Human hacking
“Hi, is this John?” “Yes!” “My name is Martinez, I am calling from the DOJ... currently there is an indictment out against you... you sent money to xxx... they're involved with a terrorist group... we're making sure you are not involved... we'll refer you to our lawyers...” and on and on it goes. This is just a snapshot of the kind of introduction I have heard social engineers recite, built on a name, number and address they have already gained. Many people readily submit to the sound of their own personally identifiable information (PII) coupled with a well-organized conversation built on urgency, authority, consensus or other techniques that push them to act against their own interests. Many have suffered, incurring losses never to be regained and making mistakes never to be corrected.
Social engineering attacks are so effective that 98% of cybercrimes rely on the technique, according to Purplesec.com. Cybercriminals use it in many subtle ways to carry out all kinds of impersonation. Put simply, it preys on the unaware by stirring hasty, reactive behavior, and it is built on one or more well-known tactical principles.
Authority : An engineer will usually try to sell the idea that they hold a position of power or represent an organization that does. This immediately comes across to the potential victim as commanding, and they feel intimidated into acting outside normal procedure to avoid any possible repercussions for disobedience. How would you react to an email or a call that seems to come from a superior telling you to do something immediately? Unfortunately, many yield without question.
Urgency : A social engineer also tries to gain information or access by manipulating individuals or staff into acting on a sense of urgency. This need not involve the authority principle; it is used to stress that action must be taken immediately in order not to miss out on something, usually framed as resolving legal issues, fake emergencies and the like. Staff may encounter this in the form of technicians or other contract personnel who say they must do certain installations, checks, etc. right now, or they won't be back for days or weeks. For instance, an employee may feel they have missed a piece of information about visits or maintenance with a service provider. They may be more willing to accept the unverified claims if the engineer hurries them along with technical jargon and the prospect of huge impacts to essential services needed for daily operation (phone, internet, etc.). Surely nobody wants to be at fault for missing a memo, right?
Familiarity : Social engineers do not always use their cunning to create anxiety; they also engage in conversations to create false bonds. They strategically build feigned connections by referencing hobbies or interests, and this often proves fruitful, as many people feel pressured to show loyalty to those they consider friends. Because familiarity also rests on trust, attackers usually get ahead when users bypass protocols in the name of doing favors.
Scarcity : Social engineers also like to convince the unwary that something is limited and must be secured ASAP. This principle also emphasizes a time constraint on seemingly 'once in a lifetime' deals that are clearly fictitious. However, the idea of finally getting that thing you always wanted may be all you feel you need to know. This 'buying into it' approach usually sees victims losing far more critical information or money in the end.
Consensus : Creating a sense of consensus is among the most effective techniques, if not the most effective, because it feels like a normal conversation. A threat actor can express a generally nice, harmless and complimentary attitude toward their intended targets. There simply seems to be no hostile intent in view. They usually proceed to excite and charm their intended victims by making them the center of attention. Because validation matters to many people, attackers use this to stir impulsive actions and hasty agreements against privacy, security and integrity.
Intimidation : Users may also be induced to act unethically when human hackers resort to more extreme measures such as issuing threats. This may be combined with the authority tactic: a target may be shouted at, put on a guilt trip, threatened or even blackmailed. Victims are generally left feeling compelled, frightened or unsafe. The manipulation drives them to do whatever seems best in the moment.
Cybercriminals are usually strategic when hunting for information; such reconnaissance is typically carried out through calls, emails, social media and personal visits. Some of the notable forms in which the principles above are combined are phishing, tailgating, impersonation, dumpster diving, shoulder surfing and hoaxes.
Phishing usually appears as a request that seems to have merit, ranging up to convincing replicas of internal documents or external communications from reputable organizations such as banks, schools, etc. The intent is to direct the unsuspecting to illegitimate websites announcing that passwords or other personally identifiable information must be updated or confirmed. Unbeknownst to them, they are entering these values and giving up critical information.

Phishing can be considered one of the most versatile forms of reconnaissance and attack, as it is used to target high-profile individuals (whaling), specific organizations or groups via email (spear phishing), text messages (smishing) and voice calls over the internet (vishing). Vishing is known to be very effective because it allows communication in real time while giving attackers the ability to spoof their calls. Other common tactics include flooding users with junk email (spam), sending instant messages on social media platforms (spim, spam over instant messaging), or luring users to dangerous websites through common misspellings (URL hijacking / typosquatting, e.g. Gooogle, googel). A potential victim may also download corrupted free software or plug in hardware (e.g. USB drives) found in public places (baiting).

Some social engineers are known for slipping into secure areas by tailgating or piggybacking on others through checkpoints. This can be as simple as a kind gesture such as holding a door, gate or elevator, or lending an access card, which gives an unauthorized person access to a point of entry. Tailgating refers to someone being completely unaware of being followed, while piggybacking involves some form of acquaintance between those granting and receiving access.

Attackers do not limit themselves to these methods; they may also create false situations or emergencies (hoaxes). For example, a fire alarm may be pulled to create panic, opening up access to many areas while reducing suspicion and attention.
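The typosquatting examples above (Gooogle, googel) can be caught mechanically before a user ever reaches the lookalike site. The following Python script is an added example written for this article, not code from the original author; the trusted-domain list, the homoglyph table and the sample URLs are constructed assumptions. It reduces each URL to its registrable domain, then flags names that sit within a small edit distance of a trusted domain, or that collapse to the same string once doubled letters and digit-for-letter substitutions are undone.

```python
"""Flag lookalike (typosquatted) domains in a list of URLs.

Added example for this article; not the author's code. The trusted-domain
list, homoglyph table and sample URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed list of domains the organization considers legitimate.
TRUSTED_DOMAINS = {"google.com", "paypal.com", "example-bank.com"}

# Substitutions commonly used to mimic a letter (assumption: a small
# illustrative table, not an exhaustive confusables list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, lowercased.

    Assumption: two-label public suffixes such as .co.uk are out of scope;
    a real deployment would consult the Public Suffix List.
    """
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Undo homoglyph tricks and collapse repeated letters (gooogle -> gogle)."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    collapsed = []
    for ch in label:
        if not collapsed or collapsed[-1] != ch:
            collapsed.append(ch)
    return "".join(collapsed)


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ("trusted", domain), ("lookalike", imitated_domain) or ("unknown", None)."""
    if domain in trusted:
        return "trusted", domain
    name = domain.rsplit(".", 1)[0]          # "gooogle" from "gooogle.com"
    for t in sorted(trusted):                # sorted for a deterministic match
        tname = t.rsplit(".", 1)[0]
        if normalize_label(name) == normalize_label(tname):
            return "lookalike", t
        if levenshtein(name, tname) <= max_distance:
            return "lookalike", t
    return "unknown", None


def scan_urls(urls):
    """Classify each URL; returns a list of (url, verdict, imitated_domain)."""
    return [(u, *classify_domain(registrable_domain(u))) for u in urls]


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    sample = [
        "https://accounts.google.com/signin",
        "http://login.gooogle.com/reset",
        "http://googel.com/verify",
        "https://secure.paypa1.com/update",
        "https://en.wikipedia.org/wiki/Phishing",
    ]
    for url, verdict, imitated in scan_urls(sample):
        print(f"{verdict:9s} {url}" + (f"  (imitates {imitated})" if imitated and verdict != "trusted" else ""))
```

The two checks complement each other: edit distance catches dropped, swapped or extra characters, while normalization catches substitutions that happen to be several edits apart. Keep `max_distance` small; with short brand names a distance of 2 already produces false positives against unrelated legitimate domains, so in practice a verdict of "lookalike" should feed a review queue or a user warning rather than an automatic block.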
Not all tactics require a threat actor to be so bold, as one can simply observe a user while they enter sensitive information (shoulder surfing). Some are desperate enough to go through your trash to find something substantial (dumpster diving), like dates, passwords, PINs, etc.
Human hackers continuously embark on gathering or stealing information, so users must be vigilant in their response. The kryptonite for this problem rests in the 3 V's: Verify! Verify! Verify! No matter how intimidating, authoritative or trustworthy a person armed with information may seem, seeking proper confirmation should be the instinctive response. Attempting to confirm unverified claims with the individual or organization they claim to represent usually scares off the engineer behind the bait: clarifying memos can reveal that they never existed, validating promotions can expose the deceit, and credential checks usually go unanswered. Beyond mere diligence, suspicious websites, downloads, emails and messages in all their forms should be avoided. Allowing someone to tailgate or piggyback should not be a practice, and the proper disposal of personally identifiable information must be enforced.
Tech criminals use social engineering as an extremely effective attack vector for misleading their targets. It mostly involves well-organized, and sometimes impromptu, actions for the purpose of deceit. Regardless of the tricks applied, it can be mitigated by properly verifying claims and assertions in all their forms, effectively reducing both quantitative and qualitative costs.