A large firm’s receptionist receives a phone call. On the other end of the line, a rather anxious young woman tells her a story. A few hours ago she had to leave home in an emergency because her son fell ill, and they are now at the hospital waiting to be seen. The receptionist is worried because she is also a mother, although as yet she does not really know the identity of the caller or why she is phoning.
The anxious young woman says her name is Maribel, the secretary at Influences Corporation, one of the firm’s well-known clients. Today, Maribel’s boss asked her, without fail, to send a quote to the chief accountant of the company she is calling, but in the rush she left behind her laptop, where this person’s e-mail address is stored. She has a copy of the file containing the quote on her mobile phone, but she does not have the e-mail address.
The young woman says she will probably get fired, as, on account of her son’s illness, she has already had to miss work several times, and it is very difficult to balance caring for her son with a high-responsibility job such as hers. Obviously, she does not want to call her boss and tell him that she cannot cope or that, on top of everything, she has taken yet more time off work. So, in her desperation, she has decided to call the firm in case someone can give her the e-mail address of the head of the accounting department.
The receptionist hits a few keys and after a couple of seconds asks her to jot down the e-mail address. In between sobs, the young woman thanks her and hangs up.
A few days later, the chief accountant’s e-mail is hacked and the firm is ripped off for thousands of euros.
It is quite likely that, sooner or later, a good hacker could have gotten his hands on the chief accountant’s e-mail account, but why go to such lengths to hack a system if we can just call the receptionist? We human beings are a lot more accessible and ‘hackable’ than any system or machine.
Social engineering has proven to be one of the most powerful, friendly, low-cost hacking techniques that can be deployed.
In fact, it is a technique that was used long before any machine, or even hacking, existed. It basically consists of obtaining information from other people in order to achieve something.
That something may be gaining access to bank accounts, a password or a chief accountant’s e-mail. Sometimes, extracting that information requires influencing or misleading someone else or, on occasions, simply watching which keys they hit when writing their password or glancing at the post-it stuck to the screen where the system login password is noted down.
This latter approach may seem less ‘glamorous’ than a hacking technique, but it is surprising how much can be learned just by keeping a watchful eye. Much as spies can gather more intelligence by standing at the bar of a pub than by spending hours interrogating someone, social engineering can sometimes obtain very valuable information simply by retrieving from a company’s wastepaper bin the scraps of paper that are thrown away, or the sheets whose reverse side has been reused to avoid waste. It would not occur to anyone to leave a client list lying around, but if we have made too many copies, we might recycle them to jot down orders and then inadvertently leave them next to the coffee machine.
But, as we are in ‘glamorous’ mode, we are now going to analyze in greater depth the main approach to social engineering, the one that uses specific psychological techniques and social skills to get hold of information. As mentioned earlier, this may entail some deceit or… not that much, in fact. Let’s imagine that the young woman who called the firm’s receptionist had been telling the truth. Either way, she would have gotten her hands on the ‘confidential’ information and would have used it to mail the quote and save her job. In that case, there is no deceit at all. Social engineering is precisely that: obtaining information, whatever it is used for later on.
For starters, in order to understand what social engineering is, let’s consider two very simple yet basic elements.
The first of these is the fact that human beings are social animals: they live in groups and they develop in groups. The human species would not have achieved what it has without cooperation between its members, without working as a group and drawing on group synergy. This means that people are willing to cooperate and to share; it forms part of our DNA.
The second element is something unique to human beings: language. Our ability to communicate with each other through language has enabled us to develop enormously. Conveying knowledge through communication allows us to learn without having to experiment for ourselves and this, as occurs in social engineering, saves us a lot of time.
These two elements are the cornerstone for carrying out social engineering. Now all that remains to be done is to analyze in depth the psychological strategies with which we are going to influence others so that we can lay our hands on the information, the ‘brain hacking’ techniques.
We cannot do this without referring to Cialdini, a psychologist who studied car dealerships, sales reps and telemarketing workers in order to find out how these employees succeeded in convincing and persuading customers and buyers.
Such convincing is primarily achieved through communication. Via a persuasive message, we can get someone to behave how we want them to, to buy a car, to make a donation to an NGO or to share their passcodes with us so that we can carry out transactions using their online banking.
Persuasion pursues a goal and is valuable in the sense that we have been persuasive if, in the end, we manage to get the other person to do what we want them to. To cite Aristotle, we are persuasive if we succeed in getting someone to do something they would not otherwise do if we just asked them to do it. To put it another way, persuasion means mobilizing the other person, making them act.
According to Cialdini, there are 6 principles that guide the persuasion process:
Reciprocity. This principle is based on the cooperation we mentioned earlier and consists in the fact that people usually treat others in the same way as they themselves are treated. If we receive a gift from someone, from a brand or from a company, we feel the need to give something back in return, by buying one of that brand’s products or by being a good employee.
If we receive an e-mail offering us a discount on some purchases in exchange for sharing information, we feel indebted to the sender for this reward and, as a consequence, we are very likely to tell them our phone number uncomplainingly.
Authority. In this case, we are more inclined to let ourselves be influenced by someone of recognized standing, success or authority. It is not that George Clooney coerces, contrives or forces us to buy a Nespresso; it is just that his position as a famous actor exudes credibility. If HE likes it, it must be good.
If we receive an e-mail from our bank manager saying that our account has been frozen and we need to log in with our passwords, this generates more trust in us to do it without giving it a second thought.
Commitment and consistency. According to this principle, we more readily accept things that are consistent with our way of acting or thinking. We feel at ease when we behave how we think we should behave, when we are consistent and true to type.
One day, we receive an e-mail from our bank congratulating us on being a responsible customer with regard to our bank account security. According to an in-house survey conducted by the bank, our account has been singled out as having a high security level and we have been recognized as a committed, reliable customer.
A few days later, another e-mail advises us to update our login passwords to our online banking. In order to do this, we have to click on a link and create a new username and password. Needless to say, we will act in keeping with our ‘super-secure customer’ profile and fall for the phishing bait.
Scarcity. We are always willing to obtain, or to take an interest in, something that is scarce or difficult to access. We attach great value to anything we believe is unique or ‘one-of-a-kind’. That is why we like exclusive offers that are ‘valid while stocks last’. This also explains our receptiveness when we have been selected as one of only 5 users who can download the latest version of our favorite game. It might be a Trojan, but we only focus on being one of the lucky five.
Social proof. This consists in adapting to the majority opinion, accepting or rejecting something on the basis of what other people think. As we mentioned at the beginning, we are social, cooperative animals, so we let ourselves be swayed by what the group thinks. This is what makes us buy products others have a high opinion of, even though we may not really be sure that they are what we are looking for.
If we receive news and messages against a specific political party, they might influence our vote in upcoming elections.
Liking. This principle consists in the attraction, fondness or affinity we feel for other people. We are more ready and willing to buy a card if it is sold to us by an attractive sales rep, or to follow a relative’s advice. This explains why our receptionist gave out the chief accountant’s e-mail address. She empathized with the girl and her problems, and so allowed herself to be persuaded to share information that would never have left her lips if not for the persuasive message.
Cybersecurity has to recognize these strategies, although it must be said that it is difficult to fight against social engineering as a hacking tool, as this means fighting against our very essence, against the ways of thinking and behaving that are proper to human beings. The only thing left for us to do is to be aware that our brain can also be hacked and that it needs its own specific antivirus or firewall.
We must not forget that people are cybersecurity’s weakest link.