Social Engineering

Person Holding on Door Lever Inside Room

While discussing security, it is worth mentioning the human factor and how it is exploited using social engineering techniques.

Social engineering takes advantage of persuasion techniques, that we can analyze thanks to the book “Influence” by Robert Cialdini:

  • Reciprocity: when you receive a gift you are more likely to respond in kind
  • Scarcity: when a product is scarce you are more likely to want it
  • Authority: people are more likely to follow indications by an authority figure such as a celebrity or a government representative
  • Consistency: if you can get someone to agree to something small first, then they’ll feel pressured to agree to something bigger
  • Liking: you are more likely to follow someone you like
  • Consensus: if many people do something, why don’t you?

Many types of attacks can be created using a combination of these techniques. The most common ones used today include:

  • Phishing, either in mass or spear phishing focused on small groups or individuals, taking place through any communication channel such as email, messaging apps, social media, SMS, phone calls etc.
  • Trojans sent as attachments through emails that look like sent by family members, friends, or trusted parties
  • Tech support scams, typically malvertising visible on malicious websites that try to convince you that your computer is infected and you need to pay to “fix” it

With the advent of AI tools like deep fakes and voice imitation, these types of attacks could become more convincing and therefore more widespread.

Social engineering can become difficult to avoid when the attacker takes advantage of resources already exploited. For example, if an attacker manages to use SSRF to send an email as from the CEO using the official company server, it’s more likely that an employee will follow the instructions.

Resources

Scroll to Top