Hacking as portrayed in movies often features a socially awkward man thrashing away at a keyboard in a poorly lit basement, as computers flicker among chaotically arranged cables.
In reality, this is far from the truth. Our natural distrust of computing systems has led us to engineer them in a way that allows humans to override security functions, or have control way beyond what is necessary.
Organizations, especially large and well-established ones, have struggled to fully incorporate the computer into their workflow. As a result, many critical operations are still overseen by people. This makes it unattractive for attackers to target the machine, as the machine can be overruled. Hackers, therefore, will go for the leader of the operation: the human.
Hackers who wish to manipulate people require extensive knowledge of social engineering. These manipulators, or ‘social engineers’, might be after a variety of different things. It’s likely a hacker targeting people is only interested in increasing their quality of life – be it through a free flight upgrade, or perhaps a complimentary dessert at the diner.
There are some, however, who might be after your private information, or they may seek access to accounts you control.
Social engineers may work together as part of a criminal gang in order to complete large scale hacks, such as a Business Email Compromise.
A Business Email Compromise is a tactic that often involves no compromise of any computer system, but relies primarily on heavy research and social engineering.
A group of social engineers will work together to trick employees into making wire transfers to foreign bank accounts. Between October, 2013 and August, 2015, the FBI reported 7,066 US victims of this scam – with an overall loss of almost 750 million USD.
Understanding the tools at the disposal of a social engineer and how these tools target our psyche can help us counter such attacks.
Research: There is more information about you online than you think
A social engineer will do thorough research before speaking with you. We often forget how much information exists about us online, be it information released by our government (such as voting records) or information released by ourselves (LinkedIn, Facebook, Twitter, etc.).
Having confidential information about you will allow a social engineer to trick you into believing they are authorized to gather more information from you. The attacker may even use the information to pose as a representative from a company you deal with. The information the attacker has might come from a variety of public sources, or even be obtained by literally digging through your trash.
Pretexting: Making up a reason to talk to you
Armed with your name, address, and account number with the local telecommunications company (information that can easily be found in your trash), an attacker can easily create a pretext to call you. It could be in the guise of an annual inspection, or perhaps a follow-up to an earlier call.
After asserting themselves as a legitimate representative of the telecommunications provider, the attacker can ask for more information, or even get you to run some compromised software on your computer. Whatever the attacker’s end goal is, having a pretext to call you is like getting a foot into the door – often literally.
Elicitation: We tell strangers a lot more about us than we probably should
Elicitation is the technique of gathering information from people by interviewing them. Often the interviewer has a specific goal in mind, and the interviewee is unaware they are being interviewed.
To elicit means to gather data and the term is used in anthropology, sociology, consultancy, and many other fields. Elicitation is used by intelligence agencies as part of their “Human Intelligence” or HUMINT programs.
Elicitation requires research and may involve pretexting. The social engineer will likely ask intelligent open questions that trigger a response from the interviewee. The answers to these questions will show what the interviewee is thinking and what they care about. An attacker may even ascertain the interviewee’s sense of humor.
There are neutral questions designed to calm down the interview subject and make them more comfortable with the situation. Questions such as “how is the weather?”, and “stuck in traffic again?” are designed to calm and lead to a topic of interest, such as: “the boss is leaving for a big trip tomorrow, right?”
The goal is to gather as much information as possible. This might be very specific information, such as passwords, or more vague information, like whether the company has a dedicated cyber crime specialist.
Asserting Authority Or Appealing To Kindness
Not every individual is equally receptive to claims of either authority or kindness – but most people are receptive to one of the approaches.
Elicitation is used to read the target’s character and ascertain whether an attacker should approach the target with an authoritative or kindly approach.
Appealing to Authority
An attacker will pose as someone in a position of authority. This persona might be an existing authority within the company that is being subjected to the attack, or a trusted one from outside the company. Emails from fake law enforcement agencies or calls from courts fall under the latter category.
To appeal to a (false) authority can be particularly successful in organizations that rely on authority themselves. Failure to implement strong counter-measures for instances in which this authority can be abused could lead to an attack. Organizations also often rely on hiring individuals susceptible to control by authorities, as they are deemed loyal and controllable.
Appealing to Kindness
Other individuals and organizations are easier to influence through kindness. It is natural for us to be influenced by things that we like. A social engineer will try to exploit this instinct. If the attacker has elicited sufficient information in an interview, it is easy for them to create a character that has the charm and attributes that will make us go out of our way to help them.
This attack can be irksome to defend against, because being nice and helpful is not something we want to sanction people for. It is, however, important to make clear what information may be shared and who has access to which documents, rooms, or funds.
Diversion: Sending Things Where They Don’t Belong
Diversion might refer to the diversion of emails, packages, or money transfers. Diversion might be the intention of the hack or it might just be a means to a goal.
An attempt to divert might be a phone call asking to change the contact details of a client. Or it could come in the form of an email from a private address of a colleague, in which documents are requested.
It can be difficult to assess the true identities of those behind emails and phone calls, but it’s important to have steps in place that allow you to verify the identities behind non-face-to-face communications, perhaps by setting up secure channels.
Baiting: Not Everything You Find Was Lost
Given how computers work and what they defend against, malicious programs are far easier to execute when run from a CD-ROM or USB stick. Instead of delivering viruses and trojans via the internet, the tactic of baiting often relies on physical storage mediums.
Humans are curious beings. If we find a USB stick left by our car or desk, we might want to plug it into our computer to see what’s on it. This is obviously a bad idea, but drives with malware can also come in the mail, personally addressed to you – so it’s important to remain vigilant.
Phishing: Just Because Your Key Fits Doesn’t Mean You’re At The Right Door
We all know that passwords are supposed to be kept secret. On the other hand we have to type them into websites all the time. A phishing attack comes in the form of an email or link that directs you to a website that looks legitimate, but in reality impersonates another website that will attempt to harvest our passwords and other private details.
We always need to be aware of the passwords we are using, and double-check we are entering them on the correct sites. Password managers can help with this.
Phishing attacks are not just limited to emails, they can also come via phone calls or even in person.
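The reason a password manager helps here is that it binds a credential to an origin (scheme plus host) and refuses to fill anywhere else. The following is an added example, not code from the original article or from any real password manager; the vault contents and hostnames are constructed, and the homoglyph table is a deliberately small illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical): each credential is keyed by its
# origin (scheme, host), the way browser password managers store entries.
VAULT = {
    ("https", "login.example-bank.com"): {"user": "alice", "password": "placeholder"},
}

# Tiny homoglyph map used only to explain a mismatch to the user.
HOMOGLYPHS = str.maketrans("01", "ol")


def origin_of(url: str):
    """Return (scheme, host) for a URL, or None if either part is missing."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    return (parts.scheme.lower(), parts.hostname.lower())


def autofill_decision(url: str):
    """Decide whether the stored credential may be filled on the page at url.

    Returns (fill, reason). Only an exact scheme+host match fills: a plain
    http:// page, a lookalike host, or a host that merely embeds the real
    name all fail. A manager that stays silent on a familiar-looking login
    page is therefore itself a phishing signal worth acting on.
    """
    origin = origin_of(url)
    if origin is None:
        return False, "unparseable URL"
    scheme, host = origin
    if scheme != "https":
        return False, "refused: page is not served over HTTPS"
    if origin in VAULT:
        return True, "exact origin match"
    # Give the user a concrete reason when the visited host resembles, or
    # embeds, a host we do hold a credential for.
    for (_, real_host) in VAULT:
        if real_host in host or host.translate(HOMOGLYPHS) == real_host.translate(HOMOGLYPHS):
            return False, f"lookalike host {host}; stored credential is for {real_host}"
    return False, "no credential stored for this origin"
```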
Playing With Your Associations: Did They Really Say That?
Our brains often take shortcuts, and usually this works fine. When we’re on the phone we take cues from a person’s voice, their words, the time of the call, and the setting to determine what is happening and who we are talking to. When something goes wrong, it is usually only a small embarrassment at best.
However, this characteristic of our brain can be specifically exploited. Using the right setting and ambiguity we can be tricked into thinking we are speaking to someone who we are not. For example, an attacker might mimic someone you are less familiar with, such as a long lost friend or a work colleague from around the globe.
When authenticating people we might also fall victim to hearing answers where there are none. Using the ‘mumbling’ technique, an attacker will simply mumble something instead of clearly stating their credentials, in the hope that we will let it pass.
This might lead us to reveal information to attackers that we would not usually reveal, or give someone access to a place they shouldn’t be. Especially in professional situations, we shouldn’t be embarrassed to ask who is on the phone and exactly what is being asked from us. Don’t be afraid to ask for credentials, even from a boss.
Impulsiveness: Don’t Make Decisions Under Pressure
We don’t always make good decisions under pressure. An attacker could create a false sense of urgency or scarcity, together with suggestive questions, to trick us into making the wrong decision.
Security procedures, in particular, should not be skipped during times of emergency. If a security procedure does not make sense in a certain situation, then it might need revision in the future. It is almost always better to follow an existing security procedure and later blame it for failing to fix a problem than to blame ourselves for failing to follow standing security procedures.
The same is true of the impulsiveness and fear inside all of us. Take a step back to review an extraordinary situation. Is it too good, or too bad, to be true? What steps are usually necessary in this instance? Who else can be consulted? Can it wait for a second opinion?
As hacking does not always involve computers, computer knowledge alone does not prevent you from getting hacked. Security requires a holistic approach that includes not just the IT infrastructure, but every individual who has access to sensitive information, funds, or physical premises.
Keep yourself informed about the tactics used in attacks and be aware of what you share and who you share it with.
Arthur Baxter is an Operations Network Analyst at ExpressVPN, a leading privacy advocate whose core mission is to make it easy for everyone to use the Internet with security, privacy, and freedom. They offer 100+ VPN server locations in 78 countries.