May 14
Psychology of Social Engineering Attacks

It never ceases to amaze how fraudsters get away with scams, with the media reporting on victims who have fallen to the many smooth-talking fraudsters peddling their seemingly plausible stories.

Most people are aware of the 419 scams: scammers contact you out of the blue, sometimes build up a relationship and become a ‘friend’, and then comes an urgent request to transfer huge sums of money. They need your assistance, or rather your bank details and financial information, to make it happen. Of course, it never happens, because there is no huge fortune, and the people who have been duped end up losing more than money. Yet it is still happening today, in increasingly sophisticated ways, and if you think you would never fall for anything so crude, think again. It only takes one moment of weakness, one bad judgement, and scammers have gained entry into your business operations and are causing havoc.

In this post we discuss the increase of sophisticated social engineering scams and how you can help to protect your employees and businesses against them.

Compelling, sophisticated – social manipulation at its finest

Social engineering is the umbrella term for a wide range of malicious activities on the internet in which attackers use psychological manipulation to get users to divulge sensitive information.

Social engineering attacks are usually carefully planned. First, the attacker investigates the background of a user to gather information such as potential weak spots and entry points. Next, the attacker tries to gain the trust of the intended victim and lull them into a false sense of security, to the extent that the victim ends up breaking security protocols.

What are the four emotions used to great effect in social engineering?

It is essential for IT security officers to stay on top of how attackers operate and to understand how social engineering attacks are designed, because even the most secure of systems will fail if someone within the business falls victim to a scam. Cyber criminals usually exploit four basic human emotions to conduct their malicious activities: FEAR, OBEDIENCE, GREED and USER HELPFULNESS.

FEAR is the most manipulated emotion in malicious social engineering campaigns. You might get a phone call or an email stating that your security has been compromised, urging you to change your login credentials. Social engineering attacks using fear as a catalyst rely on you acting quickly and without thinking.

OBEDIENCE – Scammers prey on users’ compliance with laws and regulations, and this is commonly used to trick them into divulging sensitive information. Cybercriminals may pose as a higher authority, relying on users to obey their orders and reveal the information they need to conduct an attack or collect data. Most phishing scams are carried out through a simple channel such as an email, an instant message or a phone call.

GREED for monetary rewards is next in line for designers of social engineering campaigns. You may get a notice from a bank or a legal representative asking you to reveal your bank account information in order to receive a monetary reward of some sort. What they usually offer in return for a small favour is a handsome compensation, an offer you simply can’t refuse.

USER HELPFULNESS is the last, but not least, emotion exploited in social engineering scams. Malicious campaigns designed to exploit helpfulness most commonly target customer support. Cybercriminals obtain partial information about an account holder and, through customer service, may acquire additional data such as bank account or credit card information. It is easily done, as people are conditioned to trust others based on their own values and moral framework, and it is difficult to always keep in mind that not everyone is operating with the same level of integrity.

People are the weakest link

People aren’t machines, and they make decisions based on emotions. Since they don’t always verify the accuracy or authenticity of every information source they encounter, they can end up making bad judgement calls. That is exactly what cybercriminals are counting on when designing social engineering scams.

The 2019 Cybersecurity Trend Report states that 65% of enterprises acknowledge social engineering to be the most serious security threat their business is facing. Employees are the guardians of important data, yet they are also the point of vulnerability for every system. Web form passwords, bank account information and credit card details can all be obtained through trickery and scams.

Fighting back with company governance and adopting a security mindset culture

There are a few simple processes and working structures which can easily be brought into any organisation if they are not already in place.

    1. User security training and employee awareness programmes will help your organisation stay on top of the game.
    2. Put a procedure in place that allows your employees to go to the right person when they receive a phishing email or a suspicious phone call.
    3. Make sure you educate your employees about the security procedures and why it is important to act in compliance with security protocols.
    4. People tend to forget, or can get lazy about, their security practices, which is why you need to schedule regular reminders so they do not drop their guard.

Adopting a security mindset culture is not about adopting a culture of working in constant fear of an attacker, but rather being mindful of the potential risks and threats.

The National Cyber Security Centre provides invaluable information, resources and assets to download and share across the business. We recommend making it a habit to visit the site regularly as part of your security mindset best practice.

One thing you can do which costs nothing, but takes you one step further towards protecting yourself and your business, is to sign up for one of our free vulnerability scans. Working in partnership with Qualys, our free scan can identify points of vulnerability or potential issues, and we provide recommendations on how to resolve them so you can remain focused on keeping your business protected from online security threats.

Why trust us? After all, we’ve only just been warning you about the sophisticated ways scammers operate and telling you not to trust people. We are Cyber Essentials Plus verified and ISO 27001 accredited, both of which can be checked and confirmed.

If you have any questions, concerns or issues about your online security and how to keep your business and employees protected, then give us a call on +44 (0)20 3745 7706 or email us at [email protected], where a craftsman will be happy to help.
