October 19, 2017 By Rick M Robinson 3 min read

Even as the technology deployed by both cyberattackers and cybersecurity defenders grows more sophisticated and powerful, the central role of the human factor remains critical. The most effective way to break into a computer network is to trick a legitimate user into opening the door to let you in. The techniques used to achieve this trickery are known as social engineering.

These methods can range from the apparently simple and naive to the highly sophisticated, but they all rely on two basic, related facts about the human mind: We are very good at deception, and we are easily deceived. These traits come together to make us all too good at self-deception.

Deception Is a Daily Routine

According to Infosec Island, our capacity to deceive and be deceived is rooted in how the human mind processes the enormous amount of information that we encounter in daily life. On one hand, we are easily deceived because our brains rely on shortcuts to filter raw information, determine what is important and decide how to act on it. On the other hand, we become very adept at exploiting these same mental shortcuts to deceive other people from a very early age.

This deception is not just limited to malicious lying. Our social lives are full of so-called white lies, from thanking friends profusely for gifts we don’t actually like to giving the boss an overly flattering assessment of his or her latest project proposal. Social engineering draws on these same traits and skills.

The Three Principles of Deception

Nonmalicious deception, such as magic tricks practiced by stage performers, offers a useful window into how the human mind processes information and how it can be deceived. According to the Infosec Island article, these professional tricksters rely on the following three basic principles to mislead us:

  1. Misdirection or manipulation of our sphere of attention. A stage magician performs an action that catches our attention and directs it away from subtler actions that constitute the magic trick. As magicians say, the hand is quicker than the eye. Similarly, an email link containing an entertaining graphic, for example, could draw a phishing victim’s attention away from the identity of the sender.
  2. Influence and rapport. Put simply, we tend to trust people if they seem trustworthy. We trust those who, for example, share our opinions on anything from eating preferences to public affairs or make us feel as if we know them. The social engineering tactic known as spear phishing — making malware-laden emails look as though they came from a friend or colleague — exploits this characteristic.
  3. Framing and context. How we respond to information depends on the circumstances around it. For example, spear phishing attacks often generate false security alerts to frighten potential victims into complying with instructions such as “enter your username and password.”
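
Each of the three principles leaves a trace in the message itself, which is what a mail filter or a cautious reader can check. The Python script below is an added example, not code from the original article: it parses a raw message, takes a caller-supplied allow-list of trusted domains (a hypothetical input), and reports a sender dressed up as a trusted brand or a mismatched Reply-To (influence and rapport), a link whose visible text names one host while its href goes to another (misdirection), and urgency or credential-request wording (framing). Both sample messages are constructed for the example.

```python
"""Map the three deception principles to checkable indicators in one e-mail.

Added example; the sample messages and the trusted-domain allow-list are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Principle 3 (framing and context): fear-inducing phrases and credential requests.
URGENCY_TERMS = ("security alert", "account suspended", "unusual sign-in",
                 "within 24 hours", "verify immediately")
CREDENTIAL_TERMS = ("username and password", "enter your password",
                    "confirm your credentials")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyze(raw_message, trusted_domains):
    """Return a list of human-readable indicators found in an RFC 5322 message string."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Principle 2 (influence and rapport): the sender looks like someone we already trust.
    brand_in_name = any(d.split(".")[0] in display_name.lower() for d in trusted_domains)
    if brand_in_name and not _is_trusted(from_domain, trusted_domains):
        indicators.append(f"display name '{display_name}' impersonates a trusted brand "
                          f"but the address is @{from_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        indicators.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # Principle 1 (misdirection): the visible link text draws the eye away from the real target.
    body = msg.get_payload()
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = _host(href)
        shown = _host(text) if text.startswith("http") else ""
        if shown and shown != target:
            indicators.append(f"link text shows {shown} but points to {target}")
        elif not _is_trusted(target, trusted_domains):
            indicators.append(f"link points to untrusted host {target}")

    # Principle 3 (framing and context): fear plus a request for credentials.
    lowered = body.lower()
    for term in URGENCY_TERMS:
        if term in lowered:
            indicators.append(f"urgency framing: '{term}'")
            break
    for term in CREDENTIAL_TERMS:
        if term in lowered:
            indicators.append(f"credential request: '{term}'")
            break
    return indicators


# Constructed allow-list and sample messages (reserved .example names, not real hosts).
TRUSTED_DOMAINS = ("acmebank.example",)

PHISHING_SAMPLE = """\
From: "AcmeBank Security" <alerts@acmebank-login.example>
Reply-To: recover@mailbox-collector.example
To: user@example.com
Subject: Security alert: unusual sign-in
Content-Type: text/html

<p>Security alert: we detected an unusual sign-in. Your account suspended within 24 hours
unless you <a href="http://acmebank-login.example/verify">https://www.acmebank.example/secure</a>
and enter your username and password.</p>
"""

BENIGN_SAMPLE = """\
From: "AcmeBank Statements" <statements@acmebank.example>
To: user@example.com
Subject: Your October statement is ready
Content-Type: text/html

<p>Your statement is available in online banking:
<a href="https://www.acmebank.example/statements">View statement</a>. No action is required.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample, TRUSTED_DOMAINS))
```

The allow-list stands in for whatever a real deployment knows about the recipient's legitimate correspondents; the phrase lists are deliberately small, and a production filter would combine these indicators with authentication results such as SPF and DKIM rather than act on wording alone.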

Mitigating Modern Social Engineering Schemes

Because our ability to deceive includes self-deception, we are all too ready to trick ourselves. The classic Nigerian widow email scam of yore, though outwardly naive, exploited all of the above principles as well as self-deception. An offer of money is always an attention-grabber, distracting social engineering victims from wondering why the widow would make a monetary offer. The widow’s apparent generosity builds influence and rapport, and the surprise of hearing from someone in a distant country establishes the context of something special and unusual — a secret shared between “widow” and recipient. Finally, the elements of flattery and greed encourage us to fool ourselves into thinking that someone would really choose to send us all that money.

Modern social engineering techniques have moved far beyond these old-time scams. Spear phishing attackers can examine our social media profiles to gather names and details to make emails look legitimate. Fake security scams exploit our genuine fear of cyberattacks to trick us into leaving ourselves open to one. But by understanding how social engineering works, we can train our mental shortcut mechanisms to be more wary. Awareness of the power of deception is the first mental step toward fending off social engineering schemes.
