Pick a Card, Any Card: Deception, the Human Mind and the Social Engineering Challenge
Even as the technology deployed by both cyberattackers and cybersecurity defenders grows more sophisticated and powerful, the central role of the human factor remains critical. The most effective way to break into a computer network is to trick a legitimate user into opening the door to let you in. The techniques used to achieve this trickery are known as social engineering.
These methods can range from the apparently simple and naive to the highly sophisticated, but they all rely on two basic, related facts about the human mind: We are very good at deception, and we are easily deceived. These traits come together to make us all too good at self-deception.
Deception Is a Daily Routine
According to Infosec Island, our capacity to deceive and be deceived is rooted in how the human mind processes the enormous amount of information that we encounter in daily life. On one hand, we are easily deceived because our brains rely on shortcuts to filter raw information, determine what is important and decide how to act on it. On the other hand, we become very adept at exploiting these same mental shortcuts to deceive other people from a very early age.
This deception is not just limited to malicious lying. Our social lives are full of so-called white lies, from thanking friends profusely for gifts we don’t actually like to giving the boss an overly flattering assessment of his or her latest project proposal. Social engineering draws on these same traits and skills.
The Three Principles of Deception
Nonmalicious deception, such as magic tricks practiced by stage performers, offers a useful window into how the human mind processes information and how it can be deceived. According to the Infosec Island article, these professional tricksters rely on the following three basic principles to mislead us:
- Misdirection or manipulation of our sphere of attention. A stage magician performs an action that catches our attention and directs it away from subtler actions that constitute the magic trick. As magicians say, the hand is quicker than the eye. Similarly, an email link containing an entertaining graphic, for example, could draw a phishing victim’s attention away from the identity of the sender.
- Influence and rapport. Put simply, we tend to trust people if they seem trustworthy. We trust those who, for example, share our opinions on anything from eating preferences to public affairs or make us feel as if we know them. The social engineering tactic known as spear phishing — making malware-laden emails look as though they came from a friend or colleague — exploits this characteristic.
- Framing and context. How we respond to information depends on the circumstances around it. For example, spear phishing attacks often generate false security alerts to frighten potential victims into complying with instructions such as “enter your username and password.”
Mitigating Modern Social Engineering Schemes
Because our ability to deceive includes self-deception, we are all too ready to trick ourselves. The classic Nigerian widow email scam of yore, though outwardly naive, exploited all of the above principles as well as self-deception. An offer of money is always an attention-grabber, distracting social engineering victims from wondering why the widow would make a monetary offer. The widow’s apparent generosity builds influence and rapport, and the surprise of hearing from someone in a distant country establishes the context of something special and unusual — a secret shared between “widow” and recipient. Finally, the elements of flattery and greed encourage us to fool ourselves into thinking that someone would really choose to send us all that money.
Modern social engineering techniques have moved far beyond these old-time scams. Spear phishing attackers can examine our social media profiles to gather names and details to make emails look legitimate. Fake security scams exploit our genuine fear of cyberattacks to trick us into leaving ourselves open to one. But by understanding how social engineering works, we can train our mental shortcut mechanisms to be more wary. Awareness of the power of deception is the first mental step toward fending off social engineering schemes.