The Vulnerability Within
Our subconscious, what I like to call the “human cache”, however un-engaged we think we are with it, is actually a gold mine to the average social engineer. According to social-engineer.org, social engineering (SE) is a blend of science, psychology and art. While it is amazing
and complex, it is also very simple. Chris Hadnagy defines this as “Any act that influences a person to take an action that may or may not be in their best interest.”
Whether we choose to accept this or not, we are a walking, breathing bank of information. Protecting this information does not end with physical security measures such as biometrics, locks and keys or even security clearances.
We often go through the identification and authentication processes of using our credit/debit cards to make payments by inputting our pin and password over and over again. This process gradually slips into the human cache and subconscious, and through constructive social engineering, an “insecure mind” tends to give away this information unknowingly.
You are probably thinking “there is no way I would give a stranger my login credentials or credit card details”. This is partly true, however, it might be as simple as your name, date of birth, place of work or that phishing mail telling you to “click here”;information that can be pieced together to guess your password.
Let’s take a name for instance – Fred (a disguised social engineer) walks up to you for the first time, you and Fred become good friends. There is something about his non-verbal behavior, body language, facial expressions, tone of voice; all these things have a psychological effect that makes you feel comfortable with him. He asks for your phone number, name, surname, address and social security number. We rationally see this as wrong and our brain probably tells us that, but the psychology of social engineering in actual sense is a mind-brain ploy, where your rational cognition ends. The mind however where emotions reside is engaged without us knowing. How?
Often times, we mirror the emotions we see in other people and this is subconscious! Walk into a room where people are laughing, your mood lightens up, gradually you become happy, Walk into a sad room where everyone is crying, you get sober, smile less; even if you don’t notice or understand the psychology. Fred does and he exploits this by using his body language to portray an emotion that he wants you to feel. Once this is done, you might then begin to think, “how harmful could it be anyway”?
In addition to this, We have seen commercials where the music gets really sad, a woman is on TV, behind her are starving children, children with empty bowls, dirty-covered, tattered and ripped with flies around. Then they make a request – now the music has made you sober, the children’s faces show sadness and stress, the kids look tired and really hungry, all of this affects you .Now, you can do something about it, if you can just donate $19 – they now show pictures of these children smiling and happy. You know and feel within yourself that you can make this happen, you can make these kids smile.
This is an example of the kinds of emotional hijack Fred has twisted unknowingly to you that makes you succumb eventually to his social engineering tricks —a play on your psychological insecurity. This might sometimes not always be to steal information from you, it might just be to push you into investing in something you probably would not invest in – losing money to scams.
A SECURED MIND
So how exactly can I stop being the victim? Jonas Borchgrevink, the founder of hacked.com said “Employees are and will always be the biggest security risk”. We cannot control our subconscious or emotions or know when exactly someone is lying, this is and would always be a vulnerability, the vulnerability within.
However, there are ways to be steps ahead.
- Embrace healthy skepticism: Try to be as vigilant as possible and question everything. Being aware of the common tricks that hackers use can make you better prepared. Go online, read up past hacks and try to learn from their mistakes.
- Access the threat level: Try to access the threat level, motive or the big picture behind the people in your life. You cannot always be at your 100%, but you want to be sure that when you are not, the people around you have your back and are not seeking to exploit the information you possess.
- Confidentiality: Do not give out any confidential information about you or your company even when you think it is unimportant or non-confidential – whether over the phone, online, or in-person. Only do this when you have first verified the identity and authenticity of the person asking and the need for that person to have that information. When you get a call from your bank saying there is an issue with your bank account. Say okay, you will call them back, and then call the number on your credit/debit card or walk into any branch office. The same applies to receiving suspicious emails or SMS messages from your bank.
Social Engineering is a very real threat and is indifferent to whoever you are or whatever department you work in in an organization. Data is the new gold and we live in a data-driven world. It is not too much to take necessary precautions. Remember, we only win when we win together.
Author: Orji Emmanuel