Social Engineering: the human factor behind Cyber Crime


Let’s admit it: it may have occurred to some people, the unconfessable desire of becoming a hacker. Maybe to solve a few problems and fix a few things, maybe to buy that dream house that is unattainable with your normal job. In short, to give one’s life a fresh coat of paint and then return to normal work.

Apart from having to deal with our conscience and the sleepless nights spent in fear of being caught, we have to face the reality that the hacker’s job is anything but a joke.

One must be very well prepared: high technical skills and profound expertise in human psychology are required. The knowledge that revolves around the manipulation of the victims has been given an important definition: Social Engineering.

Social Engineering: Psychology and Technology

Social Engineering involves the study of human behaviour in order to manipulate and deceive people by focusing on their emotions. The aim? To exploit human weaknesses for the attacker’s own benefit, in order to gain access to protected data and information.

This is a real psychological manipulation that acts mainly on certain levers such as:

  • subjection to authority;
  • social proof, i.e. peer pressure to encourage a certain behaviour;
  • feelings of sympathy and similarity;
  • the need to demonstrate commitment, reciprocity and consistency: people like, for example, to repay a favour;
  • haste and distraction;
  • greed, which often results in an inability to resist very convenient offers;
  • compassion and good feelings.

Given that each kind of cyber attack plays on a specific kind of human weakness, it can be said that social engineering runs through more or less all forms of cyber attack, and constitutes the humus on which the crime takes root and spreads.

Needless to say, the attachments or links to which victims are directed hide sophisticated mechanisms by which hackers install malware on the victim’s computer.

Every hacker aims at an emotional response

Examples range from the widespread phishing mails to the more sophisticated Business Email Compromise (BEC), where the desire to do something pleasing to the boss is solicited; from the contact form scam, which leverages the anxiety aroused by the threat of legal action, to the use of the Covid pandemic in all its nuances (variants, Green Pass, etc.) to deceive the victim through the various emotions it arouses.

What ensures the success of the cybercriminal is always the instinctive reaction of the victim: an immediate, unthinking response to provocation. If and when a second thought arrives, it will already be too late.

Emotional responses are, in fact, those most deeply rooted in all of us. The use of persuasion and emotional manipulation in phishing campaigns was the subject of a study published by the American Psychological Society in 2018, in which “emotional arousal as a fraud tactic” was examined.

According to the research, the people examined made poor decisions in response to both negative and positive messages of persuasion because “emotional arousal can influence susceptibility to misleading information”. And this is precisely the behaviour that hackers count on.

The danger of this type of risk lies, therefore, in the human factor. A click, made carelessly and in haste, can be fatal and drag the unfortunate person into a tangle of problems that take money and time to solve.

How can one take care of this situation?

There are no special techniques or software that can protect us from this kind of attack. The only solution is continuous, up-to-date Cyber Security Awareness training. Increased awareness of cyber risks is necessary to recognise the deceptions that manipulate emotional responses.

Never, therefore, lose concentration on your own actions at the computer and the consequences they may generate. And never fall behind in education and training. Only in this way will we make life difficult for hackers, who will have to look for another victim less prepared than us.