Don’t be a sheep among wolves. No one is invulnerable to social engineering—even security professionals.
Social engineering is a cruel psychological attack that preys on human nature, exploiting our innate desire to trust others. This dangerous cyber threat poses a potential risk to anyone, regardless of their technical prowess or status in society. Even the most vigilant, high-profile security professionals can fall victim to social engineering attempts. In fact, many of the most prolific and successful cyberattacks in history started with social engineering schemes.
Take, for example, the 2018 Twitter Breach, in which hackers gained access to accounts belonging to high-profile individuals such as Elon Musk, Jeff Bezos, and Barack Obama. The attackers used spear-phishing against Twitter employees, sending them convincing messages, to gain access to the targeted accounts. Those accounts were then used to tweet bitcoin scam messages that defrauded people of over $100,000.
Although it sounds like the plot of a 1990s hacker movie, it is just one of many social engineering schemes that have caused enormous disruption and financial loss. So, if even Elon Musk can be hurt, how can you or your business stay safe from this growing danger? Erica Ciko knows the answer: all you need is a little bit of “reverse psychology.”
Understanding Your Social Engineering Enemy is Painful but Necessary
To beat the social engineers at their own game, you need to get inside their twisted minds. You must understand how they operate, what motivates them, and what their weaknesses are. First and foremost, you need to think like the enemy to outsmart them.
So let’s perform a little thought experiment, shall we?
Imagine yourself as a cybercriminal, scouring the internet for easy prey. You’re looking for the weak, the gullible, and the unsuspecting. You manipulate them into giving up their personal information or downloading malicious software by playing on their fears and desires. You use social media to gather information about your unsuspecting targets. Finally, you create fake emails and websites that appeal to your prey’s interests and make cold contact with them.
In other words, as a social engineer, you use every trick in the book to get what you want.
But what if you could turn the tables on the social engineers? What if you could use their own tactics against them? Spending too much time inside the malicious mind of a social engineer is unappealing to most ethical hackers, but by thinking like a cybercriminal, you can anticipate their moves and outmaneuver them at every turn.
How to “Wear the Skin” of a Social Engineer and Learn Their Tactics
To understand the enemy, first you must re-evaluate the basic principles of social engineering. We all know that social engineers prey on the goodwill of others. Their methods are far-reaching and relentless, spanning everything from phishing emails and phone scams to fake job listings and physical impersonation.
A true social engineer has no issue damaging their victim’s livelihood, finances, or professional reputation. But why?
According to Erica Ciko, here are some of the most common motivations that drive social engineers to fine-tune their manipulative art:
- Stealing personal information for financial gain.
- Accessing sensitive corporate data (these social engineers are also known as “insider threats”).
- Gaining access to physical locations.
- Compromising network security to spread malware or viruses.
Whatever the goal, the attacker usually settles on it before making first contact, and social engineering is simply the means of reaching it.
Now that you know their motives, pretend you’re a social engineer targeting your home network, small business, or large organization. Think about what information you would want to obtain and how you would go about obtaining it.
A Thought Experiment of Social Engineering Used for Home Network Infiltration
This exercise will help you identify key weaknesses in your home network security and develop strategies to defend against them.
Picture yourself as a rogue hacker infiltrating a home network like a skilled spy on a mission. Your objective? To plunder the personal data of unsuspecting victims, from credit card information to social security numbers and any other juicy personally identifiable information (PII) that can be sold on the darknet. A successfully compromised home network can quickly become a launchpad for a full-scale cyber invasion, opening the door to the victim’s workplace, financial institution, and social media accounts.
By imagining yourself as a social engineer targeting a home network, sniffing for information on every device like a rat scrounging through a gutter, you can gain an enlightened new perspective on their tricks and schemes. Then, you can take proactive measures to guard against them and leave them in the dust.
Although this exercise focused on a home network invasion, you can repeat the experiment as many times as you want for different social engineering scenarios. And before you know it, you’ll understand that, at the end of the day, social engineers are simply humans who can be defeated and outsmarted like anyone else. And most importantly, you’ll know how to spot their wicked games and stop them before they start.
Recognize the Common Reasons Victims Fall for Social Engineers
Our exercise wouldn’t be complete without revisiting the scenario from the other side. Now that you know what it’s like to slip into the skin of an attacker, what about the victim? What motivates an innocent user to give in—sometimes with little to no resistance—to these criminals who perpetuate the dark art of manipulation with no remorse?
According to Erica Ciko, here are some of the most common reasons people fall for social engineers and their nefarious schemes:
Fear clouds judgment, and social engineers know how to use it to control people. People act on impulse when they are scared or feel insecure. Attackers also know that people are naturally curious and will often click on links or download files without considering the consequences. By exploiting these habits, social engineers can gain access to your computer systems or steal your personal information.
Greed is another strong feeling that social engineers use to get what they want. They promise their victims a big payoff or the chance of a lifetime to get them to let their guard down. A classic example is a victim being invited to interview for a job they don’t remember applying for. Most of the time, these jobs pay very well or seem too good to be true. Still, many people fall for these schemes because they want something right away and don’t stop to think about the consequences.
Trust is the next lever, and every social engineer spits in the face of the truth to pull it. They make up fake identities or impersonate well-known brands to win your trust and get you to hand over sensitive information. In some cases, they even form friendships or relationships with their victims that last for months or years. Catfishing schemes can cause serious emotional and financial harm to the person who falls for them.
Urgency is another tool that many social engineers can’t do without. They want their victims to feel pressured so they act quickly without thinking. They know that with enough prodding, people grow flustered and make rash decisions—and the worst decisions are often made under pressure.
In short, you can learn more about how social engineering works by thinking like both a victim and a threat actor. Consider how you could use what you’ve learned in these two exercises to get someone to reveal private information or do something that is not in their best interest. This will help you build a strong plan to protect yourself from social engineering attacks.
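The four levers above (fear, greed, trust, urgency) can be turned into a simple screening check. The following is an added example, not code from the original post: a heuristic scorer that flags a message when it pulls on two or more levers at once. The cue phrases and the sample messages are constructed for illustration; a real awareness tool would tune the phrase lists on the mail it actually sees.

```python
import re

# Cue phrases for each psychological lever. Constructed lists for
# illustration only; tune them on your own mail before relying on them.
LEVERS = {
    "fear": [r"account (?:will be|has been) (?:suspended|locked|closed)",
             r"unauthori[sz]ed (?:access|login)", r"legal action",
             r"security alert"],
    "greed": [r"you (?:have )?(?:won|been selected)",
              r"guaranteed (?:payout|income)", r"work from home",
              r"\$\s?\d[\d,]*\s?(?:per|a) (?:week|day|hour)"],
    "trust": [r"this is (?:the )?(?:it|help ?desk|support|hr) (?:team|department)",
              r"on behalf of", r"verify your identity"],
    "urgency": [r"within (?:the next )?\d+ (?:hours?|minutes?)",
                r"immediately", r"act now", r"today only",
                r"final (?:notice|warning)"],
}


def score_message(text: str) -> dict:
    """Return {lever: first matching cue} for every lever the message pulls."""
    lowered = text.lower()
    hits = {}
    for lever, patterns in LEVERS.items():
        for pat in patterns:
            m = re.search(pat, lowered)
            if m:
                hits[lever] = m.group(0)
                break  # one matching cue per lever is enough
    return hits


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag a message that combines at least `threshold` levers at once."""
    return len(score_message(text)) >= threshold


# Constructed sample messages (not real mail).
JOB_LURE = ("Congratulations, you have been selected for a remote data entry "
            "role paying $1,200 per week. Reply within 24 hours with your SSN "
            "and bank details to secure the position.")
ACCOUNT_LURE = ("Security alert from the IT help desk: unauthorized login "
                "detected. Your account will be suspended unless you verify "
                "your identity immediately at the link below.")
BENIGN = ("Hi team, the quarterly planning meeting moved to Thursday at 10am. "
          "Agenda attached; let me know if you cannot make it.")

if __name__ == "__main__":
    for label, msg in [("job", JOB_LURE), ("account", ACCOUNT_LURE), ("benign", BENIGN)]:
        print(label, is_suspicious(msg), score_message(msg))
```

A single lever on its own is a weak signal (legitimate mail is sometimes urgent); the combination of levers in one short message is what mirrors the manipulation pattern described above.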
Flip the Tables on Social Engineering Forever
Social engineering is a dangerous and always-present threat that isn’t going away anytime soon. But the best way to avoid social engineering is to be aware of it and learn about it. By understanding the psychology behind social engineering and promoting a “culture of awareness” at work and at home, you can protect yourself and your friends from these sneaky attacks.
Cybercriminals take advantage of people who are scared or desperate, so don’t give in to their plans. Remember what you’ve learned from our thought experiment and use it the next time a stranger contacts you online. In the end, if you stay up to date on social engineering techniques and know who your enemy is, you’ll be able to spot this cruel and common cybercrime and protect both your wallet and your reputation.