Early in his book Influence: The Psychology of Persuasion, Robert Cialdini explains how the “cheep-cheep” sound of a turkey chick causes its mother to whirr into action. Upon hearing the distinctive sound, the mother’s maternal instincts kick in automatically, without any thinking involved.
Humans, of course, use much more complex mechanisms when it comes to decision making. Our brains have evolved to process countless eventualities before coming to a conclusion.
But in the epilogue of Influence, Cialdini poses an intriguing question:
Could it be that our superior mental ability has enabled us to create a world so complex, so fast paced, and so data heavy that often the only way to cope is by relying on immediate, impulsive decision making?
We’ve always had the ability to make in-the-moment decisions, of course. Yet might there be a danger that this kind of response is now becoming our default setting?
Cybercriminals, for one, have bet big on this being the case. And the fact that their phishing attacks are currently so successful seems to be reinforcing their confidence.
In this article we’ll explore the ways hackers are profiting from our evolving digital behaviors. And we’ll explain how you can protect yourself from social engineering.
Persuasion principles
In December last year, a man in Singapore received a text message that he thought was from his bank.
The sender of the message informed him that an unknown payee had been added to his account and that if he hadn’t added this person himself, then he should click on the link in the message to look into it.
After clicking on the link, the man landed on a website that looked identical to his bank’s. He entered his account details, thinking that by doing so he would resolve the unknown payee issue. Instead, he unwittingly handed over control of his bank account to bad actors.
For five years, he and his wife had been saving to start a family. In a matter of hours, all of their savings were lost.
Individual stories like this one highlight the true cost of cyber attacks. People’s lives and their plans to enrich those lives can be devastated in no time.
The story is also a good example of a social engineering attack.
When people think about cyber attacks they tend to think about complicated technology:
Attackers cracking cryptographic keys, for example, or reverse engineering an application and then releasing a fake version.
While these more technical attacks do happen, they still tend to need some kind of human interaction to succeed.
The bad actor has to convince his victim that what he’s asking of them is perfectly normal and fits neatly atop the foundational beliefs they use to guide their everyday actions.
This is social engineering.
In Influence, Cialdini describes six principles of persuasion that can be used to convince someone to do something. When he wrote the book he was thinking more about the tricks used in marketing and advertising than about cyber attacks. But it turns out that these principles work just as well for hackers as a go-to guide for social engineering.
So, what are they?
The first is reciprocity. The idea here is that if someone offers you something or acts in a kind way, then you’ll feel compelled to do the same for them. In social engineering, this could be a bad actor offering something for free or making it look like they’re solving a problem for you, such as in the example from Singapore above.
Next comes consistency. Have you ever told someone that a particular belief or value is important to you? Chances are that after sharing this information with them, you’ll want to make sure your actions are consistent with those beliefs. Social engineers can tap into this trait by asking you to do something small to begin with and then following that up with a more substantial request later.
Another principle is consensus. As much as we might not like to admit it, we often tend to follow the crowd - that’s why reviews are so important on sites like Amazon. Bad actors can exploit this principle by tagging onto wider cultural and societal trends. The more everyone around you is behaving in a certain way, the less suspicious you’ll be of a text message that tells a similar story.
Liking is also an important factor when it comes to persuading somebody. You’re more likely to agree to a request if you’re fond of the person making it. This is why malware often hijacks the contact list on your phone. The thinking is you’d be less likely to scrutinize a message that comes from a friend and would simply click on the link without thinking.
During the early days of the pandemic, people felt a bit lost. They were reliant on advice from experts. Hackers were aware of this reality and looked to exploit the next persuasion principle - authority. We’re more likely to believe people in positions of authority on a subject. This is why we started seeing phishing messages pinging on our phones - supposedly from healthcare facilities - urging us to book a Covid vaccine appointment.
The final principle is scarcity. It’s human nature to value something more when there’s less of it around. Attackers often try to exploit this in phishing messages by making it sound like you have to do something quickly before it’s too late - for example, by warning you that you’ll be locked out of your account in 24 hours if you don’t click on the link to fix the problem. This is a really common approach these days - hackers want you to make a decision in the moment without thinking seriously about it.
