{"id":77368,"date":"2015-06-30T21:25:01","date_gmt":"2015-07-01T01:25:01","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-18T15:42:21","modified_gmt":"2021-08-18T19:42:21","slug":"how-social-engineering-works","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/how-social-engineering-works\/","title":{"rendered":"How Social Engineering Works"},"content":{"rendered":"

From where I sit in my Bach Seat<\/a>, it is\"How<\/a> clear that cyber-attackers will try<\/a> anything<\/a> to penetrate your online security. They will even exploit human nature<\/a> to get access to a firm’s digital assets<\/a>. In the human world, people who exploit human nature<\/strong> are often called politicians, con-men<\/a>, or grifters. In the digital domain, we call it\u00a0social engineering<\/a><\/strong>. Most online attackers<\/strong> use some sort of social engineering to get users to do something risky.<\/p>\n

Social engineering psychological tricks<\/h3>\n

Here is a list of 6 psychological tricks<\/strong> that social engineers use to trick staff.<\/p>\n

\"\"<\/a>1- Reciprocation –<\/strong>\u00a0When people are provided with something, they tend to feel obligated and then repay the favor.<\/p>\n

2 – Scarcity<\/strong> – People tend to comply when they believe something is in short supply. As an example, consider a spoof email<\/a> claiming to be from a bank asking the user to comply with a request or else have their account disabled within 24 hours.<\/p>\n

3 – Consistency<\/strong> – \u00a0Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable. For example, a hacker posing as a company\u2019s IT team could have an employee agree to abide by all security processes, then ask them to do a suspicious task supposedly in line with security requirements.<\/p>\n

4 – Liking<\/strong> – Targets are more likely to comply when the social engineer<\/a> is someone they like. A hacker could use charm via the phone or online to win over an unsuspecting victim.<\/p>\n

\"stick<\/a>5 – Authority<\/strong> – People tend to comply when a request comes from a figure of authority. So a targeted email to the finance team that appears to come from the CEO or company president will likely prove effective.<\/p>\n

6 –\u00a0Social validation<\/a> –\u00a0<\/strong>People tend to comply when others are doing the same thing. For example, a phishing email might look as if it\u2019s sent to a group of employees, which makes each employee believe the message must be valid if other colleagues also received it.<\/p>\n

Conditioned to click<\/h3>\n

An article at Help Net Security<\/a><\/em> Proofpoint<\/a> argues that humans are psychologically conditioned<\/strong> (rb- Remember Pavlov’s dogs<\/a> from Pysch 101?<\/em>)\u00a0to click on links<\/strong>. Cyber-criminals leverage this conditioning by designing phishing emails\u00a0most likely to trigger your automatic click response.<\/p>\n

\"\"<\/a>Proofpoint says that social engineering emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department typically expects a <2% click rate on their advertising campaigns.<\/p>\n

Steps to protect against social engineering<\/h3>\n

They offer the following suggestions to protect against social engineering<\/strong> phishing emails:<\/p>\n

    \n
  1. Understand that you are not being targeted specifically, you and your machine are just collateral damage<\/strong>.<\/li>\n
  2. Upgrade your computer from Windows XP<\/strong> (as Microsoft is no longer providing security updates to the OS) or disconnect it from the internet \u2013 it\u2019s that dangerous.<\/li>\n
  3. Don\u2019t use simple predictable passwords<\/strong> that are easy to crack.<\/li>\n<\/ol>\n

    Businesses need to:<\/p>\n

      \n
    1. Put in place layered security<\/strong> to provide an in-depth defense against the latest attacks and malware.<\/li>\n
    2. Run awareness campaigns<\/strong> with your staff telling them not to click on links within social networking emails such as LinkedIn invitations. They should instead open their browser or app, log in, and manage their invites\/messages from there.<\/li>\n
    3. Deploy new technologies that combine big data security analytics with advanced malware analysis.<\/strong> These technologies provide predictive and click-time defense, end-to-end attack campaign insight. They also offer automated incident containment capabilities through connectors to your existing security layers.<\/li>\n<\/ol>\n
      Related articles<\/h6>\n