Social Engineering, the act of getting a target to take an action that may be beneficial or detrimental to them, is often referred to as Human Hacking. Its use is widespread and pervasive and goes back to the earliest origins of humanity as a species. Unfortunately, its detrimental forms lie behind most cyber-attacks, since tricking a human is often easier than attacking technology. Such attacks are made possible by exploiting certain psychological factors well known to students of human nature. These psychological factors are aspects of human personality, both in isolation and in interactions with others. Since malicious actors routinely exploit these factors, our aim is to make them explicit enough to be easily understood, to the point of fostering preparedness, so that you can readily recognize and defend against them.
Following the lead of experts in the field [1], the psychological factors that underpin social engineering attacks can be loosely grouped into five categories:
- Cognitive
- Emotion
- Social Psychology
- Personality and Individual differences
- Workplace
We will confine ourselves to seeking an adequate understanding of the first of these; the others will follow in later installments.
Cognitive Psychological Factors
Cognition concerns the mind: it has to do with how the mind processes information. Likewise, cognitive psychological factors are concerned with how an individual processes information, including their mindfulness, decision-making strategy, knowledge, and confidence levels. The cognitive psychological factors to be aware of are:
- Cognitive Miser
- Competence
- Overconfidence
- Absentmindedness
Cognitive Miser
A miser is one who seeks to expend as little as possible. In the realm of our thought lives, this is true of all of us at various times. We often seek to conserve mental energy in the face of complexity or because of the busyness of life. On such occasions, we fall back on mental shortcuts or rules of thumb. Doing so can help us make quick decisions and improve our overall efficiency, but if left unchecked it can make us fall prey to manipulation. For instance, a devious fraudster can engineer a situation that combines urgency with complexity of information. In such a situation there is every tendency for us to give in to familiar mental shortcuts instead of doing the grueling work of thinking critically, thereby playing right into the fraudster’s scheme.
Competence
This has to do with a person’s knowledge and ability as they concern existing and emerging technology. People who are very conversant with technology, have undergone security training, and trust their abilities are less likely to fall for social engineering attacks. For instance, an elderly person who has little knowledge of technology and has never undergone security awareness training is more likely to fall for a tech support scam than a younger, technologically savvy user.
Overconfidence
While self-efficacy is indeed useful and necessary, having too much confidence, or an overestimation of your abilities, can be disastrous. This is because overconfidence often causes caution to be thrown to the wind and inflames risky behavior. For instance, overconfidence in your ability to spot a phishing email can cause you to overlook warning signs, especially when faced with a well-crafted phishing email that looks legitimate on the surface.
Absentmindedness
This speaks to the popular phrase of being “present in body but absent in mind.” It occurs when you are doing one thing but thinking about something else. Absentmindedness can be brought on by several factors such as stress, fatigue, difficult working conditions, emotional distress, and much more. The danger of being in such a state is that you can easily click a malicious link without even realizing it.
In conclusion, take note of these cognitive psychological factors, as they increase susceptibility to social engineering attacks. Apply countermeasures such as being conscientious, being organized, and investing in activities that improve concentration. Limit sources of distraction as much as possible, and when your attention is waning, take a break and resume the activity later. Also, keep an accurate estimate of your own abilities, participate in security awareness training, and do not rely on mental shortcuts when interacting with valuable information.
References
- [1] Longtchi T, Rodriguez RM, Al-Shawaf L, Atyabi A, Xu S. Internet-based social engineering attacks, defenses and psychology: a survey. arXiv preprint arXiv:2203.08302, 15 March 2022.