16 Apr 2019

Cyber security in the spotlight: how social engineers exploit human behaviour

Karabo Sekhoto

Digital content specialist, Investec

With social engineering on the rise, could your business’s reputation be at risk?

Get Focus insights straight to your inbox

Sending...

Please complete all required fields before sending.

Thank you

We look forward to sharing out of the ordinary insights with you

Sorry there seems to be a technical issue

Social engineering, the art of manipulating, influencing, or deceiving people to gain control over a computer system, presents a major threat to businesses. The practice relies upon using insider knowledge gathered prior to the attack in order to dupe an unsuspecting target into giving away vital information, such as passwords.     

 

Menny Barzilay, co-founder and CEO of cybersecurity firm FortyTwo Global, explains: “Social engineers target the weakest link in a business — employees. Hackers understand that it is far easier to fool an unsuspecting employee into handing over data than it is to hack a protected network. 

 

While there are many different types of social engineering, the practice is basically a “confidence trick” that encourages people to act against their best interests. It has been called the “art of human hacking”.  

“It’s much easier to trick someone into revealing a password than to hack the system itself. "

 

While there are many different types of social engineering scams, the goals of a hacker can usually be broken into five categories: knowledge, power, money, control, or even bragging rights. In the business world, they are often looking to commit fraud, industrial espionage or simply disrupt the system.

 

Due to the continuous growth of social media, the data gathering aspect of social engineering is getting easier. People are more willing than ever to share information about their lives and all it takes is five minutes of browsing for a hacker to gain a wealth of information about their target.

 

While there are many different types of social engineering, the practice is basically a “confidence trick” that encourages people to act against their best interests. It has been called the “art of human hacking”.  

Beware of crying babies

Barzilay sites an example seen at "DefCon", one of the world's largest hacking conferences. It highlights how psychological manipulation plays a key role in social engineering:

 

“Imagine you are a telephone operator,” he says. “A woman calls you with a crying baby and asks for access to her husband’s online account for his mobile telephone. She’s charming, stressed about the child and knows intimate details about the account holder.

 

"However, she is not registered on the account and there is no record he is even married.” 

 

The woman is (unsurprisingly) a hacker, but the ruse has worked. It might sound far-fetched — but this is “child’s play” when it comes to social engineering scams and there are countless stories online that prove its efficacy. 

 

To create a sense of urgency, the hacker plays an audio track of a crying baby during the call. She gives a fake national insurance number and some basic information about the husband drawn from social media, and the end result is that she is able to not only update the password but also gain sole access to the account. But why?

 

“When we see a woman with a crying baby, we erase everything we know about them,” Barzilay says. “She is not a doctor, scientist or criminal, but a mother with a baby. How could a criminal have a crying baby? It’s a natural instinct to dismiss the possibility that a criminal might have a family and children, so it’s easy to overlook the fact this person might be looking to dupe us.”

 

As smart devices become more prevalent, hackers will be able to steal huge quantities of personally identifiable information to then be used in increasingly sophisticated social engineering scams. Researchers at Ben-Gurion University in Israel analysed 16 different Internet of Things devices (defined as the interconnection via the internet of computing devices embedded in everyday objects) and found that even security-critical devices like smart cameras or doorbells were very easy to hack.

barzilay
Menny Barzilay, co-founder and CEO of Cyber security firm FortyTwo Global

Imagine a future when you receive a video call from your boss, using their voice. Would you ask them to confirm their identity or simply transfer the money?

With the advent of deepfake technology, the machine-learning system for swapping faces in videos, it’s only going to get worse.

 

Barzilay believes that social engineers will soon use deepfake technology in a process called CEO fraud. It’s a process in which a cybercriminal pretends to be a senior executive in order to get their “employees” to wire transfer money. According to the FBI, these attacks have increased by 2,370% since 2015 and cost businesses billions, even without deepfake technology.

 

Imagine a future when you receive a video call from your boss, using their voice. Would you ask them to confirm their identity or simply transfer the money?

 

Barzilay believes it will take a catastrophic event, such as a fake Warren Buffet shilling a stock for financial gain before the world truly wakes up to the issues surrounding deep fakes and social engineering. 

 

Social engineers also spend time studying speech patterns, body language and tone in order to dupe our senses — anything that gives an air of confidence. 

 

Why are we so gullible?

The short answer is human nature. A recent study from the University of Wisconsin-Madison found that the willingness to trust is actually built into our DNA. We’re naturally afraid of getting into trouble. These elements combined make it easy for social engineers to prey upon our weaknesses. 

 

Social engineers also spend time studying speech patterns, body language and tone in order to dupe our senses — anything that gives an air of confidence. Neuro-linguistic programming, the art of giving people subconscious suggestions, has also been used to great effect in social engineering. 

 

Another reason social engineering is so effective is that the individual is not as unique as we have been led to believe. 

 

“Our brain is like a computer programme,” Barzilay says. “The same input creates the same output. Imagine enemies on the different sides of the world who are watching the same movie. They laugh at the same time. They make the same wrong assumptions. And the movie was written by one person, alone, and yet they still knew exactly how audiences would react.”

 

It is not unfathomable that a cybercriminal could also write a scam in exactly the same way as a screenwriter and see the same cues work on employees all around the globe. 

 

What can we do?

Social engineering only works more effectively if the individual is ignorant about the tools and techniques employed in the process. So, to tackle the issue, Barzilay says businesses should educate their employees to be instinctively sceptical.

 

Barzilay says there are several things businesses can do for security:

  • Educate your staff: Most social engineering attacks involve actors pretending to be an internal employee or client. It's most important to verify claims before sending out sensitive information. One effective way to stop fraudulent payments is to require two staff members to authorise payments.

  • Identify your most valuable assets: Businesses often focus on protecting the wrong things. Security professionals can identify the assets criminals are most likely to target. 

  • Reject strange request for offers of help: If you receive a message from an unfamiliar business - delete it. Similarly, just because you recognise the name of a business, doesn't mean they're trustworthy. It's common for social engineers to pose as tech support.

  • Give employees a sense of security ownership: "The company has an IT department, so why should I worry about cybersecurity?" Cybersecurity is on occasion considered someone else's responsibility, whether at work or at home. This sentiment needs to be shifted through effective education.