Recent Posts

Recent Blog Posts

The PhishLabs Blog

Brain-hacking: Why Social Engineering is so effective

Posted by Michael Tyler on Feb 19, '19

You are affected by social engineering tactics every day.

brain hackingOkay, let me explain. From an information security standpoint, Wikipedia says that social engineering is the psychological manipulation of people into performing actions or divulging confidential information[1]. That’s true, but social engineering isn’t limited to information security; it’s something we all experience, every day. In most cases, it’s not even malicious in nature. At its core, social engineering is the building and leveraging of influence in order to persuade others to act as you want them to. Or put another way, to get someone to make a decision that benefits you.

As part of a new series on the psychology of phishing attacks, we’re going to discuss why social engineering works and how it’s used and abused by others to subtly (or not so subtly) influence you. For our first article we’re taking a look at how decisions get made and the common ways in which people are influenced. First, we need to understand the basics, which will allow us to recognize them when they show up in clever new attacks.

Decisions, Decisions

When you break it down, we make a phenomenal number of decisions each day and we think about surprisingly few of them, let alone analyze them. In the 1980s, a behavioral psychologist by the name of Robert Cialdini proposed a concept called the Theory of Influence in his book Influence: The Psychology of Persuasion. His theory says that influence over others is created in seven major ways.

These principles of persuasion illustrate how we take shortcuts in our decision-making. There’s a cool video that illustrates these principles in more depth[2]. Making decisions is hard [citation needed] and we don’t have the time, energy, or patience to fully examine each decision before we act on it. So, we make shortcuts for ourselves, particularly when it comes to relating to others. Social Engineering takes advantage of those shortcuts. Let’s go over each one briefly.

 

 

Reciprocity

People don’t like to feel indebted to others. When we’re the recipient of a favor, we tend to try and repay it. The candy with your check at a restaurant has been shown to increase tips.[3] Companies offer up free content on their blogs in hopes of catching your interest and, hopefully, your business one day[4][5]. My favorite example is one Cialdini calls out in his book[6].

In 1985, Mexico City was hit by a massive earthquake, causing billions of dollars in damage and over 5000 deaths. Foreign aid poured in from across the world to help Mexico, but one country in particular stands out with a particularly unexpected donation. In 1985 Ethiopia was not in a position to be helping anyone. They were suffering from famine and drought. The total aid sent to Ethiopia in 1985 was around $1 billion. Yet, the Ethiopian Red Cross donated $5000 in aid to Mexico because, 50 years prior, Mexico came to Ethiopia’s aid when Italy invaded[7]. Mind. Blown.

Scarcity

People are more likely to want things that they believe are in limited supply, are exclusive, or that are not always available. This is the entire premise behind the McRib, the special limited time discounts on products you didn’t know you wanted, or the clearance sale that car dealerships seem to always have because they’re overstocked (apparently inventory management of automobiles is really tricky).

Authority

People don’t like being uncertain. We naturally look for and follow authority figures. The problem is that we have a broad definition of what constitutes an authority figure. Uniforms, for example. If we see someone in a white coat at a hospital, we tend to give their medical opinion more weight.

Liking

We listen to people who we like. This principle is why you used to see the attractive young woman sitting on top of a sports car in ads, why compliments can improve the odds of getting a favor, and why certain fast food chains have mouthy Twitter feeds.[8]

Commitment

People like to maintain consistent behavior. Because of this, a small action can lead to larger actions. Cialdini cites an example that I love; a study in which a random sample of people were called and asked how they would respond if asked to donate three hours of their time volunteering for the American Cancer Society. The researcher noted down which people said yes (most did. . . who wants to be the guy who bristles at the idea of volunteer work?) and called them back later requesting that they volunteer. The American Cancer Society saw a 700 percent increase in volunteers over their traditional efforts[9].

Consensus

People tend to do what they believe everyone around them is doing, particularly when they are unsure of what to do in the first place. If you walk into a crowded room, and everyone is staring at the ceiling what’s the first thing you’re going to do?

Unity

We gravitate toward people who we identify as being similar to us. This is where nationalism, the family bond, and Women’s March all originate from. It’s also why we like it when we share an interest with somebody; it’s something we have in common.

In practice, these principles are often used in combination, which is something we’ll see as we apply them to real world examples of social engineering tactics.

Our Greatest Strengths, Our Greatest Weaknesses

In his paper Psychological Based Social Engineering, Charles Lively outlines a framework of attack vectors that social engineering commonly leverages:[10] Careless, Comfort Zone, Helpful, and Fear. What Lively is hinting at, and where we’re going to spend our next four articles, is that there are fundamental facets of human behavior which attackers exploit using the influence techniques we’ve already covered. They are more than just attack vectors or bad behavior; they are part of who we are as people, and each has played a role in shaping today’s society. I’ve adapted Lively’s grouping into what I call the Four Natures.

Simple Nature: Humans tend to filter out information they perceive as unimportant

Assistive Nature: Humans tend to want to be helpful

Familiar Nature: Humans prefer, and let our guard down in, familiar circumstances

Emotional Nature: Humans tend to allow emotions to influence or overpower decision making

In our next article, we’re going to begin tackling the malicious use of social engineering and focus on the first of our Four Natures: the Simple Nature. To get the latest insights from our team and be the first to read the latest in the series, subscribe to our blog here.

References

[1] https://en.wikipedia.org/wiki/Social_engineering_(security)

[2] https://www.youtube.com/watch?v=cFdCzN7RYbw

[3] https://scholarship.sha.cornell.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1129&context=articles

[4] Citation: you’re reading this blog

[5] https://www.hubspot.com/marketing-statistics

[6] Cialdini, R. B. (2007). Influence: The psychology of persuasion

[7] https://apnews.com/b3e6e2feea40096907181b8c5ddabdfe

[8] https://twitter.com/wendys

[9] Cialdini, R. B. (2007). Influence: The psychology of persuasion

[10] Lively, C. E. (2003). Psychological Based Social Engineering

Topics: Psychology, social engineering

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all