As we get better at securing our computer systems, we are discovering that the weakest line of defense is, in fact, the human being. Social engineering is the dark art of manipulating people. Social hackers might want access to a building, to get hold of information they aren’t supposed to have, or simply to increase their status in society.
Social hackers have been glorified in movies like Catch Me If You Can and Six Degrees of Separation, and the same charm that gives them the capabilities to manipulate victims can be turned to make them stars for an adulatory public.
Social hacking can come in many forms, such as telephone and email scams, deliberately exploitative marriages, or entire fake identities that are maintained over decades.
But how do they do this? And how can we protect ourselves from people who have a gift for getting everyone around them to drop their guard?
1) There is a lot of information about you on the internet
In a tactic called pretexting, the hacker will invent a pretext for contacting you, through phone or email or in person. Often this will mean doing tremendous research about your background, your education, your work, and even the devices you own. The attackers might surprise you with what seems like insider information, perhaps by knowing your IP address or university ID. They might leverage information that you offered voluntarily somewhere else on the internet, then forgot about.
Pretexting is often used to gain more information from a target and is sometimes phrased as “confirming” information. It can be used to trick the user into performing security sensitive tasks, such as downloading software, disabling firewalls, or bypassing security mechanisms.
Another tactic is a diversion technique. This is when an attacker convinces you to make a payment to another account, or send your shipment to a different address. Often enough this tactic is about diverting communications or encryption keys. Someone might call you, pretending to be the representative of a bank or email provider, then give you a helpful heads-up regarding a warning message. The person may tell you to “safely ignore” the warnings. Similarly, you may be asked to start communicating with someone “from a different department” or be given an alternative encryption key to use with your account.
2) You are a kind and honest person
Most people enjoy helping others in some way and do not suspect an attack behind every request. And of course we shouldn’t substitute our helpfulness with insufferable paranoia.
It is difficult to maintain a healthy balance, and often any signs of paranoia are met with ridicule.
We are less suspicious when good things happen to us. An expensive USB stick you find on the floor might turn out to contain malware, or the fluffy teddy bear sent to your office might contain a camera or tracking device. This tactic is known as baiting, and in extreme cases, the attackers may go so far as to say they’ve “fallen in love with you,” or offer grand prizes for competitions you don’t recall entering.
By not exercising caution and verifying the identity of people reaching out to us, attackers are able to establish authority over us. In a large organization it can be hard to know exactly who is higher up the chain of command, and new employees are particularly vulnerable to this type of scam. A corporation might be more susceptible to these kinds of attacks after management changes or restructuring.
Social hackers might even exploit your kindness much more bluntly, simply by asking for something. In a rough working environment, stressed employees often respond very positively to kind requests. In fact, most people will either respond to kindness or authority.
3) You reveal more about you than you think
You may not know whether you are the kind of person who responds better to authority or to kindness, but a skilled attacker might quickly find out by reading subtle signs in your facial expressions or hand gestures.
Victor Lustig, the master con artist who tricked a scrap metal dealer into believing he bought the Eiffel Tower, explains:
- Be a patient listener (it is this, not fast talking, that gets a con man his coups).
- Wait for the other person to reveal any political opinions, then agree with them.
- Let the other person reveal religious views, then have the same ones.
- Hint at sex talk, but don’t follow it up unless the other person shows a strong interest.
- Never discuss illness, unless some special concern is shown.
- Never pry into a person’s personal circumstances (the target will tell you all eventually).
- Never boast—just let your importance be quietly obvious.
More targeted and efficient can be a phishing attack. In its most common form, you receive an email from your bank with a request to log in to your account. But instead of being directed to your bank’s website, you are sent to an identical site owned by the attackers. This attack can even circumvent two-factor authentication. When the attackers try to log in to your real account, you may receive a text message with a security code from your bank. They will obtain this, simply by asking you to enter it on their fake site.
4) Your mind easily jumps to conclusions
We hate to admit when we don’t recognize people who claim to know us. Especially if they seem to know intimate details about ourselves. In fact we are much more likely to trick ourselves into thinking that we must know the person, rather than risk a confrontation to clarify the nature of our relationship. This is exploited in countless telephone scams, where people are tricked into believing their distant relatives are calling and are in need of financial help.
William Thompson, who lived in New York City in the 1840s, convinced random strangers not only that they knew him, but also that they could trust him with taking care of their valuable possessions. He quickly became known all over the country as “the confidence man.”
5) You are inclined to believe others are like you
You have no evil intentions, so why would others? It’s hard for us to imagine that sometimes seemingly ordinary people want to harm you.
You know about evil hackers, but they only attack nation-states and civil rights activists, right? Why would someone go through the effort of trying to hack you? You have no cases of money or trade secrets to steal. So why would people want to do you harm?
In reality, you and your data are probably a lot more valuable than you think, and you may already be under attack in one way or another. It may be an automated attack or it may just be a coincidence, but you are wise to not trust lucky coincidences blindly. Be wary of the sudden appearance of an old acquaintance or any strange request that comes over the phone.