Social engineering is a method to manipulate people into doing something, such as divulging confidential information. It could be seen as the hacking of the human mind.
Compared with software, for example, the human mind has far more vulnerabilities, and they are significantly simpler to find and exploit, since exploiting them requires no special expertise such as programming or computer languages.
To become aware and protect ourselves against this form of hacking, we need to look at the psychology and methods used by social engineers.
Let’s start with a phone call:
“Sir, we have had a power outage here, we are in a hurry and can’t restart without the master-boot-password. Would you please tell me? It’s just a mess here!” This may be a call received by a help-desk that a security consultant immediately identifies as an attempted social engineering attack.
Although this may be one of the most often used tricks, some social engineering methods may be less obvious and less noticeable.
For example, a salesman could use information from the social media account of an employee in the purchasing department of a potential customer to get on his good side. Or a senior citizen could get a call from an investment consultant telling him he could make millions out of a very new and very secret investment opportunity if he will only pay 10.000€.
Social engineering is a method of influencing people and prompting them to behave or act in a certain way. It often happens when you’re not expecting it, and in some situations you won’t even find out that you were part of it.
The easiest way to learn about social engineering is to imagine being a social engineer. Pretend for a minute your goal is to steal a very expensive television from the conference room of a hotel. You might decide to masquerade as a technician, taking the television for maintenance. But before you do this, you’ll want to investigate the situation:
You will have to investigate how many employees the hotel has and what their jobs and schedules are. You should also check how the staff identifies and welcomes guests and workers. With that knowledge, you can determine whether they would stop a technician and ask where he or she is heading. If so, you’ll want to prepare a good explanation or even design a work order to show to employees asking questions.
You could plan to steal the television when a conference is scheduled, so the likelihood of being noticed is even smaller because of all of the other technicians there preparing the room.
Then, you should plan how to get the television out of the hotel. If you choose to walk through the lobby, you will have to pass the staff at the front desk. This could work in a large hotel where there is a lot going on, but it won’t in a small one. You will need another way out.
The limits of human behavior
When you stole that television (in your head), you likely encountered a number of employees who could have stopped you. Someone at the front desk could have asked to see your work order. One of the real technicians in the conference room could have seen that you were not a normal colleague and asked where you were from. Someone from maintenance could have seen you with a large television and asked where you were going.
So why didn’t they?
In order for someone to do that, they would have to:
- Notice you
- Figure out that something was wrong or that you are not a real technician
- Be aware of their responsibility to take action
- Know how to act with a potentially dangerous intruder
- Know what kind of action to take or who to call in this particular situation
This is simpler in theory than in practice, because of the steps you took to prevent these things:
- You act just like other employees in the hotel so nobody will even notice you.
- You wear the right clothes, have an “official” work order and have a toolbox with you.
- You make it look like you are doing normal, legitimate work. It’s not unusual to bring equipment from one conference room to another. You can also claim that this television is broken and needs to be repaired, or that it’s old and there is no longer any use for it.
- You threaten any employee who suspects you. You show your order to dismount the television and say the boss will be very angry if you discuss this any longer, because you’re in a hurry and he is wasting your time.
Why does this work?
It works because of normal human behaviour. First, when you look the part and play it with confidence, it’s unlikely anyone will guess your true motives. Second, ordinary employees aren’t very likely to question orders given by a supposed superior unless they become really suspicious.
The solution to this problem — and the way to prevent the loss of money, reputation or critical information through similar examples of social engineering — is to train employees to become confident in spotting and reacting to situations like these.
5 steps to take action
Security Awareness teaches the right actions to take at the right time:
- Explain possible incidents and their consequences. For example, a laptop getting stolen is an expensive loss of hardware but can also make confidential information vulnerable.
- Explain that it is normal to be cautious. Not every criminal looks like one. They come in all shapes and sizes.
- Show ways to take action and check situations without insulting people when your presumption is wrong. Make sure every employee knows where they can report suspicious situations.
- Teach about how everyone has a certain amount of responsibility and encourage them to take this responsibility.
- Train employees in how to behave or intervene in potentially dangerous situations without putting themselves and others at risk.
Training employees to recognize and respond to attempts at social engineering makes them more confident to act and to prevent damage from taking place. It helps to protect your money, reputation and confidential information.