Beyond the firewall: How social engineers use psychology to compromise organizational cybersecurity

A Social engineering attack is the process of exploiting weaknesses in human psychology to manipulate and persuade others to perform in a way that is harmful. Prior to the digital age, criminals would carry out these attacks in person, in what was known as a confidence game.  The perpetrators were referred to a “con men”, regardless of their gender. 

In the cybersecurity realm, these attacks are carried out to gain access and compromise systems, obtain valuable data, tarnish the company`s reputation, or execute a destructive action from someone else. Social engineering is used mostly to circumvent security controls such as firewalls, endpoint detection, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).

According to a report by Purplesec, cyberattacks employ social engineering 90% of the time, and according to a study on ZDNET, the average organization is targeted by over 700 social engineering attacks each year.

Imagine a scenario of an employee in an organization who receives an email from a subscription service of a known software application used by the organization. The email urges the recipient to log in from the organization`s email system to avoid freezing the account due to inactivity. The email will also provide a link directing to a fake login website. When the employee clicks the link and logs in entering legitimate credentials, the threat actor receives the credentials captured by the fake login page. Now the threat actor can access the company’s systems and confidential data.

This is a classic social engineering scam known as a Business Email Compromise (BEC) attack. The threat actor created a phishing email to generate a sense of urgency to drive the employee to log in without properly checking the email, and through reconnaissance techniques, the threat actor has managed to obtain information about the employee`s email address and the web-based applications that the company uses.

The social engineering attack sequence

A four-step sequence is used for social engineering attacks. Depending on the target, various stages can be repeated to make the attack successful:

1. Information gathering

A huge amount of time is invested in this phase. Verbal communication methods such as phone calls, or written communication can be used to gather information about a targeted organization. In more extreme examples, physical methods such as shoulder surfing, intrusion/role-play, tailgating, and dumpster diving can also be used. Technical methods such as online searches, and utilizing Open-Source Intelligence (OSINT) tools are used to gather information. These methods, known as pretexting can yield valuable information.

2. Establish a relationship and rapport

Maintaining a deceptively harmonious, positive approach with the target by using a couple of factors such as sympathy, validation, quid pro quo, asking questions, and ego suspension are used to establish trust. Sharing personal stories, and providing a sympathetic ear to the target, or using impersonation and authority to get the target to provide information are also common, yet different techniques.

3. Exploitation

The social engineer uses both the information and the relationships to infiltrate the target without raising suspicion while maintaining the gained trust. Examples of successful exploitation include the threat actor being allowed in the facilities, exposure of trade secrets, disclosure of passwords and usernames over the phone, or opening an infected mail attachment.

4. Execution

This is the final stage of the social engineering scam.  If successfully carried out, the attack ends before the target even notices. The target might even assume that they did a positive thing, and further future interactions might continue. Two goals are accomplished at this stage, first, the target doesn`t know an attack took place, and second, the attacker keeps his true identity hidden.

Six major principles of influence

In the book, “Influence: Science and Practice”, psychologist Robert Cialdini identifies Six specific vulnerabilities in human psychology:

1. Reciprocity – This is the feeling of responsibility for repaying a favor. We feel obliged to help the people who helped us. Social engineers use this psychological tactic to manipulate targets into getting what they want.
2. Commitment and consistency – If someone previously committed to an idea or goal, it is more likely that idea or goal will be agreed upon and accepted again. This tactic is used for manipulation. For example, once when someone makes a decision, presumably they stick to it, or can be pressured to act on it again. If a request was made previously, being consistent with it adds validity to the original commitment.
3. Social proof – Also known as the bandwagon effect, people tend to trust based on the actions of others. False evidence of social proof can be provided to influence a person.
4. Liking – People are more likely to be influenced by ideas proposed by people who they like.
5. Authority – People tend to obey authoritative figures who have control or influence over others. Valuable information can be obtained by impersonating someone who has a higher position in the company.
6. Scarcity – This is a psychological vulnerability that creates a sense of urgency to make quick decisions. The value of something increases when it`s rare, available only during a limited time period or in limited quantities. Scarcity influences people to make unintentional decisions.

Five emotions that social engineers use against you

1. Greed – Greed is an intense and selfish desire to acquire something. A phishing email offering free subscription services, discounts, and rewards would lure many unknowingly to harmful actions.
2. Curiosity – The desire and interest to know something is sometimes a vulnerability for social engineers. Messages involving popular or sensitive topics, or links to risqué photos will quickly gain attention from someone.
3. Urgency – Fake security alerts such as urgent bank notifications, virus notifications, account login, and password change notifications will generate a feeling of urgency to make quick decisions without a second thought.
4. Helpfulness – People tend to be more helpful towards others when they are in need, this quality is exploited in ways such as asking for fake donations, assistance, and information.
5. Fear – Fear is among the strongest emotions to raise anxiety. This becomes a powerful manipulator, and the attacks that use fear are more likely to be successful. An urgent bank account compromise notification is a common instance that generates fear in someone, and may cause them to click an infected link to take action to correct the problem.

Cyberattacks tend to be more effective and easier to execute when they rely on human interaction. Rather than using sophisticated cyber-attack methodologies, threat actors can work their way towards compromising systems just from the natural habits, preferences, and personality of an individual.

Various psychological tactics are used against human vulnerabilities to carry out social engineering attacks. Proper awareness, training, strong policies, and procedures will limit the chances of organizational security getting compromised by these attack methods.

About the Author:

Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security. 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.