Social Engineering: Why Hacking Humans Is Easier Than You Think

11/29/2017

hacking humanAs Mark Twain once waggishly observed, “There is a great deal of human nature in people,” which means that any organization with people on the payroll faces myriad cybersecurity risks posed by social engineering. 

The term ‘social engineering’ covers a multitude of deceptive attacks, from the all-too familiar phishing, spear phishing and whaling hacks, to less publicized but equally destructive ploys, such as:

  • Pretexting–thieves invent and exploit a false scenario to establish legitimacy, then trick the target into taking an action or revealing information they ordinarily would not; pretexting works because scammers often impersonate authority figures, such as police officers, bank executives, tax authorities and even clergy.
  • Baiting–the MO in this scheme includes planting malware-infected thumb drives or other physical media in public places and counting on peoples’ natural inquisitiveness to load it on a computer and check it out.
  • Quid-pro-quo (from Latin meaning “something for something”)–QPQ attackers call a company’s employees at random, ostensibly to help with an IT issue that ‘someone there called in.’  Eventually, the crook connects with someone who actually needs IT support and talks them into giving over login or other security credentials.

So Why Are People Such Easy Pickins?

Basically, because we just can’t help being who we are, according to independent consultant and sociologist Dr. Jessica Barker. “Whether online or not, people fall for social engineering because attacks take advantage of human nature,” says Barker.  Scammers understand how people think and act, and know that most will follow social and cultural norms and do what is expected (such as complying with instructions seemingly emailed from a superior or strategic partner). Traits that make people most susceptible, according to Barker, include being:

  • Curious:  “Humanity is innately curious,” which is why we find clever click-bait titles, engaging images and emails that sound like they kinda-sorta-may be legit just alluring enough to merit a click.
  • Na├»ve: Because most people see themselves as generally good and inherently trustworthy, they can innocently forget that others will act maliciously.  Online, this naivety often moves people to follow a link (or several) without considering the cybersecurity implications.
  • Narcissistic: Narcissism includes a craving for admiration, which may help explain why so many social media users, especially younger ones, constantly seek more followers and publicly share reams of detailed, highly personal information. This practice positions Facebook and other popular platforms as the ideal breeding ground for ‘catfishing’ and other socially engineered attacks.
To effectively mitigate social engineering threats, business leaders must create a robust cybersecurity culture that not only raises employee awareness, but, through ongoing education and training, encourages a ‘question everything’ or ‘think-before-you-click’ mentality that helps workers avoid accidently exposing sensitive information. Work with us to review and update your IT security policies.