How to Spot a Social Engineer
When thinking about cybersecurity and hackers, most people focus on the technological side of hacking where attackers take advantage of vulnerabilities in computer systems to gain unauthorized access. However, this is only one avenue for hackers to get what they want. Instead of focusing on weaknesses in computer systems, social engineers take advantage of susceptibility in human behavior and people’s default reactions to certain situations.
If you’ve ever gotten a scam call on your phone, you’ve been a target of a social engineer. Once you answer the phone, the caller will do anything that they can to keep you on the line and convince you to do whatever it is they want. Telemarketers are just another type of social engineer, trying to convince you to buy whatever they’re selling. Unfortunately, there are social engineers with more sinister motivations than the run-of-the-mill telemarketer.
The fact that social engineers take advantage of human biases and default reactions can make them difficult to spot. However, social engineers typically draw on a small set of recurring tactics, so being aware of these makes it easier to catch them in the act.
Social Engineering Techniques
One of the lessons that most people have built into them from childhood is a respect for authority. As a child, you’re expected to obey instructions from authority figures including parents, teachers, law enforcement, and often elders in general. As adults, this transforms into obeying those in positions of power at work, in government, and so on. As a result, many people instinctively obey a request that they believe comes from someone in a position of authority.
Social engineers know about this impulse to obey authority and take advantage of it to influence people. This typically comes in one of two forms. In the simpler form, the attacker drops the names of authority figures and either states that a request comes from that person or uses an implied relationship with the authority figure to give themselves an air of authority.
For example, a social engineer may say something like, “I was having lunch with Mr. Smith yesterday and he wanted me to put together a briefing for him. Could you give me a list of the company IT department employees so that I can get some data from them?”
By invoking the name of someone in authority and implying that they authorized a request, the social engineer gets access to a list of the employees who control the organization’s cybersecurity.
Have you ever heard the sayings “dress to impress” or “clothes make the man”? Many social engineers take these to heart. By dressing and acting like someone in authority, social engineers can make people believe that they have power. Sometimes a suit and tie and some confidence are all that a social engineer needs to get what they want.
Most of social engineering is about making an odd request seem reasonable. You wouldn’t give an employee roster to anyone who walked in off the street, but you probably would hand it right over if the requester was the CEO’s personal assistant, right? Some social engineers will go right out and say, “I know this is an odd request, but…”. By acknowledging the oddness of the request, social engineers both put themselves in sync with what their target may be thinking and set themselves up to give a reason why their request is perfectly reasonable under the circumstances. If a request seems odd, it’s probably best to verify that the requester is authorized to make it.
Promising a Callback
“I’ll call you” (says every first date ever). If someone on the phone refuses to leave a callback number and says that they’ll call you instead, it may be cause for suspicion. Spoofing a phone number during a call is fairly easy, making it possible for a social engineer to appear to be calling from a trusted phone number. However, if you try to call that number back later, it will go to the legitimate owner (who will have no idea what you’re talking about). Instead of trying to explain why you need to call them back on a different number, many social engineers will just promise to call back at a convenient time, allowing them to continue to pretend to be calling from their trusted number.
Humans have an instinctive desire not to be “in debt” to someone else. If someone does them a favor, they instinctively try to do something back to return to equal footing.
Social engineers take advantage of this instinct by playing both sides of the favors game. A social engineer may create or seek out a situation where they are able to do a favor for their target. While the target is feeling a sense of gratitude, they can make a request and have a higher chance of the person agreeing.
On the flip side, social engineers may also phrase a request in terms of their target doing a favor for them. This could appeal either to the target’s sense of kindness (helping someone in need) or greed (storing up a favor to be called in later). Either way, the target may be more likely to fulfill the social engineer’s request than if it was phrased as a straightforward appeal or demand.
In business situations, most people try to maintain an air of professionalism. This means that most people are unaccustomed to dealing with emotions in their business lives. This is another thing that social engineers take advantage of in both directions.
One tactic that a social engineer can use is to intentionally create a situation that puts the social engineer in visible distress or embarrassment. If the target witnesses a situation like that, they’re much more likely to take whatever actions are necessary to relieve that distress. Using emotion, social engineers can get past people’s mental defenses and get what they want.
On the flip side, social engineers can also create emotions in others to throw them off their guard. By creating a sense of urgency, fear, greed, or some other emotion, a social engineer can motivate others to do what they want.
Protecting Yourself Against Social Engineers
The most powerful tool that social engineers have at their disposal is ignorance. Social engineers take advantage of instinctive human behaviors and reactions to achieve their goals.
The best defense against social engineering is education and vigilant self-awareness. If your gut is telling you that something seems off or that you’re being manipulated, listen to it. If you’re faced with an unusual request or situation, consider whether it makes sense and check whether the requester is authorized to make the request. Taking the extra step to consider your actions and verify the legitimacy of requests can protect you and your organization against cyber attacks.
Sword & Shield offers a number of services to combat social engineering by testing and educating your team members. These include our social engineering services, our subscription-based phishing as a service, and security awareness training. Contact us today to start working on a customized package for your organization.