Cybercriminals exploit numerous vulnerabilities when attempting to break into a network. Did you know that the most readily exploitable vulnerabilities are your employees or even yourself?
According to a study by KnowBe4, 70%-90% of breaches result from social engineering and phishing attacks. But why are humans so susceptible to these types of attacks? It turns out human nature is to blame.
Until we are given a reason to be suspicious, we tend to assume those around us are harmless. Unfortunately, we don't always see the signs of suspicion that exist, and the human mind is very susceptible to persuasion.
According to behavior psychologist Robert Cialdini, individuals create influence over others in seven significant ways. These tactics are often used in social engineer attacks to achieve an attacker's goals.
Let's take a look at these seven methods and how social engineers use them:
When someone goes out of their way to do something kind for you, you will feel compelled to return the favor. Imagine a receptionist at the front desk responsible for allowing or disallowing guests access to an office.
Suppose a social engineer comes across as kind, bringing the receptionist coffee or donuts, or merely complimenting her. In that case, the receptionist may feel more compelled to allow the social engineer access to the office if he says he has forgotten his badge.
Read more about physical social engineering exploits here.
Scarcity is used to make a person feel a sense of urgency. For example, if someone receives an email stating that they need to act immediately or miss out on an exclusive offer, they might throw caution to the wind and click a malicious link.
Humans tend to obey others that they perceive to have authority. In social engineering, an attacker may con a victim into believing that they are an authoritative figure.
Imagine you receive an email that you think is from the vice president of your organization. If that person demands that you do something immediately, you are more likely to comply.
Learn more about how hackers target high-permission leaders or senior employees here.
When you like a person, you'll feel more compelled to help them out when they ask. Social engineers know this too. The best con-men are the ones who are friendly and charismatic.
5. Commitment and Consistency
Upon the first encounter with a social engineer, you may brush them off. However, if they continually show up in your life in a consistent manner, you may begin to feel some sort of allegiance to them. If they ask you to do something, and you agree, they will be sure to hold you accountable to your commitment.
6. Consensus/Social Proof
You have likely heard of the term “herd mentality.” It’s often used to describe behavior that occurs during riots. Essentially, we are more willing to engage in an activity if we see others do it first.
An example of this being used in social engineering would be when the attacker claims that a colleague of yours provided them access last week, so you should do the same.
We are more receptive to individuals who we identify with. If you are a low ranking member and feel that you are not receiving enough respect, you will likely be more open to someone if they tell you that they can relate to your pain.
Attackers are desperate to turn these methods of influence into financial gain. There are countless ways that attackers can manipulate human psychology, but some techniques seem to be more successful than others. For example, a prevalent and effective method is to include a dialog box within Microsoft documents stating that macros must be enabled. Once the macros are enabled, they can trigger the installation of malware on the user’s system. Let’s look at a few of the other most effective techniques used by social engineers.
- Sextortion - Cybercriminals catphish their victims into sending compromising videos or photos while pretending to be a prospective love interest. These videos and images are then used to blackmail the victim.
- By Affinity - This attack occurs through the use of unity. Cybercriminals work to identify with their victim and build a level of trust. Criminals typically use lower-ranking employees and more accessible people within companies to get information about other, better-positioned employees in the business hierarchy.
- False Recruiter - Employees regularly receive messages from headhunters, especially if they are actively looking for a new job. Most employees won’t suspect that the recruiter they are dealing with is only dangling a potential new role in front of them to gather information about their current company.
- Older Trainee - Younger or less experienced employees might be keen to receive advice and network with individuals who pose to be experts in the field. An attacker posing as a helpful mentor may be able to find in-depth details about that employee’s role in the company and how the company handles privacy and security.
- Bots - A bot refers to a computer that has been infected by malware and is now controlled by an attacker. A large group of bots is known as a botnet. Bots can infect web browsers and hijack sessions. Suppose your computer becomes a part of the botnet. In that case, that computer may be used to send unsolicited messages to your friend and family, enticing them to click on malicious links to add their machines to the botnet.
How Would You Staff Fair Against Human Manipulation?
While antivirus software, anti spam programs, and other security controls are important to have in place, the best way to ensure that a social engineering attack fails, is user training.
Do you believe that your organization and employees are susceptible to these types of attack techniques?
If so, schedule a call with Mitnick Security to learn more about Social Engineering Strength Testing.