The psychology behind social engineering
Blog by Diana Selck-Paulsson, Threat Research Analyst/TDMC SecureLink
What makes individuals comply with malicious requests? Are there human traits that might be especially receptive to the art of social engineering? Research has found a number of characteristics that make some individuals more prone to falling for social engineering. Some behavioural patterns may be more hardwired in our brains than others. For example, finding a USB flash drive lying on the floor near the entrance of an organisation might trigger either the victim’s curiosity, or the urge to return it to its owner out of a desire to please or a sense of moral duty.
Courteous or careless?
Another example of this is tailgating. Tailgating is when a social engineer follows someone through a door while it is still open, and thus overcomes the first obstacle of physical access control, be it a door badge, a PIN code or another means of access control. Most individuals believe holding a door open for someone is common courtesy. A social engineer simply needs to exploit this human vulnerability to gain physical access to a target, or at least to overcome the first physical hurdle.
Another behavioural pattern that ensures compliance with a malicious request relates to building relationships. This kind of attack requires prior interaction: by interacting with the victim in a positive way, the attacker makes the victim more likely to trust them. Another human vulnerability that may be exploited is availability: when there is only a limited amount of time to make a decision. The availability trigger results in the victim reacting quickly without considering the possible risks.
This is how I was taught...
Similar to the tailgating example, there are other behavioural traits that might convince an individual to agree to certain requests if he or she thinks that this is something expected of him or her. Again, this may be returning the media storage to its rightful owner, holding a door open for someone, or assisting someone by providing sensitive information in order to solve a problem.
If an individual hesitates to comply in a certain scenario, an authoritative figure might remove any doubts. An individual is less likely to question a request received from an authoritative figure. A social engineer leverages this vulnerability by disguising himself or herself as an authoritative figure, such as a manager or even the CEO.
The initial level of trust
Another human trait associated with successful social engineering attempts is an individual’s initial level of trust. Individuals displaying greater trust levels are more likely to be manipulated and will exhibit lower social engineering resilience. Resilience can be defined as the ability to cope with a certain situation, such as an attack, by using one’s own social resources to resolve it. With low social engineering resilience, a victim has insufficient resources or skills to withdraw from the situation.
Aside from manipulation techniques, victims may also be unaware of the value and sensitivity of the information being requested. How could information about a supplier, like a cleaning company, be harmful?