Ruslan Rakhmetov, Security Vision
News about citizens defrauded by fraudsters appears with frightening frequency: people disclose their passwords and SMS codes to attackers, lose their savings, take out loans, and commit acts of vandalism under the influence of various psychological manipulations. At the same time, the tricks and techniques of attackers are well known, and banks, mass media, government services and law enforcement agencies regularly remind the public of them. Nevertheless, the number of fraud victims does not decrease - neither public-service advertising nor the anti-fraud systems of financial institutions help.
Often the victim realises what has happened only after losing all their money or committing an offence on the attackers' instructions - many people describe their state at the time of the attack as a kind of hypnosis in which critical and rational thinking seemed to be switched off. The psychological manipulation and neuro-linguistic programming techniques employed by modern cyber attackers are well known to experts in cognitive and social psychology. In fact, the only innovation of digital fraudsters is the use of modern means of communication with victims (email, messengers, video calls); the basis of social engineering attacks remains the same - the cognitive distortions and social attitudes inherent in many people, which we discuss in this publication. To understand the characteristics of social engineering attacks, we will look at some psychological characteristics of attackers and victims, analyse the technical methods used by attackers, and provide recommendations for protection.
So, cyberfraudsters, like other criminals, may have violent or self-serving motives: in the first case, attackers derive satisfaction from causing the victim suffering; in the second, they deliberately choose criminal ‘earnings’. In terms of psychological characteristics, cyberfraudsters may exhibit psychopathic personality traits such as a lack of empathy for victims, a tendency to lie, and an inability to feel remorse. According to some psychologists, a characteristic feature of psychopaths is a reduced capacity for empathy (compassion), which is regulated by a special brain system of mirror neurons; in addition, it is assumed that psychopaths can consciously control this feeling.
The use of modern means of communication (‘virtualisation’ and remoteness from the victim) and work in a criminal group (thousands of ‘callers’ work in fraudulent call-centres) not only give fraudsters a false sense of their own safety and unreachability for retribution, but also mitigate the possible negative emotions of committing a crime: according to the results of Stanley Milgram's famous psychological experiments, the attacker's remoteness from the victim and hierarchical subordination to the ‘head’ of the call-centre reduce the level of possible moral and emotional distress. In addition, fraudsters continuously improve their skills: they learn to ‘read’ the victim (cold and hot reading methods), improvise, speak in a confident tone of voice and use specific vocabulary appropriate to the chosen model of deception (‘bank security service’, ‘police’, ‘mobile operator’, etc.). As a result, we get a portrait of a typical fraudster: the ability to understand people (including by voice alone or by photos and posts from social networks), a well-trained tongue, a tendency to lie, unscrupulousness and cynicism, and the perception of their fraud as ‘work’. In addition, cybercriminals and fraudsters have no remorse and believe that the people they defrauded are themselves to blame for what happened because of their gullibility and suggestibility.
Victims of digital fraud and cyberattacks using social engineering methods range from pensioners and housewives to civil servants and even members of law enforcement agencies. It can be argued that no one is immune to a social engineering attack: even the most attentive and prepared person may be too tired or busy at the time of the attack, be inattentive, or succumb to the attackers' tricks. Let us consider the basic social attitudes and cognitive distortions that are common to many people and are exploited by attackers.
Social attitudes are patterns of human thinking and behaviour that are formed through life experience under the pressure of society, which dictates the norms of socially expected and approved behaviour. On the one hand, social attitudes allow the formation of a set of uniform rules of behaviour and interaction in society, which improves its stability; on the other hand, they develop social ‘acquired reflexes’, which attackers exploit for their own purposes. For example, such attitudes include:
- Trust in people in uniform and business clothes - doctors, police officers, bank clerks;
- Trust in those who should have a better understanding of a specific issue - employees of government organisations, tech support specialists;
- Obedience to managers and civil servants, especially if callers introduce themselves as ‘big bosses’ and show ‘certificates’ and ‘official documents’;
- Striving for politeness - answering incoming calls, not hanging up first, not asking for the caller's title and name;
- Striving to be law-abiding - unconditional compliance with the instructions of those who present themselves as law enforcement officials;
- Striving to be consistent in actions and decisions - having started to ‘cooperate’ with those who introduced themselves, for example, as police officers, a person will find it awkward to abruptly change their line of behaviour and refuse further communication with them.
Cognitive distortions are deviations from rational thinking, perception and behaviour that the human mind resorts to automatically in cases of information overload, lack of knowledge, the need to react quickly, and the limitations and peculiarities of memory. To date, psychologists have identified more than 100 types of cognitive distortions, but attackers actively exploit only some of them:
1. Framing effect: the form in which information is presented influences its perception. For example, scammers who lure people into a pyramid scheme with promises of fabulous profits talk only about the winnings and present them as a guaranteed result, but do not mention the associated risks.
