
The Psychology Behind Social Engineering 

February 13, 2024

Cyber security isn’t just about computer systems and networks; the people who use these technologies also play an important role. Most ransomware attacks begin with the human factor: social engineering. A recent threat monitor assessment indicates that nearly one-third of employees fall victim to social engineering attacks. Malicious actors exploit human emotions to lure the unsuspecting victim into sharing sensitive personal or professional data. These scams are regularly in the news, and most people are familiar with them. So, why are they still effective? Let’s explore some of these tactics to uncover the psychology behind social engineering.


Social Engineering and Human Emotion

Social engineering can be described as influencing someone to take an action that may or may not be in their best interest. Malicious actors use emotions as a social engineering tool to persuade their victims to take an action they normally would not. Falling victim to this type of attack does not indicate a lack of knowledge or intelligence. For instance, in a recent adversarial simulation conducted by Social-Engineer, LLC (SECOM), even cyber security professionals disclosed sensitive information during a vishing test. Why are these attacks effective even when targeting professionals in the field? It all comes down to the impact that emotions have on human behavior. For example, malicious actors use influence techniques to trigger strong emotions such as fear, producing an “amygdala hijack”: a reaction that overrides logic-based thinking and leads a person to take an action they normally would not. Here are some examples:

Fear

Fear is an unpleasant, often strong emotion resulting from anticipation or awareness of danger. Malicious actors commonly use fear to manipulate their victims because it is one of the most powerful human emotions. In addition, fear is easy to elicit. For instance, imagine receiving a phony email that says: “Attention. Fraudulent activity has been detected on your account. Change your password now.” How would you feel? A far more frightening attack is the “virtual kidnapping” scam, in which the victim is told that a loved one has been kidnapped. Through deception and threats, the bad actors coerce the victim into paying a ransom.

Greed

The Cambridge Dictionary defines greed as “a strong desire to get more of something, especially money.” Greed is part of being human and, for this reason, social engineers find it to be a very successful tool. An example of this is the “419 Nigerian scam.” Cybercriminals pose, via phone or email, as wealthy foreigners in need of help moving millions of dollars out of their homeland. They promise a hefty percentage of the fortune as a reward in exchange for a small sum. Moved by greed, the target shares their bank account information, thinking they will receive the reward.

Helpfulness

From a young age, most of us are taught to be helpful and obedient in order to be perceived as a good person. Malicious attackers can exploit this willingness to help others. For example, threat actors often target new employees because of their eagerness to be helpful and excel in their new job. In most cultures we are also taught to obey superiors and authority, so when a person in a position of authority makes a request, few will challenge its validity. Knowing this, bad actors may impersonate the boss via a phishing email requesting a favor that needs to be handled quickly. This “favor” may be a request for financial information (gift card codes, account numbers, etc.) or other sensitive information (login credentials, corporate information, etc.).

Urgency

In most cases, a social engineering attack will include a component of urgency. A sense of urgency can get the victim to act before they think. Examples: there’s a suspicious charge on your account that needs your prompt attention, or you receive an urgent request from your boss, whom you can’t reach at that moment to verify it.

Curiosity

Curiosity is another lever used in social engineering. The attackers promise something interesting or advantageous to deceive the victims. This type of attack could be as simple as sending an email stating “Your Amazon purchase for the amount of $800.00 is ready to ship. Click here to view your order.” An email or text like this may trigger the curiosity of the target, who may feel compelled to click on the link.

Principles of Influence

In addition to using human emotions as tools to manipulate their victims, criminals are also masters at applying principles of influence. These include reciprocity, commitment, social proof, authority, liking, and scarcity. The more we learn about the psychological factors that affect us, the more self-aware we can become. Whenever you feel taken over by a strong emotion, whether triggered by someone, something, or a situation, take a step back and give yourself some time before you act.

Psychology is at the root of social engineering. However, understanding human behavior and applying principles of influence are not just for criminals or nefarious purposes. Learn to understand the science behind the psychological, physiological, and artistic aspects of human communication by attending our upcoming Foundational Application of Social Engineering (FASE) course. This interactive 4-day course focuses on the aspects of human decision making and why it is important to understand these mechanisms. Whether you are coming as a manager, salesperson, adversary simulator, parent, instructor, or in any other role, FASE will help you see how you can benefit from this knowledge in your career and in life.

Written by:
Rosa Rowles
Human Risk Analyst at Social-Engineer, LLC
