* Greed. Defined as an intense and selfish desire for something, especially wealth or power.
In the case of greed-exploitative campaigns, these routinely offer a reward, usually monetary, for performing a specific action. A classic example is what is commonly referred to as the “419 Nigerian scam,” which earned its name from cybercriminals who, claiming by phone or email to be a Nigerian official or agency, promise a handsome reward in exchange for a small action or even a small sum of money, so long as the target eventually shares their bank account information in order to receive the reward.
In 2013, a Nigerian scam victim from Australia spoke out at the AusCERT Conference, and revealed she was swindled out of $300,000 over the course of four years. As the saying goes, money is the root of all evil – and in the case of phishing campaigns, letting greed outweigh one’s better judgement can prove this to be true to the utmost degree.
* Helpfulness. Defined as a willingness to help other people.
Not all cybercriminals take advantage of negative human tendencies in order to carry out social engineering campaigns. In fact, the fourth behavior commonly exploited is a willingness to help out another person or group. These campaigns are often targeted at customer support or customer service departments, as attackers are betting these employees’ propensity to lend a hand and keep people happy will encourage them to divulge or accept more information than they should.
Take the Amazon.com customer service backdoor recently disclosed on Medium, for example. In this case, a hacker targeted a shopper’s Amazon account and, with nothing more than a name, an email address and an incorrect mailing address, was able to get the account “verified” in an online chat with customer support. Through a series of calculated questions, the hacker then obtained the target’s correct personal information, ultimately gained access to the shopper’s credit card information and made a purchase via the shopper’s Amazon account. The customer support reps were simply doing their job, but the hacker in question knew just how to use their helpfulness against them.
In an enterprise setting, as with many aspects of security, a large part of defending against social engineering comes down to setting policies and educating employees. Insider threats are arguably the most common and dangerous threat to an organization’s defense, with recent research revealing internal actors responsible for 43% of data breaches – half of which are accidental and non-malicious.
It’s not only important that IT and security leaders understand hackers’ evolving tactics, but also that they continuously adjust policies and share their knowledge by educating their colleagues and training them to be vigilant against nefarious activity. For example, employees need to be taught to take a step back when they receive, say, a suspicious email or instant message, and to consider what emotion the message is trying to elicit and how that might indicate foul play. While it may be obvious to you as an IT professional that an unexpected email provoking an urgent emotional or behavioral response, such as fear, obedience, greed or helpfulness, is an automatic red flag, the average employee likely does not see it that way.