Information Security and the Psychology of the Social Engineer
When it comes to Information Security, a hot topic right now is Social Engineering. As the well-known hacker and social engineer Kevin Mitnick puts it in his book “The Art of Deception”:
“You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer.”
Although this distinction can be drawn, the term “social engineer” is used for both cases nowadays. One can therefore say that Social Engineering is the practice of using interpersonal skills, previously acquired knowledge and other tricks to reach a goal (usually a criminal one) by manipulating others.
Do you know what the profile of a social engineer is? Which techniques do they commonly use? Which patterns of behavior and psychoanalytic concepts does the social engineer know about and exploit to reach their goals?
Let’s explain with some common situations.
A person receives an email from their bank informing them that they are in arrears and that their social security number is being suspended. Immediately, they click on the link included in the message and are redirected to the bank’s login page, where they are asked to enter their username and password. It turns out that this email was not sent by the bank, but by a hacker impersonating the bank, and by entering their username and password to perform the alleged login, the person enables the hacker to collect their credentials. In this example, we see a very simple yet effective social engineering technique, which is quite common, called phishing.
But if this practice is well known and people are constantly warned to avoid it, why do so many still fall for it? What is the mental trigger at work here?
In this case, what acts on the victim’s mind is the loss or urgency trigger. When faced with the information that their social security number will be suspended, usually accompanied by wording such as “this is our last contact before we suspend it” or “resolve this pending issue to avoid suspension”, the victim feels that something is being taken from them, which unconsciously creates a sense of emergency that stops them from reasoning calmly and noticing the details that would otherwise reveal the attempted scam. Interestingly, many of the triggers used by social engineers are the same ones marketers use to get consumers to buy.
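The phishing message described above can be caught by the same details the urgency trigger is meant to stop the victim from noticing. The following is an added example, not code from the original article: a small heuristic scorer that flags loss/urgency wording, links whose visible text shows one domain while the href points to another, links that leave the sender’s domain, and a Reply-To that differs from the From address. The two sample messages, the phrase list, the score weights and the threshold are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Loss/urgency wording of the kind described in the article (constructed, not exhaustive).
URGENCY_PHRASES = (
    "last contact",
    "avoid suspension",
    "will be suspended",
    "immediately",
    "within 24 hours",
    "in arrears",
)

# HTML anchors: capture the real href and the text the reader sees.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# A domain or URL written out in visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed sample: impersonated bank, urgency wording, disguised link, foreign Reply-To.
SAMPLE_PHISH = """\
From: "Example Bank" <alerts@bank-example-secure.test>
Reply-To: support@mailverify.test
Subject: Final notice: your account is in arrears
Content-Type: text/html

<p>This is our last contact before we suspend your account.</p>
<p>Log in immediately to avoid suspension:
<a href="http://bank.example.verify-login.test/signin">https://www.bank.example/login</a></p>
"""

# Constructed sample: a routine notice from the bank's own domain.
SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@bank.example>
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement for last month is ready.</p>
<p><a href="https://www.bank.example/statements">https://www.bank.example/statements</a></p>
"""


def registrable_domain(host):
    """Last two DNS labels ('login.bank.example' -> 'bank.example'); crude but enough here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def domain_in_text(text):
    """Registrable domain that a link's visible text claims, or None if it shows none."""
    m = DOMAIN_RE.search(text)
    return registrable_domain(m.group(1)) if m else None


def address_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header, or None."""
    addr = parseaddr(header_value)[1]
    return registrable_domain(addr.split("@", 1)[1]) if "@" in addr else None


def analyze_message(raw):
    """Score a raw RFC 822 message; higher means more phishing indicators (assumed weights)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    sender_domain = address_domain(msg.get("From", ""))
    reply_domain = address_domain(msg["Reply-To"]) if msg.get("Reply-To") else None
    score, reasons = 0, []

    # 1. Loss/urgency wording: one point per phrase found in subject or body.
    text = (subject + " " + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"urgency/loss wording: '{phrase}'")

    # 2. Links: visible text vs. real destination, and destination vs. sender domain.
    for href, visible in ANCHOR_RE.findall(body):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = domain_in_text(visible)
        if shown and shown != target:
            score += 3
            reasons.append(f"link text shows {shown} but points to {target}")
        if sender_domain and target != sender_domain:
            score += 1
            reasons.append(f"link to {target} leaves sender domain {sender_domain}")

    # 3. Replies routed somewhere other than the claimed sender.
    if reply_domain and reply_domain != sender_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    return {"score": score, "reasons": reasons, "verdict": "suspicious" if score >= 4 else "ok"}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze_message(raw)
        print(name, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The weights are deliberately simple: a visible/real domain mismatch counts for more than any single urgency phrase, because wording alone also appears in genuine reminders, whereas a disguised link rarely does. On the phishing sample the scorer reports four urgency phrases, the disguised link, a link outside the sender’s domain and the foreign Reply-To; the legitimate notice scores zero.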
Now imagine another scenario: at a big festive event, a well-dressed person hurries up to the security guard and, speaking with authority, asks to be taken quickly to someone so that an important issue can be resolved, one that, if not handled soon, will ruin the start of the show. The security guard apologizes, saying he cannot leave the door, but points out where the well-dressed person can find that someone and lets them through.
In this example, we can observe several important things. The first is that Social Engineering does not apply exclusively to Information Security or to IT resources. Although it is constantly present in those areas, Social Engineering can be used in any sphere where the perpetrator can gain an advantage, as in our example, where it is used to enter the event without paying.
Another interesting point is the mental triggers used to achieve the goal. Again, we can look at the loss or urgency trigger: the loss of the event if the issue is not resolved, as in the previous example. But here we can go further. In making their approach, the social engineer also uses the scarcity trigger, which in this case is time. Human beings tend to unconsciously give more importance to what they are about to lose. The scarcity of time in this scenario makes it necessary to resolve the issue quickly to avoid the loss, so the checks the security guard would normally apply – such as verifying credentials before granting access – are set aside under the pressure.
Another trigger used here is authority: people are instinctively inclined to follow whoever they consider superior. By presenting themselves well dressed and speaking with authority, the attacker activates this trigger, making the victim more likely to accept their suggestion.
As we look at these and other examples that highlight vulnerabilities rooted in the human mind, the following questions arise: what should we do about weaknesses that end up undermining all the costly technological efforts, protocols, software, and defense mechanisms implemented to protect information and organizations? Would more investment in technologies, cameras, systems, biometrics, etc., solve the problem?
What has been observed about Social Engineering and its risks to Information Security is that these efforts are not effective against it. While systems, firewalls, and control mechanisms provide their benefits, the human factor is widely considered the weak point of any system. And since the human factor, at least for now, will always be present in these systems, the most effective solution is to “reprogram” these mental vulnerabilities.
Just as the social engineer can use gaps in the human mind to achieve their goals, it is possible, through well-established training, exercises, and protocols, to minimize these attackers' chances of success. If the human being is the “weakest link” of Information Security, it is worth investing in protecting that link.