This article is a part of Risk Update 5.
The role of human cognition, and the effect of its functional weaknesses, in cyber security.
What is social engineering?
Social engineering is a cyber attack strategy that exploits human psychological weakness by persuading the victim to act as the attacker intends. The attack exploits weaknesses in human interaction and in environmental and behavioural context, and can take various forms, such as phishing, spear phishing and scams (some definitions below). A report by the Australian Cyber Security Centre (ACSC) noted alarming statistics on cybercrime affecting Australians throughout 2020-21, with most of the concern surrounding the rise in social engineering tactics such as scams (Australian Cyber Security Centre, 2021).
Phishing: A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person (NIST SP 800).
Scam: A sophisticated message, often using professional-looking brands and logos to make it appear to come from a business you know.
Spear phishing: A colloquial term that can be used to describe any highly targeted phishing attack (CNSSI 4009-2015).
Whaling: A specific kind of phishing that targets high-ranking members of organizations (CNSSI 4009-2015).
Factors that increase the likelihood of a successful social engineering attack
In the context of human cognition, that is, how we acquire and act on knowledge and understanding through thought and reasoning, it is useful to break down the internal and external influences at play during a cyber-attack. Montañez, Golob and Xu (2020) found that the following factors make a person more susceptible to social engineering cyberattacks.
Internal
1. High Stress
An attacker who can make the target tunnel-vision and hyper-focus on the message by tapping into strong emotional charges such as urgency or fear is more likely to succeed. High stress often leads to missed suspicious cues (e.g., an unfamiliar email address or formatting errors).
2. Low Attentional Vigilance
Related to the stress factor: if the target is not paying close attention to the matter at hand, whether because of time constraints or a mundane, repetitive, high-volume workload, this lack of attentional vigilance may again result in missing the suspicious cues that are the hallmark of a scam.
3. Infrequency of attacks
If targets are already on the defensive and practising safe internet behaviours, a constant, persistent barrage of cyber attacks is unlikely to succeed. Users who are aware of safe practices and alert to cybercrime cues maintain higher attentional vigilance in the face of persistent attempts; infrequent attacks, by contrast, arrive when that vigilance has lapsed.
External
1. High Cognitive Stimulant
Message quality and message appeal both contribute significantly to the success of a cyber-attack. Effort is required on the attacker's end to implement urgency cues and visual deception to raise message quality, and to contextualise and personalise the message to increase its appeal. These are achieved through:
- Urgency cues: using a compelling call for action accompanied by extreme consequences to demand immediate attention (e.g., overdue bill or debt)
- Visual deception: logos, banners and other visual elements which make it difficult to distinguish from a legitimate source
- Contextualisation: creating credibility in the message and sender by associating with the target(s) on a common ground – a community event, social structure (e.g., friendships) and common beliefs
- Personalisation: incorporating personal data (e.g., names) to form the illusion that the attacker is a known associate
Strategies to better counter and defend against social engineering attacks
Below are four strategies you and your organisation can employ to reduce the likelihood of falling for a social engineering attack.
1. Increase suspicion and reduce trust
When using the internet, practise self-awareness by recognising when a scam email or message is triggering an emotionally charged response. Messages such as a debt that urgently needs to be paid, or an impostor on social media appealing to your empathy so that you will authenticate on a friend's behalf, should be treated with the utmost suspicion.
2. Increase vigilance in everyday tasks
For companies or users dealing with high-volume manual transactions, consider, at the human level, a cybersecurity program that enforces breaks or other means of recovering workers' attentional vigilance. At the machine level, just as social engineers have exploited artificial intelligence and machine learning to deploy phishing scams, there are interesting developments in the industry that aim to use the same tools to detect suspicious cues and so automate vigilance in the midst of everyday tasks.
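The message-quality and appeal cues listed under "High Cognitive Stimulant" (urgency, visual deception, personalisation) together with the unfamiliar-address and formatting cues from the internal factors can be turned into the machine-side vigilance this strategy describes. The following Python is an added example, not code from the article or from Montañez et al.; its urgency lexicon, brand list, thresholds and the two sample messages are constructed for illustration, and in practice such a score would feed a mail filter's review queue rather than act alone.

```python
# Added example (not from the article): heuristic cue triage. Lexicon, brands and messages are constructed.
import re
from email.utils import parseaddr

# Urgency cues: a compelling call to action backed by extreme consequences (constructed lexicon).
URGENCY_TERMS = ("urgent", "immediately", "overdue", "final notice",
                 "suspended", "within 24 hours", "debt")
# Brands the recipient deals with, mapped to the domain they legitimately mail from (constructed).
KNOWN_BRANDS = {"acme bank": "acmebank.example"}
KNOWN_DOMAINS = set(KNOWN_BRANDS.values()) | {"corp.example"}


def score_message(sender: str, recipient_name: str, subject: str, body: str) -> dict:
    """Return the cues that fired, a cue count and a triage verdict for one message."""
    display_name, address = parseaddr(sender)
    domain = address.rpartition("@")[2].lower()
    text = f"{subject}\n{body}"
    lowered = text.lower()
    cues = {}
    # Unfamiliar email address: the sending domain is not one the recipient normally deals with.
    cues["unfamiliar_sender"] = domain not in KNOWN_DOMAINS
    # Visual deception: a known brand in the display name while the address domain does not match it.
    impersonated = [b for b in KNOWN_BRANDS if b in display_name.lower()]
    cues["brand_domain_mismatch"] = any(KNOWN_BRANDS[b] != domain for b in impersonated)
    # Urgency: two or more pressure terms across subject and body.
    cues["urgency"] = sum(term in lowered for term in URGENCY_TERMS) >= 2
    # Personalisation by a stranger: recipient addressed by name from an unfamiliar domain.
    cues["personalised_by_stranger"] = cues["unfamiliar_sender"] and recipient_name.lower() in lowered
    # Formatting errors that a stressed reader misses: shouting caps or runs of exclamation marks.
    cues["formatting_anomaly"] = re.search(r"!{2,}|\b[A-Z]{5,}\b", text) is not None
    score = sum(cues.values())
    verdict = "quarantine for review" if score >= 3 else "warn recipient" if score >= 1 else "deliver"
    return {"cues": cues, "score": score, "verdict": verdict}


# Constructed sample messages: one lure and one routine notification from the genuine domain.
PHISH = dict(sender="ACME Bank Security <alerts@acme-bank-verify.example>", recipient_name="Alex",
             subject="URGENT: overdue payment - account suspended within 24 hours",
             body="Dear Alex, your payment is overdue. Act immediately or your account will be suspended!!")
LEGIT = dict(sender="ACME Bank <statements@acmebank.example>", recipient_name="Alex",
             subject="Your March statement is available",
             body="Hi Alex, your statement is ready in online banking.")

if __name__ == "__main__":
    for label, msg in (("lure", PHISH), ("routine", LEGIT)):
        print(label, score_message(**msg))
```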
3. Increase knowledge of detection cues
Traditional cybersecurity training programs should not be overlooked, but ensure that their content keeps pace with the constantly changing cyber landscape. Understand the trends in attacker behaviour, motivations and vectors, and educate users on how to detect the cues that mark internet content as malicious.
4. Increase exposure to (non-malicious) payloads
Within your cybersecurity program, you may also consider increasing the frequency with which you send non-malicious payloads to your employees, and adding some form of gamification or consequence matrix for how employees respond to the messages. The exposure gives users experience that is closely tied to a reward or consequence system. Consider also not notifying your employees that a phishing program is active, as doing so makes them consciously suspicious and gives them an unfair head start.
References
Australian Cyber Security Centre (2021). ACSC Annual Cyber Threat Report 2020-21. [online] Available at: https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21.
Montañez, R., Golob, E. and Xu, S. (2020). Human Cognition Through the Lens of Social Engineering Cyberattacks. Frontiers in Psychology, 11. doi:10.3389/fpsyg.2020.01755.