An experiment, conducted in 1963 by Yale University psychologist Stanley Milgram, aimed to measure the willingness of participants to obey an authority figure who instructed them to perform acts conflicting with their conscience. The results were unexpected. Milgram’s colleagues, peers and students predicted less than 1 percent of the participants would willingly do so. They were shocked when a large number obeyed the authority figure, although reluctantly.
This is “social engineering” – the use of deception to manipulate people to do what we want. Milgram’s study shows how authority can be used to manipulate people to do something they wouldn’t normally do. It is one example of a persuasion technique. While hackers use many techniques, I want to discuss two of the most common, how they’re used for manipulation and ways to prevent their success.
The end goal of a hacker isn’t to gain access to your system. That’s just a means to an end. Hackers typically strive for monetary gain or tactical advantage via extortion, intelligence gathering or exfiltration of sensitive data. With today’s security technology and the expanding number of security professionals, hacking systems has become difficult. That’s why the human element gets exploited. It’s easier to “trick” people into willingly giving up passwords, approving money transfers, etc. than it is to hack a computer.
The authority technique is often used in email scams. The attacker impersonates someone within a company, such as the CEO asking for a transfer of money. This is the same technique used by scammers claiming to be a utility company demanding payment for an unpaid balance.
These attacks are effective because they leverage our willingness to submit to authority and comply with the rules. The easiest way to overcome this is to verify, in person or on the phone, with the actual person perceived to be making the request. In other words, visit that representative or company in person, or hang up and call them back using a phone number you have researched and verified yourself.
You can find the “conformity technique” used on social media. The attacker creates a false profile on social media and will make it appear realistic with many posts, likes and mutual friends. By building trust, people are more likely to click on a shared link, especially if everyone else is doing it. Ever wonder how “fake news” spreads so quickly?
The more likes and shares a post gets, the more views it receives, and that view count can be artificially inflated using false accounts. This is harder to overcome, especially if the hacker is a good impersonator. Watch out for “friends of friends.” Only trust people in your immediate circle. Watch for language that seems off or not typical of how that person normally behaves. When in doubt, don’t click links.
Hackers use many other techniques. “Reciprocity” is where compliance comes from the target first rejecting a request and then accepting a more moderate alternative. “Commitment” occurs when a person begins a cycle by complying with a small, insignificant request and then continues to comply with progressively larger ones. These techniques are often combined in more advanced attacks.
Regardless of the manipulation method used, the best way to stay safe is to verify with a live person. Remember, never use a website or phone number given to you in an email or by a caller. Always verify it yourself. If you can’t connect with a live person, chances are the request isn’t worth your time or interest.