One fun fact about me: before I got into technical sales and marketing, I was planning on pursuing a career in psychology. My path ended up diverging, but I am always interested in how psychology weaves its way into every sector of our lives, including the cyberworld.
A good cybercriminal is an expert at employing psychological tactics to get targets to perform a desired action, such as handing over information or access to a system. This process is known as Social Engineering. The average company is targeted through email and phone by over 700 social engineering attempts annually (at least 1 per day). Because this tactic is so prevalent, let’s dive into some of the principles of persuasion so you can recognize them before it’s too late.
The Principles of Persuasion
The Principles of Persuasion were coined by Robert Cialdini, and they explore the factors that affect the decisions people make. These 6 principles are the main methods that malicious actors use to gain your trust and persuade you to take a specific action.
Reciprocity Principle
The Reciprocity Principle operates on the idea that people value equality and balance. If someone buys you a birthday gift, you are much more likely to send them one in return when that time comes around. Cybercriminals exploit this principle by offering something that appears to benefit the target, or that is too good to refuse. The victim then feels a sense of obligation to return the favour, whether that’s giving personal information, clicking on a link, or executing some other type of action.
Scarcity Principle
The Scarcity Principle states that people place a higher value on products they perceive to be scarce or limited in supply. Malicious actors will attempt to create a false sense of urgency to get you to perform an action without thinking. Watch for things like “limited time offers”, fake deadlines, feelings of FOMO (fear of missing out) and enticing offers that come from unknown sources.
Authority Principle
People see individuals who are authoritative, credible, and knowledgeable experts in their fields as more influential and persuasive than those who are not, and they are more likely to feel compelled to trust them. Cybercriminals will impersonate authority figures such as managers or executives and target lower-level employees; during times of crisis they will even impersonate emergency responders or senior officials in order to get the information they desire.
Commitment and Consistency Principle
People strive to be consistent with their identity and sense of self-image. If you consider yourself to be an “active” person, you’ll be more likely to perform actions that are “active”, such as running or biking. Cybercriminals exploit this bias by asking for simple, non-sensitive information at the beginning of the interaction, such as your job title or department. Once they’ve built rapport, they move on to asking for more sensitive details, and because you have already answered the earlier questions, you are more likely to stay consistent and follow through with their line of questioning.
Liking Principle
This principle states that people are more likely to be influenced by things and people they like versus those they don’t. Attackers use this principle by establishing friendly rapport with the victim, through compliments, or finding common ground such as sharing interests or hobbies.
Consensus (Social Proof) Principle
The last principle states that because humans are social by nature, we often look at others around us to see what they are doing before we make decisions. Attackers will use this tactic by claiming that your colleagues have already shared a certain type of information and will try to convince you to do the same.
How to Defend Against Social Engineering Tactics
Now that you know the principles behind social engineering tactics, you can begin taking the necessary steps to make sure you don’t get manipulated. One of the biggest things you can do is to verify all requests that come through email, text, or phone, especially if those requests involve sensitive data, and to do so through a separate channel you already trust rather than by replying to the request itself. Be skeptical of any message that urges you to act quickly, and be wary of individuals who try to build rapport too quickly. Be sure to also train your employees to recognize the tactics of social engineers and conduct regular training sessions. Lastly, don’t underestimate the power of human instinct; if something feels off, then it probably is.
