Social engineering sounds nice, and in some contexts, it is. Social engineering can mean shaping the development and behavior of a community. But in my industry, social engineering refers to the techniques a hacker will use to manipulate and deceive their victims.
But before I explore this topic further, I want to talk about one common trait that plays right into a scammer’s hands — overconfidence. When you read this blog, it might be easy to assume that you’re too smart to fall for any of these tactics. But everyone can have a careless moment, especially when we’re tired or in a rush. And our own overconfidence can get us into a lot of trouble.
The Psychological Principles Behind Social Engineering
Advanced scammers will try to use your brain against you in many different ways, but these are the psychological principles they rely on most often. They aren’t the only ones, either. You’ll find that a few marketers with questionable ethics will also use some of these tactics to try to get you to buy something you don’t need.
1. Favoring Reciprocity/Quid Pro Quo
Ever felt compelled to give something to a charity because they gave you some pre-printed address labels? That’s pretty harmless. But scammers will also use your natural desire to return kindness by offering something like a discount or some useful information to try to pressure you to do something for them.
It may be something that seems harmless, like revealing the make and model of your first car. But connect the dots — that’s a common password retrieval question.
2. Complying With Authority
When someone calls your home posing as local law enforcement, you’re probably going to have a stronger urge to comply with their wishes. Scammers know this, which is why they’ll use your tendency to comply against you.
Besides law enforcement officials, here are a few other authority figures that scammers will sometimes try to impersonate:
- Your boss or grand boss
- An IT professional
- The IRS
- A fraud investigator at your bank (ironically)
3. Valuing Social Proof
You’re more likely to do something if you think other people are doing it or have already done it. Marketers understand that when they say four out of five dentists recommend a certain brand of toothpaste, you’re more likely to try it. Of course, in marketing, they have rules around the claims they make. But scammers don’t play by the rules.
In order to get you to do something, a scammer might try to convince you that your coworker has already taken the action they want you to take, so you should do the same.
4. Fearing Scarcity
This urge is so strong we even have a cute acronym for it: FOMO (fear of missing out).
When you believe that a great opportunity is going, going, gone, you’re more likely to act impulsively. Marketers use this to get you to buy things you don’t need — and shopping channels are especially notorious for trying to create a sense of scarcity in order to drive up their numbers. But scammers do this to get you to give them access to your account or data.
5. Trusting Friends and Familiarity
What are you more likely to trust — an online review or a recommendation from a friend?
Word of mouth is great, but some mouths are more influential than others. People we’ve built close relationships with have far more influence over us than strangers do. So scammers will often try to strike a more friend-like tone, build up a relationship over time, or pose as someone you already know and like in order to get you to do something. This form of social engineering attack is often called pretexting.
6. Wanting To Appear Consistent
There are plenty of ways this tendency works in our favor. We all want to be people of our word and feel like our decisions are rooted in logic.
Scammers understand that only too well. So they’ll often try to get you to agree to something — typically something that at first seems simple and insignificant. Then, they’ll start escalating their requests little by little, hoping you’ll feel pressured to follow through on your earlier “commitment.”
7. Avoiding Fear and Anxiety
Humans don’t always make good decisions when they’re stressed and anxious. Fear and anxiety are also unpleasant feelings — feelings that we’d like to go away as soon as possible.
That’s a dangerous combination and one that scammers will frequently use. They’ll often fabricate a scary situation like your bank account being hacked, to get you to act quickly and without thinking it through.
8. Being Curious
Human beings are naturally curious, which is why we wrap our presents. It’s also why some marketers will offer a discount code that you have to click or scratch to reveal.
Scammers will often try to use that too, like sending you a message with a cryptic phrase, such as, “Are you in this video?” They might also promise you something enticing but somewhat vague, and all you have to do is open an attachment or click a link.
How To Protect Your Business Against Social Engineering Attacks
Many social engineering attacks prey on our natural tendencies to be nice and accommodating and to avoid embarrassment. So businesses need to flip the script and make sure that their employees understand that a healthy dose of skepticism — and even reluctance to comply with a firm request — will be welcome and rewarded. Employees also do better at recognizing social engineering at play in phishing attacks and other common scams when they know what to look for. Here’s how to make that happen.
Provide Regular Security Awareness Training
When your employees know what to look for and get regular reminders, scammers have a much harder time getting them to do what they want.
Case in point — since you’ve read this far, I believe the next time you are asked for the name of your first-grade teacher (another common password retrieval question) you’ll instantly be on your guard. That’s good. But scammers change up their tactics from time to time, and everyone has careless moments.
Therefore, a good security awareness training program should include:
- Ongoing education on the most common types of scams and tactics currently being used
- A refresher on your email, internet, social media, password, and privacy policies and why they’re important
- Threat recognition and response training
- Regular vulnerability testing, including simulated phishing attacks
Establish and Maintain Clear Security Policies
Make sure you have clear directions available for how you’d like your employees to handle sensitive information, how your office handles on-site visitors, and how your staff should safeguard entrances to your physical office.
A Note About Preventing Tailgating in Office Environments
For example, if your employees are supposed to swipe a badge in order to access your business — or certain portions of it — any tailgating (when an unauthorized person follows an authorized person through a door or access control system) is a no-no.
That means no holding important security doors open — even in an effort to be nice — and no propping them open for the sake of convenience.
Use Multifactor Authentication and Other Cybersecurity Tools
Even with regular training, a certain percentage of your staff will still be vulnerable to advanced phishing techniques. That’s why using multifactor authentication (MFA) is so important — it can prevent 99.9% of attacks.
In addition to MFA, modern email filtering tools can help reduce the number of scams that reach your employees, but it’s important not to rely on them completely. Scammers are constantly finding ways to sneak past them.
Because no single tool or solution can prevent everything, more and more businesses are adding additional layers of security to their online systems. That way, even in the worst-case scenario, where an intruder gets access to your systems and data, they can only see and access so much. The damage will be contained.
Create a Culture of Security
Adopting an anti-tailgating policy will not help much if your executives don’t follow it. A culture of security has to be created from the top down, and that means managers and executives need to model secure behavior.
When an employee reports suspicious activity or questions an odd request coming via email, for example, they should be rewarded for that, even if the request or activity ultimately turns out to be legitimate.
Limit Publicly Available Information
Scammers can often pull enough information from what’s available online to impersonate an employee or a vendor. Most organizations will need to have a robust online presence, but resist the temptation to overshare.
Implement Strong Verification Procedures
Limit who can make financial transactions, and have procedures in place to verify the legitimacy of any wire transfer or sensitive data requests before they are fulfilled.
Keep Your Incident Response Plan Up to Date
If you haven’t already, put together a thorough incident response plan (IRP), and put it to the test at least once a year.
Vet Your Vendors
If someone can easily hack into a vendor’s email system, they can send fraudulent invoices, wire transfer requests, and malicious links from a trusted email account. So if you use MFA, but your vendors don’t, it’s time to reconsider the relationship.
Everyone who has access to your facilities, infrastructure, or data is a potential risk to your organization, which is why vendor due diligence is non-negotiable in 2024.
Get Expert Help Countering Phishing, Quid Pro Quo, Pretexting Attacks and More
When used correctly, AI has been a huge time-saver for many businesses, but it has also been a boon for cybercriminals. The spelling errors and sloppy grammar that were once reliable indicators of a scam in progress are now largely gone. But other indicators have taken their place.
If you need to update your awareness training and user authentication tools, we specialize in making training engaging and effective, and reducing the frustration associated with using MFA. Spoiler alert — it doesn’t have to be frustrating or a constant drag on your productivity.