Understanding the psychology of social engineering attacks
December 27, 2021 / Knowledge

Social engineering attacks are one of the most prevalent types of cyber threats. Social engineering techniques are behind 98% of all cyber attacks.

However, once you are able to recognize the schemes and understand the psychology of a criminal, you can protect your company from the majority of cyber risks out there. Let’s take a closer look at some examples and how to recognize them.

What are social engineering attacks?

Social engineering attacks are the type of cyber threat that relies on manipulating a person rather than a system. The goal is to deceive the victim into disclosing sensitive information or making a cybersecurity mistake.

Exploiting weak areas in human psychology is always easier than finding ways to break into complex software. In other words, you can have a bullet-proof security architecture and still suffer a cyber-attack – it only takes a single mistake by an uninformed or underprepared employee.

That is what makes social engineering attacks so successful.

What are the most common attacks?

Every social engineering attack uses slightly different methods of extracting information, so learn to recognize the type. The three most common attacks are these:

Phishing

Phishing is a scam used to steal sensitive personal (or enterprise) data. It is usually carried out via communication channels – email or text messages. In 2020, phishing became the most popular type of cybercrime.

Usually, the attacker masquerades as a trusted figure (a bank or a representative of another authoritative organization) and tricks a victim into clicking on a link or providing sensitive information.

Baiting

Baiting is a modern version of a Trojan Horse – the attack relies on a victim’s greed and curiosity. As the name implies, the user is promised or given something hard to refuse: a free book, course, film, etc. In return, he is asked to type sensitive data into a legitimate-looking website.

However, baiting attacks are not limited to the online world. USB drives infected with malware can also serve as bait, left in an office, parking lot, mailbox, or another place a victim is likely to notice them.

Pretexting

Pretexting is the social engineering attack that involves the most human interaction. In this attack, a scammer builds up trust and rapport (by impersonating an authoritative figure) so that you disclose private data.

Usually, the criminals call after they have gathered some information about you (name, surname, date of birth, workplace, etc.). This makes it easier for you to trust the caller and, hence, fall into the trap.

How do social engineering attacks work? Understanding the psychology of a criminal.

Although social engineering attacks slightly differ from one another, they all involve quite similar schemes of deception.

Investigation

Usually, all attacks of this type require at least some investigation by the criminal. The perpetrator has to know, for example, which bank you use in order to get your attention and trust with the email or the content of a call.

Lesson: do not trust someone just because the person knows something about you. Through the internet and social media, information about your personal and professional life is freely accessible to anybody.

Legitimate-looking trap

Whether it is a baiting website that offers you a free e-book download or a phishing email from a bank – the criminal will go to some effort to set up a trustworthy-looking bait.

Lesson: never trust anything at first glance. First, always look for self-evident hints – typos, grammar, or lexical mistakes. Also, hover over a link and see where it actually points (but never click on it). Then, double-check the sender of the email. If a person says he is a bank representative, ask additional questions. If in doubt, contact the bank through its official contact channels and ask whether the call was genuine.

Trigger words

Criminals know the words that help push a victim into giving away information. Usually, all social engineering attacks rely on urgency, scarcity, fear, a surprisingly good offer, and curiosity. Accordingly, attackers often create decision pressure – you have little time to think and must act immediately.

Lesson: pay careful attention and always scan for trigger words: urgent, limited, free, last offer, now, last chance, now or never, the last call, and others. If you notice any of those words – in an email, in a conversation, or elsewhere – become suspicious. Train your eye and ear to search for these words so that you start thinking critically.
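The two lessons above (hover over a link and compare where it really goes; scan for trigger words) can be turned into a simple triage script. The following Python is an added example, not part of the original post: the trigger phrases are the post's own list, while the lookalike-domain comparison, the "suspicious" threshold and the sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The post's own list of pressure words; matched as whole words, case-insensitive.
TRIGGER_WORDS = ["urgent", "limited", "free", "last offer", "now or never",
                 "last chance", "the last call", "now"]

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_trigger_words(text):
    """Every trigger phrase from the post's list that occurs in text, in list order."""
    return [w for w in TRIGGER_WORDS if re.search(r"\b%s\b" % re.escape(w), text, re.I)]

def find_link_mismatches(html):
    """The 'hover before you click' check: links whose visible text names a domain that
    the href does not lead to (nor to a subdomain of it). Returns (shown, actual) pairs."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        # A domain written out in the visible text; scheme and leading "www." skipped.
        m = re.search(r"(?:https?://)?(?:www\.)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        shown = m.group(1).lower() if m else ""
        actual = (urlparse(href).hostname or "").lower().removeprefix("www.")
        if shown and actual != shown and not actual.endswith("." + shown):
            out.append((shown, actual))  # e.g. examplebank.example vs examp1e-bank.example
    return out

def triage(subject, html):
    """Both checks over one message; 'suspicious' is a constructed example threshold."""
    words = find_trigger_words(subject + " " + re.sub(r"<[^>]+>", " ", html))
    links = find_link_mismatches(html)
    return {"trigger_words": words, "link_mismatches": links,
            "suspicious": bool(links) or len(words) >= 2}
```

A link whose text reads examplebank.example but whose href goes to login.examp1e-bank.example is reported, while a genuine subdomain of the named domain is not.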

Lastly, take other precautions to protect your digital data:

  • always use two-factor authentication where possible,
  • do not leave your belongings unattended in public places,
  • use antivirus software.

If there is a single rule to take away that will help protect you from becoming a victim of social engineering attacks, it is this:

Do not trust anything and anyone just because it seems trustworthy.

Every criminal seeks to build trust. Be sure not to grant it from the first moment.