Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Executive Networks Media editors.
While technological know-how certainly plays a large role in enabling attackers to hack any given system, corporation or individual, what often is overlooked is that some tricks of the trade, like social engineering, are also psychological games. That means that protecting and defending against these kinds of attacks is, in turn, part mental as well.
It’s important for IT professionals to understand the ways in which social engineers take advantage of human emotion in order to carry out their attacks. Let’s examine the four human emotions and behaviors hackers most commonly exploit as part of a social engineering campaign, the distinct campaign characteristics for each manipulated emotion, and some key considerations for better positioning your employees and your organization against falling prey to these types of attacks in the future.
* Fear. Defined as an unpleasant emotion caused by the belief that someone or something is dangerous, likely to cause pain or a threat.
As one of our most powerful motivators, fear is arguably the most commonly manipulated emotion when it comes to social engineering campaigns. Whether in the form of a phony email that your online bank account has been compromised and requires a password change, or an urgent bank security notice, these scams leverage a specific threat to the targeted recipient or group of recipients, which forces them to act quickly to avoid or rectify a dangerous or painful situation.
As an example, cybercriminals recently took advantage of tax season by gathering information stolen from the IRS to call and threaten U.S. residents filing for taxes. After getting hold of victims on the phone, the attackers would immediately become aggressive, threatening immediate police action if money was not wired to a fake IRS account to rectify a tax irregularity.
* Obedience. Defined as complying with an order, request or law or submission to another's authority.
Social engineering scams that prey on obedience are often disguised as an email, instant message or even a phone call or voicemail from a person or group of superior authority, such as law enforcement or an executive at one’s company. Because we’re taught from a young age to trust authorities, we are not conditioned to question the validity of their correspondence and tend to comply with their instructions, requests and guidance.
But when it comes to phishing campaigns, innate authoritative trust can have some serious consequences. Just ask toy maker giant Mattel, which nearly coughed up $3 million to a cybercriminal who disguised himself as the company’s CEO in an email to a finance executive with instructions to approve a payment to a vendor in China. While this particular scam had a happy ending for Mattel, as Chinese authorities were able to help restore the funds, it’s a hard lesson learned on the power of authority and obedience when it comes to phishing attacks.
Sign up for CIO Asia eNewsletters.