Even as the technology deployed by both cyberattackers and cybersecurity defenders grows more sophisticated and powerful, the human factor remains central. Often the easiest way to break into a computer network is not to defeat its technical controls but to trick a legitimate user into opening the door for you. The techniques used to achieve this trickery are known as social engineering.

These methods range from the apparently simple and naive to the highly sophisticated, but they all rely on two basic, related facts about the human mind: we are very good at deceiving, and we are easily deceived. Together, these traits make us all too good at self-deception.

Deception Is a Daily Routine

According to Infosec Island, our capacity to deceive and be deceived is rooted in how the human mind processes the enormous amount of information that we encounter in daily life. On one hand, we are easily deceived because our brains rely on shortcuts to filter raw information, determine what is important and decide how to act on it. On the other hand, we become very adept at exploiting these same mental shortcuts to deceive other people from a very early age.

This deception is not just limited to malicious lying. Our social lives are full of so-called white lies, from thanking friends profusely for gifts we don’t actually like to giving the boss an overly flattering assessment of his or her latest project proposal. Social engineering draws on these same traits and skills.

The Three Principles of Deception

Nonmalicious deception, such as magic tricks practiced by stage performers, offers a useful window into how the human mind processes information and how it can be deceived. According to the Infosec Island article, these professional tricksters rely on the following three basic principles to mislead us:

  1. Misdirection, or manipulation of our sphere of attention. A stage magician performs an action that catches our attention and directs it away from the subtler actions that constitute the trick. As magicians say, the hand is quicker than the eye. Similarly, an email whose link carries an entertaining graphic can draw a phishing victim's attention toward the picture and away from the identity of the sender and the real destination of the link.
  2. Influence and rapport. Put simply, we tend to trust people who seem trustworthy: those who share our opinions on anything from food to public affairs, or who make us feel as if we already know them. Spear phishing, in which a targeted email is crafted to look as though it came from a friend or colleague and carries a malicious link or attachment, exploits this characteristic.
  3. Framing and context. How we respond to information depends on the circumstances around it. Phishing emails often frame themselves as security alerts, using the fear of an attack or a locked account to frighten the recipient into complying with instructions such as "enter your username and password."
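The three principles above map onto observable features of a phishing email: misdirection shows up as links whose visible text or graphic hides the real destination, rapport as a familiar display name on an unfamiliar address, and framing as security-scare language paired with a credential request. The following Python example, added here by the editor and not code from the original article or from Infosec Island, runs those three checks over a constructed message. The organisation domain `example.com`, the contact list `KNOWN_CONTACTS`, the phrase list and both sample emails are assumptions for illustration; the registrable-domain helper is a deliberate simplification that a production filter would replace with the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical trusted organisation and the contacts a recipient would recognise.
ORG_DOMAIN = "example.com"
KNOWN_CONTACTS = {"Alice Chen": "alice.chen@example.com"}

# Framing: phrases that pair a security scare with a request to act or log in.
FRAMING_PATTERNS = [
    r"security alert",
    r"account (?:will be|has been) (?:suspended|locked)",
    r"verify your (?:account|identity)",
    r"enter your (?:username|password)",
    r"within \d+ hours",
]


class LinkExtractor(HTMLParser):
    """Collects href, visible text and whether an <img> sits inside each <a>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._current = {"href": a.get("href", ""), "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    # Crude approximation: the last two labels. Real code uses the Public Suffix List.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(raw):
    """Return a list of findings, one per deception principle that fires."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Rapport: a familiar display name on an address that is not the one we know,
    # or a Reply-To that quietly redirects answers to a different domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if name in KNOWN_CONTACTS and KNOWN_CONTACTS[name].lower() != addr.lower():
        findings.append(f"rapport: display name '{name}' but address {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"rapport: Reply-To {reply} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Misdirection: the link's visible URL points somewhere other than its href,
    # or an image (the eye-catching graphic) is the whole link and leads off-site.
    parser = LinkExtractor()
    parser.feed(text)
    for link in parser.links:
        href_host = _host(link["href"])
        shown = re.search(r"https?://[^\s<]+", link["text"])
        shown_host = _host(shown.group(0)) if shown else ""
        if shown_host and _registrable(shown_host) != _registrable(href_host):
            findings.append(f"misdirection: shows {shown_host} but goes to {href_host}")
        if link["image"] and _registrable(href_host) != ORG_DOMAIN:
            findings.append(f"misdirection: image link leads to {href_host}")

    # Framing: several scare-plus-credential phrases together in one message.
    lowered = re.sub(r"<[^>]+>", " ", text).lower()
    hits = [p for p in FRAMING_PATTERNS if re.search(p, lowered)]
    if len(hits) >= 2:
        findings.append(f"framing: {len(hits)} pressure/credential phrases")
    return findings


# Constructed sample messages (not real traffic): one lure, one benign note.
SAMPLE_LURE = """From: Alice Chen <alice.chen@example-secure.net>
Reply-To: support@mail-recover.example.org
To: bob@example.com
Subject: Security alert: action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Bob, funny cat pic for you!</p>
<a href="http://login.example-secure.net/x"><img src="cid:cat"></a>
<p>Also, a SECURITY ALERT: your account will be suspended within 24 hours
unless you verify your identity. Enter your username and password at
<a href="http://login.example-secure.net/verify">https://sso.example.com/login</a>.</p>
</body></html>
"""

SAMPLE_BENIGN = """From: Alice Chen <alice.chen@example.com>
To: bob@example.com
Subject: Slides from today
Content-Type: text/plain; charset="utf-8"

Hi Bob, the slides are in the shared drive. Thanks, Alice
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LURE):
        print(line)
    print("benign:", triage(SAMPLE_BENIGN))
```

Each finding names the principle it corresponds to, which is the point of the exercise: a filter like this does not decide that a message is malicious, it surfaces the exact cues (hidden destination, borrowed name, manufactured urgency) that a trained reader should be checking by hand.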

Mitigating Modern Social Engineering Schemes

Because our ability to deceive includes self-deception, we are all too ready to trick ourselves. The classic Nigerian widow email scam of yore, though outwardly naive, exploited all three of the principles above along with self-deception. An offer of money is always an attention-grabber, distracting the victim from asking why the widow would make such an offer at all. The widow's apparent generosity builds influence and rapport, and the surprise of hearing from someone in a distant country establishes the context of something special and unusual: a secret shared between "widow" and recipient. Finally, flattery and greed encourage us to fool ourselves into believing that someone really would choose to send us all that money.

Modern social engineering techniques have moved far beyond these old-time scams. Spear phishing attackers mine our social media profiles for names, roles and details that make their emails look legitimate. Fake security alerts exploit our genuine fear of cyberattacks to trick us into leaving ourselves open to one. But by understanding how social engineering works, we can train our mental shortcuts to be more wary: to look at who actually sent a message and where its links actually lead before we react to what it shows us. Awareness of the power of deception is the first mental step toward fending off social engineering schemes.
