October 19, 2017 By Rick M Robinson 3 min read

Even as the technology deployed by both cyberattackers and cybersecurity defenders grows more sophisticated and powerful, the central role of the human factor remains critical. The most effective way to break into a computer network is to trick a legitimate user into opening the door to let you in. The techniques used to achieve this trickery are known as social engineering.

These methods can range from the apparently simple and naive to the highly sophisticated, but they all rely on two basic, related facts about the human mind: We are very good at deception, and we are easily deceived. These traits come together to make us all too good at self-deception.

Deception Is a Daily Routine

According to Infosec Island, our capacity to deceive and be deceived is rooted in how the human mind processes the enormous amount of information that we encounter in daily life. On one hand, we are easily deceived because our brains rely on shortcuts to filter raw information, determine what is important and decide how to act on it. On the other hand, we become very adept at exploiting these same mental shortcuts to deceive other people from a very early age.

This deception is not just limited to malicious lying. Our social lives are full of so-called white lies, from thanking friends profusely for gifts we don’t actually like to giving the boss an overly flattering assessment of his or her latest project proposal. Social engineering draws on these same traits and skills.

The Three Principles of Deception

Nonmalicious deception, such as magic tricks practiced by stage performers, offers a useful window into how the human mind processes information and how it can be deceived. According to the Infosec Island article, these professional tricksters rely on the following three basic principles to mislead us:

  1. Misdirection or manipulation of our sphere of attention. A stage magician performs an action that catches our attention and directs it away from subtler actions that constitute the magic trick. As magicians say, the hand is quicker than the eye. Similarly, an email link containing an entertaining graphic, for example, could draw a phishing victim’s attention away from the identity of the sender.
  2. Influence and rapport. Put simply, we tend to trust people if they seem trustworthy. We trust those who, for example, share our opinions on anything from eating preferences to public affairs or make us feel as if we know them. The social engineering tactic known as spear phishing — making malware-laden emails look as though they came from a friend or colleague — exploits this characteristic.
  3. Framing and context. How we respond to information depends on the circumstances around it. For example, spear phishing attacks often generate false security alerts to frighten potential victims into complying with instructions such as “enter your username and password.”
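
The three cues above are exactly the ones a defender can have a mail-triage script look for: a familiar name on an unfamiliar address (rapport), visible link text that differs from the real destination (misdirection), and alarm wording paired with a request for credentials (framing). The following is an added example, not code from the original article or from IBM; the contact directory, both sample messages and every domain in them are constructed, and the keyword lists and the "last two labels" domain heuristic are deliberate simplifications of what production tooling would do.

```python
"""Heuristic triage of a suspected phishing email.

Added illustration; not code from the original article. It flags the three
deception cues the article lists: a recognisable sender name whose address
is not the contact's known domain (rapport), link text pointing somewhere
other than its href (misdirection), and urgency plus credential wording
(framing). All contacts, domains and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory of known contacts: mailbox local-part -> expected domain.
KNOWN_CONTACTS = {"dana.ortiz": "corp.example"}

# Wording typical of false security alerts and of credential harvesting.
URGENCY_TERMS = ("urgent", "locked", "suspended", "immediately", "verify your account")
CREDENTIAL_TERMS = ("username and password", "enter your password", "confirm your credentials")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed sample messages (not real captures).
PHISHING_SAMPLE = """From: "Dana Ortiz (IT Security)" <dana.ortiz@mail-secure-alerts.example>
To: user@corp.example
Subject: URGENT: Security alert - verify your account now
Content-Type: text/html

<html><body>
<p>Your account will be locked in 24 hours.</p>
<p><a href="http://login.corp.example.attacker-host.example/verify">https://login.corp.example/verify</a></p>
<p>Enter your username and password to confirm.</p>
</body></html>
"""

BENIGN_SAMPLE = """From: "Dana Ortiz" <dana.ortiz@corp.example>
To: user@corp.example
Subject: Slides from today
Content-Type: text/plain

Hi, the slides from today's meeting are at https://wiki.corp.example/slides. Thanks!
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for a demo; real triage would consult the public suffix list."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message: str) -> dict:
    """Return {'findings': [...], 'score': n}, one finding per cue observed."""
    msg = message_from_string(raw_message)
    findings = []

    # Cue 2 (influence and rapport): a name we recognise on an address we don't.
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.partition("@")
    expected = KNOWN_CONTACTS.get(local.lower())
    if expected and domain.lower() != expected:
        findings.append(f"sender-mismatch: '{display}' <{addr}> is not at {expected}")

    # Collect the text of every non-multipart part (handles single- and multipart mail).
    parts = [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]
    body = "".join(b.decode(errors="replace") for b in parts if b)

    # Cue 1 (misdirection): the visible link text pulls the eye away from the
    # real destination in href. Only compared when the text itself looks like a URL.
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" not in shown:
            continue
        if registrable_domain(urlparse(href).netloc) != registrable_domain(urlparse(shown).netloc):
            findings.append(f"link-mismatch: shows {shown} but goes to {href}")

    # Cue 3 (framing and context): fear, then an instruction to hand over credentials.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        findings.append("urgency-framing: " + ", ".join(hits))
    creds = [t for t in CREDENTIAL_TERMS if t in haystack]
    if creds:
        findings.append("credential-request: " + ", ".join(creds))

    return {"findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyze(sample)
        print(f"{label}: score={result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone, the script reports four findings for the constructed phishing message and none for the benign one. The point of the contrast is that each heuristic is cheap on its own but weak; the score only becomes useful because the article's three cues tend to co-occur in a real lure, so a mail filter or a security-awareness exercise can weight their combination rather than any single keyword.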

Mitigating Modern Social Engineering Schemes

Because our ability to deceive includes self-deception, we are all too ready to trick ourselves. The classic Nigerian widow email scam of yore, though outwardly naive, exploited all of the above principles as well as self-deception. An offer of money is always an attention-grabber, distracting social engineering victims from wondering why the widow would make a monetary offer. The widow’s apparent generosity builds influence and rapport, and the surprise of hearing from someone in a distant country establishes the context of something special and unusual — a secret shared between “widow” and recipient. Finally, the elements of flattery and greed encourage us to fool ourselves into thinking that someone would really choose to send us all that money.

Modern social engineering techniques have moved far beyond these old-time scams. Spear phishing attackers can examine our social media profiles to gather names and details to make emails look legitimate. Fake security scams exploit our genuine fear of cyberattacks to trick us into leaving ourselves open to one. But by understanding how social engineering works, we can train our mental shortcut mechanisms to be more wary. Awareness of the power of deception is the first mental step toward fending off social engineering schemes.
