October 2008

BUSINESS INSIGHT: ANTI-THEFT


How Cybercriminals Use Social Engineering to Fool Us

By Karthik Raman,
Research Scientist, McAfee® Avert® Labs

It seems like we hear about a new exploit or cyber scam almost every week. Most of our efforts are directed at defeating these kinds of attacks, but we rarely ask why they work so well. Research on the psychology of security can give us some clues.

Well-known security expert Bruce Schneier has been studying the intersection of behavioral economics, neuroscience and the psychology of risk and decision-making to help explain why our feelings of security and our reality are sometimes out of sync. What he found is that the parts of the human brain governing emotion and reason do not always work in harmony. Often, an oversimplification of our reasoning leads to a false sense of security. The oversimplification takes the form of a mental shortcut, or heuristic, and social engineers try to manipulate our behavior by taking advantage of these shortcuts.

So, when cybercriminals design attacks that feed into our oversimplification of reasoning, or “cognitive biases,” as these mental errors are sometimes called, they are actually acting as social engineers.

And, unfortunately, cybercriminals have quite a few cognitive biases to take advantage of. Here are some of the most commonly exploited biases:

  • Confirmation bias – This bias relates to the fact that people interpret information in support of their existing views. So, say you are a regular eBay user, and you are accustomed to receiving and responding to emails from the company. If a cyber scammer sends you an email purportedly from eBay saying that you need to reconfirm your PayPal account details, you may fall for the trick because your confirmation bias tells you that it is normal to receive emails from eBay and that it is a trusted source.
  • Anchoring – This occurs when a person makes a decision based upon a single identifying trait. So, when you go to a site that displays a familiar logo, you are likely to believe in its authenticity, even if other signs don’t look quite right.
  • Exposure effect – This bias takes advantage of how familiar we are with certain subjects, people and things. The exposure effect is what causes many people to fall for event-related scams, such as emails asking for donations following a natural disaster. Our exposure to news of the event makes us more likely to believe that the email is legitimate.
  • Choice-supportive bias – If a person has chosen something in the past, they are more likely to have positive feelings about it. A cybercriminal can exploit this bias by offering people online offers or products similar to ones they have selected in the past, but with an unfortunate surprise attached in the form of malware.

In addition to biases, people are also prone to social errors of judgment that social engineers like to take advantage of. One such error is assuming that others are as stable and reliable as we are, because our own picture of reality (or “schema,” as social psychologists call it) reflects our own condition. This kind of false judgment is called a “fundamental attribution error,” and cybercriminals often exploit it to elicit trust. Say, for instance, a down-on-her-luck grandma writes you to say that she has lost all of her retirement savings in the recent market crash and she needs your help. She includes a photo of her family, which looks as wholesome as yours. Don’t you want to believe that she is trustworthy (even though in reality “grandma” is really a cyber scammer)?

Another error of judgment that social psychologists like to talk about is the “salience effect,” or our tendency to base decisions on who stands out the most in a group. Because we are looking for the people that seem the most important or influential, we often overlook people who blend in. This is why social engineers love to conceal themselves by being average or uninteresting. A social engineer who is trying to break into your workplace may pose as a repairman or custodian, and victims often fall for the ploy.

Along with these specific types of errors in judgment, people also seem hardwired to respond to calls for conformity, compliance and obedience, and social engineers can use this knowledge to pressure victims to comply. So, if a scammer calls you saying that he is with your bank and needs to confirm your account number, you may feel obliged to give it to him if he says things such as “I’m just doing my job – don’t make this hard on me.”

While we can’t change how our brain processes emotions and judgments, acknowledging our biases and mental errors can help us catch ourselves and keep us from falling for cyber scams. In fact, we can use the exposure effect (our tendency to like things that are familiar to us) to educate ourselves against these biases and scams. The more we know about how they work, the more we may want to work to thwart them.

You can read more about social engineering and cybercrime in my article “Ask and You Will Receive” in the fall 2008 version of McAfee Security Journal.
