Why Social Engineering Works: The Psychology Behind Hackers
We often tell our people that the human is the last line of defense in the constantly changing world of cybersecurity. However, the human is often the easiest defense layer to bypass, and that’s why hackers spend significant time focusing on social engineering.
In the 1980s, a behavioral psychologist by the name of Robert Cialdini proposed a concept called the Theory of Influence in his book Influence: The Psychology of Persuasion. His theory states that influence over others is created in the following major ways:
- Authority: People don’t like being uncertain. We naturally look for and follow authority figures.
- Commitment: People like to maintain consistent behavior.
- Concession: Concessions are often used in a social engineering context as a play on the human instinct to reciprocate.
- Liking: We listen to people who we like.
- Obligation: One feels they need to act due to some sort of social, legal, or moral requirement, duty, contract, or promise.
- Reciprocity: People don’t like to feel indebted to others.
- Scarcity: People are more likely to want things that they believe are in limited supply, are exclusive, or that are not always available.
- Unity: We gravitate toward people who we identify as being like us.
Here are some common examples of how these mechanisms can be exploited:
- Authority could be a spoofed email from the company CEO asking the CFO to wire money or make a financial transaction of some sort.
- Liking is often used to charm a customer service representative or receptionist – simply being nice, relatable, and courteous can often crack the door open for an exploit. Once the person likes you, they may feel obligated to answer a question they normally wouldn’t answer.
- Reciprocity has many forms; one of the easiest examples is providing your email and contact information in exchange for some “free” item, service, white paper, etc. This begins the pattern of data harvesting that hackers often use to gain insight about your organization, email formats, internal phone numbers, etc.
So, what can you do to combat social engineering? In my opinion, it starts with awareness and a little dash of paranoia. In these times, we need to constantly examine and question our interactions with people, websites, and social media to make sure we are engaging in a way that does not compromise information, access, or physical objects.
For cybersecurity tips related to your organization, contact a member of the ‘A’ Team today.