Social engineering was the topic of the fifth meetup of the Cyber Security Essentials training program. The meetup was held online, which suits the subject pretty well – after all, we encounter a lot of social engineering attempts in the form of phishing and other online scams. This time, the instructors of this free training program organized by Future Female and HelSec were Victor Sant'Anna from Nixu and Riku Juurikko from Elisa. It turned out that social engineering online is super easy. If you learn it too, you'll have better chances of detecting scams.
A deep dive into social engineering
The meetup started with Riku explaining the basics of social engineering. In short, social engineering means influencing and manipulating people into making decisions or acting in a way that they usually would not. This manipulation can come in many shapes and sizes:
- tickling people's curiosity so they open a document that sounds interesting,
- offering excitement in the form of free awards or good bargains, or
- creating a sense of urgency that forces them to act now and pay that bill.
Using people's desire to help and the tendency to trust others can make it easier to trespass or tailgate someone into a building.
Social engineering takes advantage of the following traits of human behavior:
- The tendency to return a favor – you got a gift or someone's trust, how can you now say no?
- Desire to be helpful – maybe they will help you later.
- The tendency to trust – most people are friendly. It's especially easy to trust people who like similar things as you. The feeling of belonging together due to shared beliefs or values can increase trust.
- Curiosity – getting something to gossip about or knowing more than others.
- Appealing to your ego – you have won, you are the one. Compliments, praise, and exclusiveness work, too.
- Appealing to authority – better do what the CEO or the inspector says.
- Appealing to the majority and social acceptance – 9/10 people are doing this, why aren't you?
- Fear of losing – if you don't order now, they'll run out of stock.
- Fear of shame – maybe this person on the internet does have embarrassing pictures of me.
- Laziness – it's nice to get something for free, and it can be too troublesome to check the facts.
- The tendency toward commitment – it's easier to stick with something familiar and keep doing it. Social engineers exploit this by first asking you for a small favor and then proceeding to bigger things.
Many online social engineering attempts target a broad audience because there's a good chance that someone will fall for the hoax. A very successful social engineer knows their victim well and uses that information to make a targeted attempt. Everybody has a weak spot, and open-source intelligence is a powerful way of gathering data about the target.
It's good to note that social engineering online is not only limited to phishing, CEO fraud, malware delivery emails, and subscription traps. Fake news and spreading disinformation are also ways of manipulating human behavior.
Riku also shared many examples of using social engineering in red teaming exercises that attempted to gain physical access to the target organization. You can read more about red teaming on our blog.
Inside the attacker's mind
The motivation behind social engineering ranges from a political agenda to showing off skills, but most cybercriminals are after money. Victor had the course try being an attacker in practice. At first, the participants brainstormed how to use all the principles of persuasion to swindle James Bond. Our smart social engineers would serve free martinis, give a discount on new Aston Martins, offer gadgets by Q, or impersonate M or fellow agents. They would probably succeed as well, considering the cleverness of those plans.
After warming up, the course practiced their open-source intelligence skills by digging out information from the Facebook and LinkedIn profiles of two imaginary persons. These profiles, which had been set up for exercise purposes, revealed an alarming amount of personal information. The participants were quick to develop ingenious schemes to make these persons like and trust them, and eventually to use them to get confidential company information. It turned out that social engineering can be quite straightforward.
If you learn social engineering tricks yourself, you have more chances of detecting when someone attempts to social engineer you!
Want to learn more about social engineering?
Learning social engineering can be quite eye-opening. You can download our free social engineering card game, hACME, and start practicing. You'll need at least two participants: one will be an attacker and the other a victim. The game also works perfectly well in an online setup.
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.