115 reads New Story

You Can Hack People, Too: The Art of Social Engineering

by The Daily MuckAugust 13th, 2024

Too Long; Didn't Read

The perpetrator of a social engineering scam is an expert in human nature. Social engineering works because we are victims of our own desires to be liked, respected and viewed as competent. Playing on these aspects of human nature enables a scammer to engineer risky behavior even when a network member knows they are doing something wrong.

featured image - You Can Hack People, Too: The Art of Social Engineering

People have been hacking devices forever. But humans have been hacking each other for even longer.

From phone phreaking to ransomware, most technical exploitations are quickly discovered and interdicted.

Your employees might be your company’s greatest strength, but they are also your network’s greatest vulnerability.

The perpetrator of a social engineering scam is an expert in human nature, using it to coax a target into revealing sensitive information. They might accomplish this through promises of friendship or romance or by misrepresenting themselves as someone with legitimate access to the information in question. That information could be anything from network protocols to your employees’ personally identifying information (PII) and, of course, passwords.

As technical network security has become more robust, many of the latest hacks rely on at least one element of social engineering, which has long been a feature of telemarketing scams, especially those targeting the elderly.

Employees may provide information to someone who successfully misrepresents themselves as a senior manager or IT department employee, a practice known as blagging. And not just companies are vulnerable to this kind of attack– so are the most secret government institutions, as demonstrated by the blagging-enabled hacking of a British intelligence officer’s laptop in 2012.

The Facts and Figures

One popular statistic floating around the Internet is that social engineering is responsible for 98% of cyberattacks. I wasn’t able to independently verify this “fact,” but anecdotally, social engineering is responsible for enabling an outsized number of attacks.

It’s also one of the network protection techniques that employees receive the least amount of training on. In fact, Bitdefender, a network security company, found that the majority of employees receive no social engineering awareness training, which undoubtedly contributes to the continued prevalence of network penetrations.

Social engineering works because we are victims of our own desires to be liked, respected and viewed as competent. Playing on these aspects of human nature enables a scammer to engineer risky behavior even when a network member knows they are doing something wrong.

Added to that, we, as humans, consistently overestimate our ability to spot liars.

The actual chance of us being able to correctly deduce if someone is lying is only about 50%-- the same probability that a flipped coin will land heads or tails, according to the American Psychological Association.

What Should Companies Do?

Network owners must prioritize including social engineering awareness in network security programs. That training should be conducted at least monthly, according to Defendify, which provides such training.

When hiring network security trainers, companies should seek those that include regular social engineering awareness in their programs. For companies that develop their own training, social engineering should represent a key pillar with ongoing refreshers to reinforce the importance of not falling victim to social engineering techniques.