5 Ways Social Engineers Crack Into Human Beings
These common human traits are the basic ingredients in the con-man's recipe for trickery.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt32b132c7c50fff1c/64f0d30447a6e3f3a3e342b3/1_SE_SS.jpg?width=700&auto=webp&quality=80&disable=upscale)
Social engineers use psychological manipulation to trick human beings into divulging sensitive information that can then be used to break into systems. SE scams also prompt people to take an action (like click on a bad link) that can infect a machine and allow a criminal to get in and start stealing data.
These attacks can take place human to human ("Hello, this is IT. Your computer is infected and I need your password.") or through email and social media, for example a phishing email that informs you that your PayPal account has been suspended.
But there are certain intrinsic qualities most humans possess that social engineers exploit in order to pull off their attacks, and knowing how they do it might help us guard against those exploits. Dark Reading spoke to social engineering experts for a breakdown of these traits, and of what happens when an SE finds a way to "break in" to human beings.
"Social Engineers use specific strategies for establishing trust and familiarity, often referred to as 'pretexting,'" says Margaret Cunningham, principal research scientist for human behavior with Forcepoint X-Labs. "Once they've established rapport and a positive first impression with their target, it is much easier to successfully request information or access to sensitive personal or organizational assets."
Once trust is established, SEs can pull information out of their target that the target might not otherwise disclose. Why does exploiting trust work on us?
Chris Hadnagy, founder and CEO of Social-Engineer, references a book called The Moral Molecule by Dr. Paul Zak, which examines how trust impacts a "feel good" chemical called oxytocin in the brain.
"Dr. Zak found that when you make someone feel trusted, it releases this chemical and the brain attaches that feeling to the object that helped release it. It is not controllable unless trust is broken."
Example:
Victor Lustig is one of the world's most notorious con men. He "sold" the Eiffel Tower a number of times, said Hadnagy.
"He shared a 'top secret' message with some very wealthy people," said Hadnagy.
The ruse worked by claiming the monument was being scrapped and the metal would be worth millions.
Lustig "made them feel a rapport and trust with him and they parted with their money," says Hadnagy.
"We all have a desire to be helpful and viewed as friendly," says Hadnagy. "It is built into us. Mix that with the world we live in now; people are isolated, alone, depressed. Now even a little kindness can go a long way to making a human connection."
Cunningham says SEs make the target feel as if they are doing something altruistic.
"Sympathy can be a powerful behavioral motivator for highly agreeable people, and SEs know that their storylines can be powerful tools for garnering sympathy."
SEs often deploy emotional tactics to build intense sympathetic responses in their targets, including tactics like playing recordings of babies crying.
Example:
"We are seeing a lot of this on LinkedIn impersonation attacks," says Hadnagy. "The type of attack where someone is asking for help with a report, as a reporter or as a student. We also see people asking for help with getting a job. Often these are attackers using this to gather intel on target companies so they know how to further attacks."
"Fear is one of the largest motivators in SE," says Hadnagy. "Fear is handled and processed by the amygdala, as are all emotions before the rest of the brain takes over. When the amygdala is hijacked there is no other processing in the brain - which means decisions will be made with emotion and not logic. Many a bad decision in human history, as well as in my own history, has been made in this state."
Example:
"Recent phishing tactics have capitalized on COVID-19," says Cunningham. "These attacks use official-sounding subject lines, reference the government, and vaccine manufacturer names. Knowing that people are worried and emotional about COVID-19, and in many cases very willing or agreeable to signing up for a vaccination appointment, these authoritative phishing emails can be highly effective."
Hadnagy says humans will naturally correct false statements and this is often how SEs exploit honesty.
"If we are driven enough, we will verbally correct a complete stranger, that is how powerful it is," he says. "This principle I mentioned is used by expert human hackers to exploit information from targets."
Example:
Hadnagy says he employs this strategy himself in pen tests and engagements. "I get birth dates and Social Security numbers from strangers by using this. Simply stating something like:
'I see you are so organized. You must be born in September, right?'
'Um, no, I was born in October.'
'Oh, wait, not the 31st, on Halloween?'
'No, the 13th.'
'Ok, cool.'
"Now, in a matter of a few seconds, I obtained their DOB. People want to be honest, and they also want to have truthful information out there."