
Information Security and the Psychology of the Social Engineer

Jan 10, 2020 | BLOG

When it comes to Information Security, a hot topic right now is Social Engineering. As famous hacker and social engineer Kevin Mitnick defines in his book “The Art of Deception”:  

“You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer.”

Although this distinction exists, the term “social engineer” is used for both cases nowadays. One can therefore say that Social Engineering is the practice of using interpersonal skills, previously acquired knowledge and other tricks to reach a goal (usually a criminal one) by manipulating other people.

We already covered Social Engineering in the article All about Social Engineering. The focus now is on the one who practices it: the Social Engineer.  

Do you know what the social engineer profile is? What are the techniques they commonly use? What are the patterns of behavior and psychoanalytic concepts that the social engineer knows about and uses to succeed in their goals?

Let’s explain through some common situations.

A person receives an email from their bank informing them that they are in arrears and that their social security number is being suspended. Immediately, they click on the link included in the message and are redirected to the bank’s login page, where they are asked to enter their username and password. It turns out that this email was not sent by the bank, but by a hacker impersonating the bank, and by entering their username and password to perform the alleged login, the person enables the hacker to collect their credentials. In this example, we see a very simple yet effective social engineering technique, which is quite common, called phishing. 

But if this practice is well known and people are constantly warned to avoid it, why do so many still fall for it? What is the mental trigger used here?

In this case, the trigger at work in the victim’s mind is loss or urgency. When faced with the information that their social security number will be suspended, usually accompanied by wording such as “this is our last contact before we suspend it” or “resolve this pending issue to avoid suspension”, the victim feels that something is being taken from them. This unconsciously creates a sense of emergency that stops them from reasoning calmly and noticing the details that would otherwise reveal the attempted scam. Interestingly, many of the triggers used by social engineers are the same ones marketers use to get consumers to buy.

Now imagine another scenario: at a big festive event, a well-dressed person approaches the security guard urgently and, speaking with authority, asks to be taken quickly to someone so that they can solve an important issue that, if not resolved soon, will ruin the start of the show. The security guard apologizes, saying he can’t leave the door, but indicates where the well-dressed person can find that someone and lets them in.

In this example, we can observe several important things. The first is that Social Engineering does not apply exclusively to Information Security or to IT resources. Although it is constantly present in those areas, Social Engineering can be used in any sphere where the perpetrator stands to gain, as in our example, where the goal is to get into the event without paying.

Another interesting point is the set of mental triggers used to achieve this intent. Again, we can see the trigger of loss or urgency: the loss of the event if the issue is not resolved, as in the previous example. But here we can go further. In making their approach, the social engineer also makes use of the scarcity trigger, which in this case is time. Human beings tend to unconsciously give more importance to what they are about to lose. The scarcity of time in this scenario makes it seem necessary to resolve the issue quickly to avoid the loss, so the checks the security guard would normally perform – such as verifying credentials before allowing access – are set aside under that pressure.

Another trigger used here is authority. People are instinctively inclined to follow those they consider superior. By presenting themselves well dressed and speaking with authority, the attacker activates this trigger, making the victim more likely to accept their request.

As we look at these and other examples that highlight vulnerabilities rooted in the human mind, the following questions arise: what should we do about weaknesses that end up undermining all the costly technological efforts, protocols, software, and defense mechanisms implemented to protect information and organizations? Would more investment in technology, cameras, systems, biometrics, etc. solve the problem?

What has been observed about Social Engineering and its risks to Information Security is that these efforts alone are not effective. While systems, firewalls, and control mechanisms provide real benefits, the human factor is widely considered the weak point of any system. And since the human factor, at least for now, will always be present in these systems, the most effective solution is to “reprogram” these mental vulnerabilities.

Just as the social engineer can exploit gaps in the human mind to achieve their goals, it is possible, through well-established training, exercises, and protocols, to minimize these attackers’ chances of success. If the human being is the “weakest link” of Information Security, it is worth investing in protecting that link.
