White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
Kevin Mitnick, the reformed computer hacker turned security consultant and author,
popularized the term “social engineering,” maintaining that it was far easier to
deceive a user into giving up a password than to hack into the system directly.
Today, social engineering is at the core of increasingly aggressive – and successful –
schemes to manipulate online users into disclosing sensitive information or installing
malware. Digital “cons” such as phishing emails are a primary tool of the social
engineer, targeting – and exploiting – humans as the weakest link in the security chain.
In this white paper, we explore the psychology of social engineering and why it works,
provide examples of the latest cyber attacks that rely on social engineering, and
examine how education and awareness are crucial as part of the first line of defense
in diminishing the impact of social engineering-based cyber attacks.
The Psychology of Social Engineering
Social engineering is not a new concept. Today’s online social engineer is nothing more
than a con man who uses digital methods – such as email – to swindle people out of
passwords or to trick them into clicking on a malicious link that downloads malware onto
their computers or networks.
Social engineering tactics tap into strong human emotions such as fear, curiosity, even
greed as motivators to bypass even the most iron-clad security measures and gain access
to systems to steal identities, funds, information, and corporate and government secrets.
And while the deception itself exploits no software flaw – the social engineer needs no
“hacking” technology to deliver the lure – don’t be fooled: social engineering tactics are
sophisticated and rooted in the fundamentals of complex human psychology.
In fact, we can draw on these fundamentals to gain a better understanding of how social
engineering works, beginning with the psychology of persuasion. Because persuasion is
such a pervasive component of our society, it is easy to overlook how external influences
affect our behavior. One only needs to consider how the constant barrage of persuasive
messaging in consumer marketing and television commercials, for example, fuels our
decisions on which products to purchase.
In social psychology, there are two alternative routes of persuasion that can be employed
when attempting to elicit a response from another: a central route to persuasion and a
peripheral route to persuasion.[1]
–– A central route to persuasion involves being persuaded by an argument or the content
contained within a message. The recipient listens carefully and thinks about the
–– A peripheral route to persuasion, in contrast, relies on superficial cues to persuade, for
instance, the apparent credibility of the source (a television commercial delivered by an
actor in a doctor’s lab coat), or a memorable tagline or phrase.[2]
[1] Jonathan Rusch, “The Social Engineering of Internet Fraud,” U.S. Department of Justice.
Cybercriminals rely on peripheral routes to persuade a victim into providing the
response they seek. Social engineering tactics use superficial cues to exploit trust,
pique human interest, and evoke a strong emotion such as fear, curiosity, or excitement
that hinders the victim’s ability to think logically and elicits an immediate response.
Beyond persuasion, attitudes and beliefs play an equally important role in online social
engineering. Attitudes and beliefs reveal trends as to the psychological motivation
behind a victim’s responses – and ultimately drive the type of tactics a social engineer
uses for a particular audience. For instance, consumers have attitudes and beliefs that
are different from employees. Each is driven by different motivators.
The social engineer must assess his audience’s attitudes and beliefs accurately and
customize his tactics in order to maximize impact. Often, criminals do extensive research
on a victim or a business prior to an attack to gather the most relevant information that
will ensure a response. Today’s trends in social networking, job sites and other online
sources reveal an astonishing amount of personal and corporate information that a
criminal can piece together to create a profile – and a targeted ruse – for a successful
Perhaps one of the most prevalent – and damaging – beliefs of typical online users is
thinking that they have nothing worth stealing. This popular misconception is one that
the social engineer counts on.
have shown that honesty is the characteristic most often associated with
delivering an accurate message.[3] Just as the superficial cue of an actor dressed in a
doctor’s lab coat in a television commercial sends a message of perceived credibility,
an email that appears to come from a friend or a legitimate business signals trust.
Reasonable efforts to scrutinize the message are dismissed when its source is assumed
to be trustworthy.
A standard social engineering practice is to make a message appear as though it
originated from a legitimate person or entity. By hijacking email accounts and sending
phony messages to the account’s contact list, criminals make recipients believe that
these emails come from the real account owner. Friends and associates trust the
source, open the malicious links, and download malware onto their computers.
Today, with the enormous popularity and growing use of social networking, social
engineers have extended this tactic to social networking sites. When users on a social
networking site receive a message from someone within their network with instructions to
view a file or video, those users are more likely to respond to the request since it appears
to have come from a trusted source.
[2] Brehm, Kassin, and Fein, Social Psychology, 2002.
[3] Joseph R. Priester and Richard E. Petty, “Source Attributions and Persuasion: Perceived Honesty as a Determinant of Message Scrutiny,” Personality and Social Psychology Bulletin, Vol. 21, No. 6.
Figure 1: Screenshot of Fake IRS Message Designed to Induce Fear
The Emotional Side of Online Social Engineering
Cybercriminals have begun to recognize the value of enterprise credentials and
proprietary information beyond identity theft. Today, as functionality and technology
move to new channels, so does fraud – and the types of online social engineering are
evolving to meet these new opportunities.
The use of social engineering to commit fraud is successful because it preys not on
technology, but on the inherent weaknesses of the human component. By manipulating
the human victim with messages that exploit his trust, pique his interests and desires,
and evoke a range of strong human emotions, social engineers increase the likelihood of
obtaining the response they seek – circumventing otherwise effective technology-based
security measures such as firewalls, encryption, anti-virus, spam filters, and strong
In the following examples, we examine some of the most common attacks that rely on
social engineering tactics – and the very “human” responses they evoke:
Fear or anxiety
The earliest phishing attacks attempted to create fear or anxiety in their victims as a way
to get them to divulge their personal details. Perhaps the most common method – still
used today in many different forms – is to imply that there is something wrong with the
user’s bank, credit card, or retail account. The urgent message in this scam states either
that unusual activity has been detected in the account, or that a failure to confirm
account information will result in the account being closed. The resulting fear or anxiety
compels the victim to click the link contained within the email, which, of course, directs
the victim to a fraudulent site and requests that the victim input account information,
passwords, and other credentials in order to remediate the artificial “problem.” This
information is then used by the social engineer to access the victim’s account – and
funds – directly.
Designed to trigger anxiety in its U.S. victims, a spam email entitled “Fraud
Application” attempted to trick victims into believing that the U.S. Internal Revenue Service
had sent them a notice about unreported income (see Figure 1). The victims who fell for this
scam unknowingly downloaded a Trojan executable onto their computer that was capable
of capturing anything the user typed, including credentials to online accounts.
A similar scam targeted UK residents and was sent as a message from HMRC (see
Figure 2).
These types of scams are not limited to consumers. A common attack targeting
employees within an organization purports to be from the U.S. Tax Court and inquires
about a notice of deficiency.[4] When the intended victims clicked the link within the
email, a Trojan equipped with a keylogger was downloaded to their computers, enabling
the criminals to see – and steal – anything the users typed, including corporate
credentials such as passwords to multiple secured corporate systems.
Criminals are avid fans of social networking sites. They hijack user accounts to send
phishing invites to an account holder’s entire contact list, post poisoned links to a variety
of malicious sites, and send credible emails with malicious links – abusing the trust that
friends normally share. Some creative criminals have tailored messages to appear to
come from the social networking site itself, so that users will divulge their login
credentials or download a Trojan (see Figure 3).
Figure 2: Screenshot of Fake HMRC Message Designed to Induce Fear
Figure 3: Screenshot of Fake Facebook Update Message Designed to Abuse
Social networking sites are the least of one’s worries when you consider a spear phishing
email sent to a contact list inside a military base. The message asked readers to confirm
their attendance at the General’s retirement party. The consequence of clicking the link?
An immediate Trojan download that compromised the PC, the user’s data, and all future
communications (see Figure 4).
Spear phishing scams affect the corporate environment as well. Would you have opened
and/or forwarded an email from human resources that contained employee salaries in a PDF
file (see Figure 5)? The PDF attachment, of course, was the clever cloak of a Trojan horse.
Human interest stories evoke an emotional reaction because they are stories people
can relate to. Often part of the evening news or magazine features, these stories present
people or situations that drive our curiosity or desire for additional information. Not
surprisingly, online social engineers use human interest stories to lure victims. One of
the more successful scams exploited the news of Michael Jackson’s death with a message
that allegedly contained “secret” information for readers (see Figure 6). Notice that the
link has an executable extension – yet another direct link to a Trojan download.
Criminals also lure victims with interesting current-event stories featured on fraudulent
websites that mimic the look of well-known entities. In Figure 7, a social engineer has
replicated the CNN website which features a link to a video on Gaza City. Recipients of
the original phishing email that led to this site who clicked to watch the video would
have downloaded malware to their machines.
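The cues this paper describes – a message dressed up to come from a trusted sender (the hijacked-account and “looks like it’s from a legitimate business” tactic above), urgency language, and a link whose visible text hides an executable download or a look-alike site – are superficial, and that is exactly why a mail gateway or an analyst can check for them mechanically before a human has to. The following Python script is an added example written for this edition, not code from the original white paper or from RSA: it triages a raw email for those cues. The two messages embedded in it are constructed for illustration, the brand-to-domain allow-list is an illustrative assumption rather than an authoritative source, and the thresholds are arbitrary.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brands the lures on this page impersonate -> domains that really
# send for them. Illustrative only; a deployment would use a maintained list.
KNOWN_SENDERS = {"irs": {"irs.gov"}, "hmrc": {"hmrc.gov.uk", "gov.uk"},
                 "facebook": {"facebook.com", "facebookmail.com"}}
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|unusual activity|"
                     r"failure to confirm|verify your account)\b", re.I)
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js|jar|msi)$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.I)
IPV4_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample messages for this example (not real mail, not real phishing).
PHISH_MAIL = """\
From: "IRS Fraud Department" <notice@irs-gov-refunds.example>
Reply-To: collect@mailbox-relay.example
To: victim@example.com
Subject: Fraud Application - unreported income (URGENT)
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=irs-gov-refunds.example; dkim=none
Content-Type: text/html

<html><body><p>Your account will be suspended within 24 hours unless you verify immediately.</p>
<p><a href="http://198.51.100.7/notice/IRS-Notice.exe">http://www.irs.gov/notice</a></p></body></html>
"""
BENIGN_MAIL = """\
From: "IRS e-Services" <noreply@irs.gov>
To: victim@example.com
Subject: Your e-file confirmation
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=irs.gov; dkim=pass header.d=irs.gov
Content-Type: text/html

<html><body><p>Your return was received. <a href="https://www.irs.gov/refunds">Check refund status</a></p></body></html>
"""

def _domain(addr):
    # Lowercase domain of user@host, or '' if the address has none.
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _registered(domain, allowed):
    # True if domain is one of the allowed domains or a subdomain of one.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw_message):
    """Return a list of (rule, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Cue 1: a trusted-looking display name whose address lives at an unrelated domain.
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    for brand, domains in KNOWN_SENDERS.items():
        if re.search(rf"\b{brand}\b", display, re.I) and not _registered(from_domain, domains):
            findings.append(("display-name spoof", f"'{display}' sent from {from_domain}"))
    # Cue 2: replies silently routed to a different domain than the visible sender.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    # Cue 3: the receiving mail server already recorded an authentication failure.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in {"fail", "softfail", "permerror", "temperror"}:
            findings.append((f"{mech} {m.group(1).lower()}", auth.strip()))
    # Cue 4: urgency language meant to short-circuit scrutiny.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(msg.get("Subject", "") + " " + text)})
    if hits:
        findings.append(("urgency cues", ", ".join(hits)))
    # Cue 5: links that fetch an executable, point at a bare IP, or do not go where they claim.
    for href, label in ANCHOR.findall(text):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if EXECUTABLE_EXT.search(url.path):
            findings.append(("executable link", href))
        if IPV4_LITERAL.fullmatch(host):
            findings.append(("ip-literal link", href))
        label = re.sub(r"<[^>]+>", "", label).strip()
        if LOOKS_LIKE_URL.match(label):
            shown = (urlparse(label if "://" in label else "http://" + label).hostname or "").lower()
            if shown != host:
                findings.append(("link text mismatch", f"shows {shown}, goes to {host}"))
    return findings

def verdict(findings):
    """Coarse verdict for an analyst queue: several independent cues together are the signal."""
    if not findings:
        return "no cues found"
    return "likely phish" if len(findings) >= 3 else "review"
```

Run `triage(PHISH_MAIL)` and the constructed IRS lure trips all seven checks, while `triage(BENIGN_MAIL)` returns nothing. No single cue is conclusive (plenty of legitimate newsletters set a different Reply-To, and a missing DKIM signature is not a failure), which is why the verdict counts independent cues rather than keying on one; the executable extension and the visible-text/href mismatch are the two that almost never appear in legitimate mail and deserve the highest weight if you tune this further.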
Figure 4: Screenshot of Spear Phishing Message Designed to Abuse Trust
Figure 5: Screenshot of Fake HR Message Designed to Abuse Trust Relationship at Work
Another popular scam among criminals is the tax reporting scam, which targets victims on
multiple levels and with multiple emotions. Tax reporting is a civic obligation; it is a
must-do and is in the victim’s “best interest.” The promise of a tax refund is a monetary
reward. And, of course, the message’s urgency evokes fear and anxiety. Tax reporting
scams continuously imitate taxpayer portals in almost every G8 country and beyond,
targeting victims in countries including the U.S., UK, Australia, and South Africa.
In an HMRC phishing scam, victims were lured into divulging their online banking
credentials under the false pretense of being eligible for a tax refund. Victims who entered
their details and clicked “Search” unknowingly sent their credentials directly to the
criminal’s drop server. Even though fake client details had been entered, the phishing page
still displayed a supposed refund amount of £431.10 (see Figure 8).
Figure 6: Screenshot of a Spam Message Designed to Lure Victims with Human Interest Story
Figure 7: Screenshot of Fake Video Download Designed to Lure Victims with a Current Event Story
Other spam messages linked with reward are designed to recruit money mules. In Figure
9, criminals looking to cash out money stolen from other victims’ bank or credit accounts
in specific geographies targeted people in those countries with phony job offers, often
titled “Money transfer agent” or “Transfer Manager.”
Education and Awareness: The First Lines of Defense
Consumer awareness of cyber threats has grown considerably in recent years.
Despite increased awareness, users still continue to fall victim to cyber attacks. In 2010,
two out of ten consumers admitted to having been the victim of a phishing attack.[5] This
can be attributed to the advanced tactics and clever social engineering schemes that
criminals use today. The number of phishing attacks is increasing as well: in 2010,
RSA observed a 27 percent increase in global phishing attacks over the previous year.
Figure 8: Screenshot of Fake HMRC Site Designed to Lure Victims with
Figure 9: Screenshot of Spam Email Designed to Lure Victims with a Job Offer (Mule Recruitment)
[5] RSA 2011 Workplace Security Report.