Whenever the topic of cyber crime comes up, leaders at organizations everywhere often have one question: How do fraudsters and hackers convince so many people to hand over their passwords? The simple answer is social engineering.
People are social by nature, with a decision-making process that is highly responsive to the people around them. Some cyber criminals exploit that sociability, using the tricks and tactics of social engineering to gain a user's trust and then abuse it to commit a crime.
Social engineering is not new and not always bad. But when it comes to cyber crime, social engineering attacks can lead to outcomes that hurt your business and your customers. Here’s what to know and how to reduce your risk.
Where Social Engineering Comes From
The concept of social engineering is thought to be more than 100 years old. The first known use of the term appeared in an essay by the Dutch industrialist J.C. van Marken in 1894. As the founder of a yeast and spirits factory in Delft, van Marken coined the term while exploring ways to motivate and reward factory workers for increasing their productivity.
Later, Edward L. Earp expanded on the idea with a 1911 book called The Social Engineer. Earp was an American seminarian concerned with philanthropy and societal issues. In his book, Earp theorized that an educational approach to social problems could help minimize conflict and improve society. This type of social engineering has evolved to play a key role in many areas of life, including business, culture and politics.
Examples of social engineering can also be found in the history of pop culture, particularly in stories about spies or conmen. In the James Bond spy series, the hero 007 is often approached by female spy characters attempting to either trick him into divulging secret information or to lure him into a trap. Similarly, the film Catch Me If You Can depicts Leonardo DiCaprio as the real-life conman Frank Abagnale, as he cons authorities with his impersonations of pilots, doctors and Secret Service agents.
How Social Engineering Uses Psychology
In some ways, the social engineering of modern-day cyber criminals isn’t too different from the spy intrigues of James Bond or the confidence games con artists like Abagnale used to play. Online hackers use similar psychological tricks and tactics on CEOs, company employees, business clients and retail customers.
When you are a victim of criminal social engineering, you are tricked into revealing sensitive information or granting access to secure systems, often without realizing what you are doing. Part of the trick is the psychology that gets you to say "yes" to a cyber criminal's request without thinking about it.
As one of the top experts on persuasion, Robert Cialdini has spent his career studying what leads people to say “yes” to requests. His work has led him to be the Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University, a best-selling author of books with titles including Influence and Pre-Suasion, and an advisor to VIP clients like Google, Coca Cola and NATO.
Cialdini is famous for identifying six “principles of persuasion” that can cause people to say “yes” even when they normally wouldn’t. A closer look at each principle can help explain why a cyber criminal’s social engineering works so well on its targets:
The first principle, according to Cialdini, is reciprocity. If someone receives a gift, there is a strong impulse to respond in kind. The results can be significant: in one study, nearly half (48%) of people approached with a small gift of chocolate were willing to give up their password.
Cyber criminals frequently offer gifts to their targets in the hopes the reciprocity principle will pay off. Offers of free coupons, downloads, discounts and more are used to get targets to provide something in return, such as clicking a link, visiting a website, filling out a contact form or logging into their account. When the target does so, it can compromise their cyber security. Checking out a free online offer before accepting it can reduce your risk of getting hacked.
Cialdini’s scarcity principle says that limited supplies and approaching deadlines can cause people to take action when they otherwise wouldn’t. This happens because people tend to value something more when they are told there is a limited supply. One research study found that test subjects judged an offering of cookies as most appealing when there were only a few cookies left.
The scarcity principle works well for cyber criminals, too. A malicious download that’s only available for the next 24 hours or a discount offer limited to the next 10 people who fill out a signup form are examples that work better because of the advertised scarcity. Another tactic can involve fraudulent messages telling you an important account will be deactivated or deleted in 24 hours unless you click the hacker’s link to resolve the problem. In any case, taking action before making sure the offer is legitimate and safe can let attackers into your system.
Authority figures can greatly influence thoughts and actions, according to another of Cialdini's principles. Orders from officials, leaders, bosses, doctors, teachers and first responders often go unquestioned, even when there are doubts about whether you should follow them. In one infamous study known as the Milgram experiment, a researcher was able to convince study participants to operate switches they were told would deliver electric shocks to a person in another room. While many of the participants had misgivings, most complied because of the authority of the researcher.
Cyber criminals targeting organizations will often exploit the authority principle. A social engineering target might receive an urgent email that appears to be from their supervisor, their CEO or a VIP client. The message requests login information or help completing a financial transaction. Despite having security procedures in place that forbid exactly this, many workers will comply with the hacker's request because of the perceived authority. When they do, accounts can be compromised and funds can be stolen. The procedure that defeats this attack is simple but must be followed every time: confirm any request to move money or share credentials through a second channel, such as a phone call to a number you already have, never by replying to the message itself.
Integrity is highly valued in social settings. The consistency principle says that people not only value consistent behavior from others, they also worry about being consistent in their own thoughts and behaviors. This often results in your prior statements or actions influencing your future behavior. For example, a study asked hotel guests to commit to environmentally helpful behavior and found that the reuse of towels went up 25%.
When it comes to cyber criminals, the consistency principle can be a powerful tool. If a target agrees to complete a request later, they may be more likely to do so, even if they have misgivings. Hackers may also lead a target into breaching their own safety protocols over several smaller steps, instead of one big leap. Because the previous requests for clicks or information did not lead to a hack, a target may be more willing to comply with a future one that does.
It’s easier to say “yes” to a friend than a stranger. For Cialdini, this is called the liking principle. Being likeable, doing nice things for someone and cultivating friendships are all things you might do when you need someone to trust you and comply with your requests. Research has shown that people are more likely to comply with a request if the person making the request has just done something nice for them, such as bringing them a free soda.
Some cyber criminals will exploit the liking principle to more easily convince a target to comply with their request. Since a hacker will always be a stranger to you, it makes sense for them to pretend to be someone you already know. A cyber criminal will either impersonate someone you know with a fake account (often a lookalike address or a familiar display name on an unfamiliar address) or gain access to the real email account of someone you know, such as a friend or coworker, and then make their request. Whether the lure is a malicious download, website or form, the result is the same when you comply: your security is compromised. Because a compromised account passes every check of the sender's address, an unusual request from a known contact deserves the same out-of-band verification as one from a stranger.
Group dynamics are another key to human nature. The consensus principle says that the people around you tend to influence your thoughts and actions, particularly when there is uncertainty. It can be very persuasive when a group forms an opinion about how to think about something or what to do in a particular situation. In one experiment, researchers gathered individual opinions about an optical illusion. The opinions on how much a dot of light was moving varied, until the participants were placed in groups. Then opinions reached a consensus and remained fixed, even after the groups were broken up again.
For cyber criminals, the consensus principle means that a target is more likely to comply with a request if they believe other people are also doing so. This is often exploited in times of crisis. Numerous cyber scams have referenced Covid-19 and the war in Ukraine in attempts to gain access to systems or solicit donations. Some messages will even claim that a list of people you know has also downloaded a file or made a donation. Such claims cannot be checked from inside the message and should carry no weight in deciding whether it is legitimate.
How to Manage the Risks of Social Engineering
A lot of cyber crime involving social engineering is difficult to protect against because the tricks used so easily exploit your natural instincts and behavior. However, learning more about the risk can make it easier to spot when you’re being manipulated.
If you receive an email message that appears to use one of Robert Cialdini's six principles of persuasion, slow down. Carefully examine the message, the sender, the links and the attachments before responding, clicking or downloading anything: does the sender's address match the display name and the organization it claims, does a Reply-To header send your answer somewhere else, does the text of a link match where it actually points, and does the wording push you to act before you can think? Sometimes the message may be legitimate; your real friends and colleagues could be sending a genuine request. However, there is also a good chance the message is not real. If unsure, follow your organization's security protocols and use a different method of communication, such as a phone call to a number you already have on file, to verify that the request is legitimate.
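The checks described above (sender versus display name, Reply-To mismatch, urgency and authority wording, link text versus link target), written out as an added example that is not part of the original article or of any product it mentions. It uses only the Python standard library; the sample message, the keyword lists, the severity labels and the trusted domain are assumptions constructed for this demonstration, and a real deployment would tune them to its own mail.

```python
"""Added example (not from the original article): flag social-engineering cues
in a raw email message.

Checks the sender (display name vs. address, Reply-To mismatch), the text
(urgency, scarcity and authority wording) and HTML links (visible text vs. real
target). Keyword lists, severities and the sample message are assumptions
constructed for this demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a "CEO" asks for an urgent wire from a lookalike domain
# (examp1e-corp.com, digit one instead of the letter l) with a foreign Reply-To.
SAMPLE_EMAIL = """\
From: "Dana Reyes - CEO" <dana.reyes@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
To: controller@example-corp.com
Subject: URGENT wire needed before end of day
Content-Type: text/html

<p>I am in a board meeting and cannot talk. Please process the attached
invoice today. This must be done in the next 2 hours or we lose the deal.</p>
<p><a href="http://login-example-corp.com/verify">https://example-corp.com/portal</a></p>
"""

# Wording that leans on the scarcity/urgency and authority principles (assumed lists).
URGENCY_TERMS = ["urgent", "immediately", "end of day", "within 24 hours",
                 "next 2 hours", "deactivated", "suspended", "or we lose"]
AUTHORITY_TERMS = ["board meeting", "cannot talk", "directed", "on my behalf"]

# Minimal HTML anchor matcher: captures the href and the visible text.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def analyze_email(raw, trusted_domain):
    """Return a list of (severity, finding) tuples for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Sender: the domain must be the one the message claims to speak for, and a
    # display name that asserts rank is itself a cue (authority principle).
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != trusted_domain.lower():
        findings.append(("high", f"From domain {from_domain!r} is not {trusted_domain!r}"))
    if re.search(r"\b(ceo|cfo|president|director)\b", name, re.I):
        findings.append(("medium", f"Display name {name!r} asserts authority"))

    # Reply-To pointing at another domain routes the victim's answer to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(("high", f"Reply-To {reply!r} goes to a different domain than From"))

    # Subject and body: look for pressure wording.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(("medium", f"Urgency/scarcity wording: {hits}"))
    hits = [t for t in AUTHORITY_TERMS if t in text]
    if hits:
        findings.append(("medium", f"Authority wording: {hits}"))

    # Links: visible URL text that differs from the real target is a classic lure.
    for href, visible in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", visible).strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(("high", f"Link text shows {shown!r} but points to {href!r}"))

    return findings


def risk_level(findings):
    """Collapse findings into a verdict; any high finding means verify out of band."""
    if any(sev == "high" for sev, _ in findings):
        return "verify out of band"
    return "review" if findings else "no cues"


if __name__ == "__main__":
    results = analyze_email(SAMPLE_EMAIL, "example-corp.com")
    for sev, finding in results:
        print(f"[{sev}] {finding}")
    print(risk_level(results))
```

On the constructed sample the checker reports three high findings (lookalike From domain, foreign Reply-To, link text that does not match its target) and three medium ones, so the verdict is to verify out of band. Keyword matching is deliberately crude; the structural checks on sender, Reply-To and links are the ones that survive an attacker changing the wording.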
While cyber security training can reduce the likelihood of falling for a social engineering scam, it can’t completely eliminate the risk. Businesses lose millions of dollars every year to hacks that often start with a simple social engineering scam. To protect yourself, make sure you have the right insurance.
CyberLock Defense is a one-of-a-kind cyber liability policy that offers comprehensive coverage at rates more affordable and more accessible than other cyber liability policies that are available. Coverage can help defend against cyber criminals, covering costs related to cyber attacks, privacy breach notification expenses, litigation, loss of income and regulatory fines and penalties. To learn more, visit CyberLockDefense.com.