the patterns of behavior and psychoanalytic concepts that the social engineer knows about and uses to succeed in their goals?

Let’s explain this through some common situations.

A person receives an email from their bank informing them that they are in arrears and that their social security number is being suspended. Immediately, they click on the link included in the message and are redirected to the bank’s login page, where they are asked to enter their username and password. It turns out that this email was not sent by the bank, but by a hacker impersonating the bank, and by entering their username and password to perform the alleged login, the person enables the hacker to collect their credentials. In this example, we see a very simple yet effective social engineering technique, which is quite common, called phishing. 

But if this is a well-known practice that people are constantly warned to avoid, why do so many still fall for it? What is the mental trigger used here?

In this case, what acts on the victim’s mind is the loss or urgency trigger. When faced with information that their social security number will be suspended, usually along with wording such as “this is our last contact before we suspend it” or “resolve this pending issue to avoid suspension”, the victim has the sense of seeing something being taken from them, which unconsciously creates an emergency effect that stops them from reasoning coldly and noticing the details that would otherwise make them realize it is an attempted scam. Interestingly, many of the triggers used by social engineers are the same as those used by marketers to get consumers to buy.
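The two traits of the phishing email above, the urgency wording and a link that claims to be the bank’s login page but points elsewhere, are both things a mail filter or a security-awareness tool can check for. The following is an added example written for this post, not code from the original article: a small heuristic scorer that extracts anchor tags from an HTML body, flags links whose real domain differs from the trusted one or from the domain shown in the link text, and counts urgency phrases. The trusted domain `examplebank.test`, the phrase list and both sample messages are constructed for illustration.

```python
"""Heuristic phishing scorer (added example; all domains and messages are constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that plays on the loss/urgency trigger discussed above (constructed list).
URGENCY_PHRASES = (
    "last contact", "will be suspended", "avoid suspension", "immediately",
    "within 24 hours", "account will be closed", "final notice",
)

# Domains the organisation legitimately sends from and links to (assumption).
TRUSTED_DOMAINS = {"examplebank.test"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels rule; adequate for the constructed samples."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_findings(html_body):
    """Flag links to untrusted domains and text/href domain mismatches."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        actual = registrable_domain(urlparse(href).hostname or "")
        if actual not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {actual}")
        # If the visible text looks like a hostname, compare it with the real target.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != actual:
            findings.append(f"link text shows {shown.group(0)} but href goes to {actual}")
    return findings


def urgency_findings(text):
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def score_email(sender, subject, body):
    """Return the list of suspicious traits found; an empty list means nothing flagged."""
    findings = []
    sender_domain = registrable_domain(sender.split("@")[-1])
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} not trusted")
    findings += [f"urgency phrase: {p}" for p in urgency_findings(subject + " " + body)]
    findings += link_findings(body)
    return findings


# Constructed sample messages: one modelled on the scam above, one legitimate.
PHISH = {
    "sender": "alerts@examplebank-secure.test",
    "subject": "Final notice: your account will be suspended",
    "body": '<p>This is our last contact before we suspend it. '
            '<a href="http://login.examplebank-secure.test/verify">'
            'https://www.examplebank.test/login</a></p>',
}
LEGIT = {
    "sender": "service@examplebank.test",
    "subject": "Your monthly statement is available",
    "body": '<p>Sign in at <a href="https://www.examplebank.test/statements">'
            'your account page</a> whenever convenient.</p>',
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_email(**msg))
```

The constructed scam message trips six findings (untrusted sender domain, three urgency phrases, an untrusted link target, and a link whose visible text names the bank while the href does not), while the legitimate statement notice trips none. Heuristics like these are a supplement to, not a replacement for, the awareness training the article goes on to recommend: they catch the crude cases, and the urgency cue is still something the reader has to recognise for themselves.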

Now imagine another scenario: at a big festive event, a well-dressed person comes up to the security guard, speaking urgently and with authority, and asks to be taken quickly to someone so that they can solve an important issue which, if not resolved soon, will ruin the start of the show. The security guard apologizes, saying he can’t leave the door, but points out where the well-dressed person can find that someone and lets them through.

In this example, we can observe several important things. The first is that Social Engineering does not apply exclusively to Information Security or to IT resources. Although it is constantly present in those areas, Social Engineering can be used in any sphere where the perpetrator can gain an advantage, as in our example, where the goal is to get into the event without paying.

Another interesting point is the mental triggers used to succeed in their intent. Again, we can look at the trigger of loss or urgency: the loss of the event if the issue is not resolved, as seen in the previous example. But here, we can go further. The social engineer, in making their approach, also makes use of the scarcity trigger, which in this case is time. Human beings tend to unconsciously give more importance to what they are about to lose. The scarcity of time in the exemplified scenario makes it necessary to quickly resolve the issue to avoid loss, so various mechanisms that the security guard would normally adopt – such as credential identity verification to allow access – are set aside due to the need.

Also, another trigger used here is the one of authority. This is because people are instinctively inclined to follow who they consider superior. By presenting themselves well dressed and speaking with authority, the attacker activates this trigger, making the victim more likely to accept their suggestion.

As we look at these and other examples that highlight vulnerabilities rooted in the human mind, the following questions arise: what should we do in the face of weaknesses that end up undermining all the costly technological efforts, protocols, software, and defense mechanisms implemented to protect information and organizations? Would more investment in technologies, cameras, systems, biometrics, etc. solve the problem?

What has been observed in relation to Social Engineering and its risks to Information Security is that these efforts are not effective. While systems, firewalls, and control mechanisms can provide their benefits, the human factor is widely considered the weak point of any system. And since the human factor, at least for now, will always be present in these systems, the most effective solution is to “reprogram” these mental vulnerabilities.

Just as the social engineer can use gaps in the human mind to achieve their goals, it is possible, through well-established training, exercises, and protocols, to minimize the risk of success for these attackers. If the human being is the “weakest link” of Information Security, it is worth investing in the protection of the link.
