
The heart of Social Engineering

What is the heart of Social Engineering?

By tekvera. Published 11 months ago. Updated 11 months ago. 4 min read.

For our readers who are familiar with the term “Social Engineering,” when asked, “Why does it work?” what would you answer? Some would say, “because the technology used is advanced.” That’s true; many attackers use advanced software to create realistic emails. Others use this software to swap the faces of famous people and overlay them with their voices to make videos appear natural.

When it comes to emails, I have personally encountered emails that looked very real. The email was supposedly from LinkedIn, an invitation from a LinkedIn user to connect with the victims. When I looked at the email, it seemed very real. There are many ways to verify if it’s real. For example, users could open their LinkedIn app to confirm or log into their LinkedIn account to verify the invitation. However, not everyone would think about checking first.

Back to the example: when I looked at the email address, it looked real, especially the domain @linkedin.com; even the email content looked genuine. I copied the domain from the email address and pasted it into a notepad to make sure. As it turns out, the domain address was iinkedin.com.
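The manual check described above, comparing the sender's domain character by character against the real one, can be automated. This is an added example, not part of the original article; the allow-list, the table of confusable characters and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

TRUSTED = {"linkedin.com"}  # assumed allow-list of real sender domains
# Constructed, non-exhaustive table of visually confusable sequences.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

def skeleton(domain: str) -> str:
    """Collapse look-alikes so 'iinkedin.com' and 'linkedin.com' compare equal."""
    for src, dst in CONFUSABLE:
        domain = domain.replace(src, dst)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches dropped, added or swapped-in characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    domain = sender_domain(from_header)
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # Compare as many trailing labels as the trusted name has.
        tail = ".".join(domain.split(".")[-(t.count(".") + 1):])
        if skeleton(tail) == skeleton(t) or edit_distance(tail, t) <= 1:
            return "lookalike"
        if t in domain:  # trusted name buried inside another domain
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers; only iinkedin.com comes from the article.
    for h in ("LinkedIn <invitations@linkedin.com>",
              "LinkedIn <invitations@iinkedin.com>",
              "LinkedIn <invitations@linkdin.com>",
              "LinkedIn <no-reply@linkedin.com.login.example>",
              "Newsletter <news@example.org>"):
        print(f"{classify(h):10} {h}")
```

A "lookalike" verdict is a reason to quarantine or warn, while "unknown" only means the domain is not on the allow-list.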

That’s the technical side of Social Engineering. If users were unaware of Social Engineering techniques and did not undergo security awareness training, they would end up falling for it. That would be a viable answer to my question earlier. However, there’s another answer that I’m looking for.

Let’s try again from a different angle: the reasons why many victims fall for Social Engineering techniques.

Trust and Authority

People naturally trust those with authority or those close to them, like their boss or group members, only to find out that they are impostors.

Fear and Urgency

This technique involves scaring victims with urgent calls or emails, or even in person. Some people can’t reason clearly when stressed.

Reciprocity

Some people feel obliged when given gifts, even if they are complimentary. As a result, they give out information, sometimes sensitive information.

Social Proof

This is when people follow or wait to see what others will do and then do the same, like a mob mentality.

Taken together, these make up the psychological angle of Social Engineering. This is the very heart or core of Social Engineering. This is the answer I’m looking for.

So, how do we build a solution against Social Engineering, let’s say, our Psychological Defence?

Strategies for Psychological Defence

Education and Awareness

Understanding psychological tricks helps people recognize these scams when they encounter them. Regular training and awareness campaigns strengthen resistance to manipulation. Companies can implement cybersecurity awareness programs to train their employees. The outcome is that employees become more vigilant and can identify suspicious emails or calls, which reduces the success rate of Social Engineering attacks.

Critical Thinking and Skepticism

Make questioning and verification a habit. Develop a skeptical mindset — this serves as a firewall against manipulation attempts. For example, if you received an email from your bank urging you to click a link in the email, you would first check the source (legitimate email address, for example). If you are unsure, then contact your bank directly to verify. You don’t need to be overly tech-savvy to avoid such deceptions.

Emotional Intelligence

Learn to manage your emotions; it’s an effective way to combat manipulation. An example is when you receive a message or call from your boss demanding immediate access to a secure system; follow the proper protocols to verify your identity. Don’t worry about being scolded for not following their demands because it’s the protocol.

Collective Vigilance

An organization can create an internal forum where employees can share and discuss suspicious emails or requests. This reduces mistakes in judging whether an email or request is legitimate, because the decision no longer rests only on what one person sees without discussing it.

Simulated Attack Drills

Conduct regular simulated phishing attacks to train employees to recognize and report attempts. The outcome is heightened employee awareness of these kinds of attacks and a more resilient workforce: having experienced realistic attacks, employees know better how to be ready and respond appropriately.

Behavioural Analysis Tools

Use software to detect abnormal patterns, such as unusual login times. This helps recognize potential insider threats. Early detection of unusual behaviour allows rapid intervention, possibly averting a security breach.

Personalized Security Protocols

An example is using secret questions that are more personal than publicly available information, such as “Who was your first crush?” or “Your first honeymoon”; these are more effective than questions like “What is the name of your spouse?” The earlier examples are more effective (if you know what I mean XD) because the standard information used in these attacks is often publicly available, such as on Facebook.

Emphasizing Ethical Culture

Well-treated employees aligned with the company’s values are less likely to engage in harmful activities. For example, as an employer, if you create many rules regarding privacy, honesty, and integrity but break them in practice, it may foster hatred among employees and lead to insider threats from what are known as disgruntled employees.

At its core, Social Engineering is not a technological problem but a human one. As technology evolves, human nature remains susceptible to manipulation, especially without awareness of the psychology at play.

The solutions discussed here focus not just on technology but on strengthening awareness, critical thinking, emotional intelligence, and a culture of vigilance and ethics. By knowing how social engineers exploit people’s psychology, we can build a stronger defence against thieves like social engineers.

Stay safe online, everyone!

This story was originally published by me on Medium: https://medium.com/@tekvera/the-heart-of-social-engineering-9b2ccc1391f8


About the Creator

tekvera

I'm an aspiring cybersecurity specialist venturing into storytelling and writing as a way to express my thoughts and learn the art of writing.