It’s easier to be tricked in a fast-paced world
Attackers use these persuasion principles to exploit the normal - and mostly decent - way that we live our lives. It’s the digital equivalent of you holding the door open for a tailgater. More often than not your automatic, unthinking belief that holding the door open for somebody is the right thing to do will supersede any suspicion you might have that the person following you through the door doesn’t work at your office.
Remember, all of this happens in a matter of seconds. But in the digital worlds we dip into each day, many of our reactions are even quicker. They can be measured in milliseconds.
In the epilogue of Influence, Cialdini suggests that the faster the world becomes - and the more information we consume - the more reliant we’ll be on immediate, shortcut responses. And as a result, he says, the number of attempts to trick us will also increase.
One can’t help but be reminded of his words when reading about modern social engineering attacks.
The thing is, Cialdini made his prediction in 2009 - in other words, before the smartphone and social media had truly cemented themselves in our everyday lives and changed our behaviors so completely.
If we were coasting along a fast-flowing stream of data in 2009, then in 2022 it can sometimes feel like we’re trying to right ourselves underwater having been hit by a whitewater wave.
In the decade or so since Cialdini’s prediction, we’ve gradually come to associate the mobile phone with immediate responses. You make a quick retweet here, you like your friend’s Instagram story there.
You move from one in-the-moment, unthinking response to the next, while simultaneously doing other things - pouring a cup of coffee, walking to meet a friend, or jumping off at your metro stop.
These distracted moments are precisely when you might receive a text message that looks genuine at first glance.
In circumstances like these, it’s hardly surprising that attackers often seem to have the upper hand.
That’s certainly how Brenda K. Wiederhold - president of the Virtual Reality Medical Center - sees it in her paper, The Role of Psychology in Enhancing Cybersecurity. She thinks people are at a psychological disadvantage when faced with cybercrime. While this is sometimes due to a lack of information, Wiederhold also suggests that even when people do have sufficient information to recognize the risks, they can still be enticed by the prospect of instant gratification.
It’s as if thousands of likes and other social interactions over the years have given us a false sense of security on the device.
How can you protect yourself from social engineering?
Fresh examples of social engineering attacks appear almost daily.
There’s the employee at a water treatment plant being tricked into allowing an attacker to use TeamViewer to access the internal network and modify the chemical levels.
Then there’s the hacker conning a man into ceding control of a digital wallet and then stealing $1.4 million worth of NFTs.
The second example is simply one of many involving cryptocurrencies and NFTs, where it often feels like nobody is in charge and the rules are being made on the fly. It also aligns perfectly with Cialdini’s prediction about a faster, more distracted world being a world where we’re more likely to act impulsively and open ourselves up to being duped.
So, what’s the answer?
There’s no hitting the pause button (let alone rewind) on technological trends. Unless you plan to throw your phone off the nearest bridge, the only answer is to accept that there are people out there who are waiting for you to slip up.
This isn’t the first article we’ve written where we’ve advised you to be suspicious. And no matter how often we say so, it will always feel like a sad piece of advice to give. But it’s an absolutely essential trait for the modern world.
So yes, be suspicious. And if possible, try to slow down sometimes too. Whenever a text message pings on your phone, read the contents of it in the notification preview, and then put your phone down for a few seconds. Focus on the world outside of your smartphone screen - the wind blowing through the trees perhaps - and ask yourself: could that message be fake? Do I have a relationship with the company in question? If so, could I contact them directly to verify that what the message says is true?
The advice above is for individual mobile device users. But businesses also have a big role to play in educating users of their mobile apps. Banks are doing a pretty good job at this - especially neobanks - by telling their customers about social engineering scams to look out for.
But they can still do more. Offering this advice will appear hollow, for example, if banks don’t also secure their mobile banking application as robustly as possible to prevent other types of attacks.
The messaging about risks has to be consistent as well. Epic Games have their own - arguably valid - reasons for encouraging people to download Fortnite outside of the two big app stores. But this kind of advice can also lead to bad habits. After all, social engineering messages often try to get people to download a bogus app from a malicious website.
More than anything else, our advice for banks and other businesses would be to have empathy for your end users. Remember that in no time at all your end users have got used to managing a large part of their everyday lives by scanning, swiping, and scrolling a smartphone screen.
So, when you set out to design and develop a mobile app, don’t only think about the user experience. Think instead about how you can make sure their security is considered from when they download the app through to everyday use.