Psychologically, we carry a powerful tool called trust. Trust increases our comfort level to allow us to speak and act more freely. But what if someone could develop an algorithm that could create trust, as human relationships do?
Such an algorithm would make the human a part of the trust equation vulnerable. This kind of manipulation is known as social engineering, something that hackers rely on for 98 percent of attacks. In the FBI’s 2018 Internet Crime Report, 26,379 people reported being a victim of a social engineering attack—costing nearly $50,000,000 in losses in just one year.
A social engineer will manipulate their target using email, phone, or in-person tactics to acquire confidential information. Through observing personal mentalities, reoccurring routines, and relationships, the social engineer can develop the appearance of an individual you might naturally trust.
The Structure of Social Engineering
There are three main categories of behavior that a social engineer might use to manipulate and exfiltrate information from a target.
1) Pretext (Identity Development)
To develop a trustworthy identity, the social engineer must combine the target’s personal information, the context, and their goals. For example, this actor could be impersonating members of your IT team, a vendor, a bank representative, a new coworker, or a mutual friend. Doing this well requires dedication and time, further enforcing the credibility of the relationship.
Examples of credible behaviors include:
- Credibility #1: Knowing your name.
- Credibility #2: Knowing what department you work in or interact with.
- Credibility #3: Basic knowledge of your technology usage (to impersonate a vendor).
- Credibility #4: Knowledge of personal and/or professional relationships to impersonate mutual friends or colleagues.
- Credibility #5: Incorporating environmental sound clips to enforce life-like situations; e.g., playing the sound of a crying child in the background of a phone call.
To do this, the social engineer will gather as much information as they need about your life, behavior, and interactions. This is known as Open-Source Intelligence. They may choose to use a tool like Maltego to develop a database of information that correlates to you. Look at this tactic as a game of “connect the dots,” but each dot represents some sort of information about your life.
2) Psychological Influences
We naturally pay attention to a few key details when someone first interacts with us. Using some caution will help us determine whether we can trust this new person. In doing so, we might ask ourselves:
- Does it make sense for this person to reach out to me?
- Does this person behave in a trustworthy manner?
- Does this person have authority?
- Does this person truly understand the topic we’re discussing?
Generally, the answers to these questions help us flesh out the eight characteristics (depicted in the graphic below) that feed into the psychological influence others have on us:
- Consistency
- Authority
- Obligation
- Social Proof
- Liking
- Commitment
- Concession
- Scarcity
Social engineers can work surprisingly hard at improving their “scores” in each of these areas, thus making their target more vulnerable to manipulation. They do this through trial and error. The social engineer needs confidence in each psychological influence characteristic they choose. For example, if they choose to manipulate via authority, then they should be aware of the type of authority their victim expects.
3) Rapport
Rapport represents a close and harmonious relationship that features agreeable communication, feelings, and ideas. For a social engineer, building rapport with a target requires the successful utilization of multiple factors:
- Validation
- Asking questions
- Time constraint
- Employing sympathy
- Quid pro quo
- Slow speech
- Ego suspension
These factors aid in the development of this false relationship by creating a sense of comfort and harmony. An actor might employ sympathy by expressing a need for the target’s help as they face a family emergency, or they might call on quid pro quo to subtly pressure the target into “returning a favor.” The goal is to establish some human connection and a “you scratch my back, I’ll scratch yours” bond between the social engineer and his or her target.
Putting it all together:
As an example of how these strategies play out in real life, let’s look at an interesting social engineering attack that happened in October 2019. Take a minute to read through that Twitter thread for the full story.
As you read about this interaction, notice the social engineer building the proper pretext, general rapport awareness, and the psychological influences we’ve discussed here. Also notice how, once the attacker started establishing trust with the victim, the victim was beginning to provide the attacker more and more information. Fortunately, as the victim became more aware of what was really happening toward the end of the conversation, this incident was stopped before it could continue to escalate.
Defending Against Social Engineering with Security Awareness
The most common types of social engineering attacks range from email to in-person to phone conversations. Having various methods of communication increases the likelihood of success for the social engineer. This is why it is of the utmost importance that you remain vigilant when accepting any type of message.
- Email: A social engineer will develop a specifically structured email to deceive the recipient into providing information, opening an attachment, and/or clicking links. If anything does not appear correct in an email, or you receive it unexpectedly, directly report it to your employer. If you receive an email on a personal account, call the company the sender claims to represent by searching for their proper customer service phone number, and discuss the email that you received.
- In-Person: Sometimes, threat actors will pose as employees or vendors in hopes to gain access to secured locations or information. In a business environment, encourage proper badge-ins at all entry points—no tailgating! If you see someone behaving abnormally or attempting to access a private location without proper authority, immediately report it to a supervisor or building security.
- Phone (Voice): If you receive an unexpected phone call, verify and ask for the caller’s name, company, and callback phone number. In many cases, the social engineer is using a spoofed number that cannot be reached directly. If the social engineer is unprepared to answer these questions, they may abruptly end the call. Regardless, you should never give personal information over the phone.
- Phone (Text): Similarly to email correspondence, the social engineer will attempt to have you download, visit, or call malicious sources. These texts may simulate a sense of urgency to ensure you participate without a thorough analysis of the context. Again, direct communication with the support team of the supposed company can verify the legitimacy of the message.
What to Do If You Encounter a Social Engineer
Please be cautious in revealing information about yourself or your employer. If an unfamiliar face approaches or interacts with you, do not hesitate to go to a trusted source—such as your manager—to verify the legitimacy of that person and the reason they offered for speaking with you. If you receive emails, calls, or texts that request detailed interactions or information, please reach out to the appropriate company and verify the sender.
Overall: Slow down, do appropriate research, be aware, reach out for help, and be safe.
Elias Abouzeid was a member of the Calder7 team at Relativity.