There is so much psychology to technology. From UX/UI design to the so-old-it’s-a-meme Mac versus PC debate, human intuition informs many of our tech-related decisions. So it makes perfect sense that hackers capitalize on psychology as well. There are the usual hacking techniques that bring to mind the stereotypical hoodie-clad hacker breaking into a system. And then there’s social engineering, aka hacking as the art of psychological manipulation.
Social engineering is a broad term for hacking methods that focus on the people factor. Rather than probing systems remotely for digital weaknesses, malicious actors prey on human weakness. That fault could be greed, deferential treatment toward authority, or simple ignorance. Either way, social engineering techniques are so named because they play entirely to a social factor.
The best-known social engineering technique is phishing, along with its voice and text counterparts, vishing and smishing (aka voice phishing and SMS phishing). Be honest—if you see an email from your boss, do you actually check the full email address before responding or clicking on attachments?
If your inbox is set up to show the name of the sender rather than the address, it can be quite easy to fall for phishing attempts. Or perhaps the sender isn’t trying to hide their identity but play to the human affinity for greed and offer a quid pro quo or bait. The latter is best remembered in the Nigerian Prince scams, where you’d send money for a cut of their fortune when they got it. The former is common in vishing attacks that tell you your car warranty is expired or your social security number is compromised. You call back in a panic or follow the steps outlined thinking you get a service in return for giving your information. Instead, you’re phished.
It’s amazing what you can find at thrift stores. One security consultant picked up a Cisco shirt at a thrift store and used basic, public information about the area to break into a retail client’s site and system. All he had to do was put on the shirt and say he was there for technical support and the building was open to him. He was then able to let his team inside and they set up several malware-ridden USBs and got into the network. All because he had the right shirt and some simple information. Luckily for his client, this was just a penetration test, but it’s a stellar example of how easily hacks can happen away from a computer screen. It’s not exactly Ocean’s 11, but it’s equally dangerous for the company in question. Credentials matter for building and hardware access, not just for software logins!
Watch Rihanna pull off a very simple social engineering hack in Ocean’s 8—to a security firm no less!
Much like wearing an IT shirt and saying you’re there for technical support, people tend to believe you if you have enough authority in your voice. If you sound confident enough, nobody asks too many questions. We’ve detailed the various hacking methods used in the 2016 DNC hack: John Podesta deferred to Google’s authority and reset his password. Turns out it wasn’t Google emailing him but Russian hackers on a successful phishing ploy.
Think back to the last time you were locked out of a system and called support to reset your password. How much information did they ask for before going ahead with the reset, assuming you were who you said you were? Kevin Mitnick knows how easy it is to manipulate this scenario. Now a cybersecurity consultant, he was the world’s most wanted hacker back in the 90s. Consider him the Frank Abagnale of hacking.
Back in 1979, Mitnick called up a corporation and pretended to be a lead developer locked out of the system. He instantly got access. Another hacker did the same to the DoJ in 2016, playing the new employee confused by the system. You’d think we would be better at spotting social engineering attacks after so many decades.
The best you can do is educate. Invest time in security training that covers more than just the same basics you’ve seen in every module for a decade. Make it recurring to keep your employees sharp. Heck, even share phishing attempts when they’re caught as living examples for your employees. You may not have a hand in your security architecture specifically, but you can make a solid effort to quell human error before it happens.