2. Priming effect: a person interprets new information depending on previously received information. For example, if a person receives a phone call from someone on behalf of their direct supervisor warning that a ‘police officer’ will soon contact them, the victim will expect this call and become less critical of the fraudsters' further instructions.
3. Confirmation bias (the tendency to confirm one's own point of view): if a person is convinced of something, they will interpret incoming information in favour of their conviction, disregarding contradictions. For example, if fraudsters have led the victim to believe that there are ‘spies’ among bank employees who will prevent them from transferring their money to a ‘safe account’, then when interacting with real bank employees the person will not listen to their warnings, believing that they are preventing them from ‘saving’ their savings.
4. Rosenthal effect (Pygmalion effect, self-fulfilling prophecy): the expectation of an event sets a person up for behaviour that leads to the realisation of this expectation. For example, various fortune-telling, esoteric and astrological practices form a person's expectation that a ‘prophecy’ will come true in the future, so they change their behaviour already now in such a way that these ‘predictions’ really start to come true.
5. Barnum effect (Forer effect, subjective validation effect): people rate highly the accuracy of a rather general description of a person that was ostensibly created specifically for them. For example, horoscopes and fortune-tellers give a person a fairly general description of character traits that are common to most people, so they have a higher statistical probability of matching expectations.
6. Concorde effect (escalation of commitment, irrational reinforcement effect): a person remains faithful to their past behaviour and follows decisions made earlier, even if it becomes obvious that they were wrong and do not lead to success. For example, fraudsters may insist on transferring more and more money to ‘safe accounts’ and push the victim to commit offences (vandalism, hooliganism), justifying each new demand by saying that ‘there is only a little bit left’ and soon all their promises will be fulfilled. The victim may reason that since so much has already been done (all savings, loans taken out, and money from the urgent sale of a flat have been transferred to the swindlers), the remaining demands must be fulfilled in order to finally ‘finish the job’.
Of course, in addition to social attitudes and cognitive distortions, attackers exploit a lot of features of the human psyche - we have already written about this earlier.
Attackers use various methods of obtaining initial information about the victim, which helps them to present social proof and gain trust: for example, if the caller introduces himself not just as a ‘police officer’ but as a district commissioner for the area where the victim really lives, the probability of successful implementation of the fraud increases. Methods of obtaining information about the victim can be:
- Cold reading method: determination of approximate age, sex, financial status, psychotype of a person by appearance, voice, manner of conversation;
- Hot reading method: determination of approximate age, gender, financial status, psychotype of a person by the content of posts in social networks, published photos, correspondence in mail and messenger (if they have been previously compromised on the sender's or recipient's side);
- OSINT (Open Source Intelligence): gathering information about the victim from publicly available sources, such as the official website of the employing company, searching the Internet and government web services by name and phone number, analysing social media pages, identifying business and family connections, and analysing published photographs. Illegal databases, which are often formed on the basis of large personal data leaks, can also be used, as well as ‘piercing’ services available on the Darknet, i.e. obtaining information about the victim through insiders in banks and telecom operators. Deep OSINT analysis of the victim is usually used by motivated, advanced cybercriminals - simple fraudsters only need to obtain some fragmentary information about the victim, for example, by hot reading.
The following methods can be used to defend against attacks by fraudsters and cybercriminals using social engineering techniques:
1. Increase your knowledge of the tactics and techniques of attackers, the psychological manipulations they employ, and the sources of information they use about potential victims.
2. Educate employees, colleagues, relatives and acquaintances: tell them about the methods and tricks of attackers and about the probable sources of information that can be used in social engineering attacks. It is important to explain that vigilance is never excessive, especially in the current environment of a sharp increase in the number of frauds: for example, it would be neither impolite nor excessive to call your manager back if you receive strange information or a call from them - by doing so you emphasise your responsibility and prevent possible fraud committed on behalf of your boss.
3. Develop a default distrust of all incoming information - calls, messages, emails. It is important to realise that the displayed phone number can be spoofed, the sender's email account can be hacked and used to write from, and voice and video images can be generated using deepfake technology.
4. Develop critical and rational thinking, and be guided not by the opinions and emotions of others but by independently verified facts and your own understanding of phenomena.
5. Form a plan of action in case of a probable social engineering attack: discuss with colleagues and relatives how to check incoming information, agree on backup communication methods (in case the usual channel is unavailable), agree on code words (a pre-selected word used to confirm the authenticity of the caller's identity), and write down the phone numbers of banks, government agencies and the police.
Finally, we can recommend the following reading list for a deeper dive into the subject area:
- Daniel Kahneman - ‘Thinking, Fast and Slow’ (in the Russian-language edition the title is translated as ‘Think Slow... Decide Fast’);
- David Myers - ‘Social Psychology’;
- David Rock - ‘The Brain. Instructions for Use’;
- Robert Cialdini - ‘The Psychology of Influence’;
- Paul Ekman - ‘The Psychology of Lying’.