Social Engineering Principles
Most hackers are very socially aware. They are good at steering conversations and getting people to reveal information. Many stereotypes depict hackers as nerdy guys in a dark room click-clacking away on a keyboard. While some hackers might fit this stereotype, many are actually very good at talking to people. These hackers are charismatic and skilled at conning people, which is essentially what social engineering is.
Social engineering encompasses a wide range of techniques, known as attack principles. These are essentially different ways hackers trick their targets using social engineering. These attack principles can be used in any type of social engineering attack, whether it’s a regular phishing attack with email, a vishing attack (voice phishing), or an in-person conversation.
The effectiveness of a social engineering attack depends on the skill of the hacker. We are all familiar with phone scammers, who apply these attack principles in a very unskilled way. Skilled hackers can use the same techniques to fool even seasoned security professionals.
Authority or Intimidation
Attackers use this attack principle by claiming to be a person in a leadership role. They will then use this role to intimidate their target into performing an action.
This technique is often used in phishing attacks. Attackers will call individuals and claim they’re from the IRS or the FBI. “Hey, we’re from the IRS. We’ve detected fraudulent activity within your tax records. Can you please confirm your social security number with us?” They’ll try to sound convincing, as if they’re from the IRS on official business. They might say, “Oh, I’m from the IRS. This is my agent number, six two eight eight seven four. My name’s Mr. Smith and I am representing your case. We’ve detected fraudulent activity on your account. I just need you to verify your social security number with me and some basic information.”
Using this fake authority, the hacker will then attempt to intimidate the target into revealing information.
Consensus
Consensus is when a hacker claims that an action is normal or generally accepted within the context of the attack.
Attackers could use this technique when their target is skeptical. “Hey, this is Chuck from IT. I need you to email these files to me. We’re doing this big server install and I need some information from you.” Perhaps the target doesn’t quite buy the attacker’s story.
So the attacker might say, “Oh, well Karen emailed me those same files last week. So I don’t know why it’s a problem for you.”
Urgency
Urgency is when an attacker claims that something is going to exist only for a limited time.
Scams like this are common with Bitcoin. For example, “We can double your Bitcoin if you donate to this site, but only if you do it within the next 24 hours, otherwise the offer will be gone.” The urgency principle might make people panic a little bit. It might make them think, “Oh, I’ve got to get on this right now, or else I will miss out!”
Scarcity
Scarcity is similar to urgency, but the attacker claims that there is a limited supply rather than a limited time.
The target is pressured to make a decision or risk missing out on the offer because only a limited number is available. With Bitcoin, the attacker might claim that “the next 50 people to donate Bitcoin will have their Bitcoin doubled.” Since there are only 50 slots available, the idea is that the targets are pressured into a decision.
Familiarity and Trust
This is where an attacker takes advantage of a target by introducing something familiar to that target. Oftentimes this is something that the target likes or supports.
For example, attackers might claim that they represent the target’s favorite charity.
This technique is often used in spear phishing attacks, where the attacker has done more research on the target.
Cyberkraft Security+ Course
This video is part of the Security+ Course.