Dishonest, Evil, and Extremely Effective: Why Social Engineering is a Big Problem for Businesses

Imagine you’re about to enter an apartment building with a secure entrance when you hear someone call out:

“Hey! Can you get that for me?”

You turn around and see a woman holding what looks like thirty grocery bags. She smiles apologetically. She doesn’t look like a serial killer. She looks like a nice woman who could use some help.

“Sure!” you say. After all, you’ve got a heart.

Now, usually, this sort of thing is harmless. In fact, our innate kindness as human beings – our tendency to help each other out – is the glue that holds society together. If we all rigidly followed rules – like not holding open the door to a secure entrance – the world would be a much colder, bleaker, and meaner place. And yet…

When it comes to cybersecurity, the “better angels” of our nature can be our undoing. It’s our tendency to trust – to be polite, kind, helpful, etc. – which makes us so vulnerable to a particularly pernicious type of cyberattack known as “social engineering.”

In this blog post, we’re going to discuss what social engineering is, why it’s so effective, and what businesses can do to protect themselves from social engineering scams. This is info that could literally save your livelihood.

Social Engineering Defined

First, let’s define social engineering:

Social engineering is a strategy used by threat actors (hackers with bad intentions) in a wide variety of cyberattacks. It involves tricking people into giving up confidential information (e.g., passwords) or doing something they shouldn’t. Social engineering is a way to breach security without hacking computers directly; instead of technical tricks, it uses things like charm, deception, intimidation, and persuasion.

In short, social engineering is when humans hack humans to breach IT systems, instead of hacking computers directly.

What makes social engineering so devastatingly effective isn’t one thing; it’s three:

Social Engineering Exploits Human Nature…

A social engineering scam manipulates people using their own psychology. Just watch this 6-minute video released by Conflict International to see how clever an experienced hacker is when it comes to using our emotions against us (in this case, the hacker – an ethical hacker who uses her skills to educate rather than harm – elicits sympathy and, in turn, cooperation).

The fact that social engineering exploits our very nature makes it powerful because we can’t just change our nature – if we could, it wouldn’t be our nature! Unlike an unlocked door, which can be remedied with a lock, the vulnerability that social engineering takes advantage of isn’t something we can simply ‘fix’ – not without rewiring our brains at least!

Social Engineering Bypasses Many/Most Technical Barriers…

Because social engineering targets human beings instead of IT systems directly, it can easily bypass most cybersecurity tools as those tools are only as strong as the people in charge of them. The late great Kevin Mitnick – the man who will appear at the top of your search results if you google “world’s most famous hacker” – said this about social engineering:

“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”

Frank Abagnale, whom Leonardo DiCaprio portrayed in Catch Me If You Can, had a similar insight about social engineering:

“There is no technology today that cannot be defeated by social engineering.”

We’ll circle back to this idea that social engineering can defeat any security tool, but for now, just note that social engineering derives much of its effectiveness from the fact that it’s a way around technical barriers. Think of it this way: no matter how strong the lock on an apartment entrance is, it’s irrelevant if someone simply holds the door for a malicious intruder.

Social Engineering Defies Our Expectations

Picture a hacker. Quick. Or for a more fun experiment, go tell an AI image-generating platform to do so (here’s what Midjourney came up with).

Chances are, you (or the AI) imagined someone hunched over a keyboard in a dim and dank basement.

The fact is, societal depictions of cybercriminals have led us to associate hacking with socially ill-adjusted figures who move in the shadows and know more about computers than they do human beings.

Like many stereotypes, this isn’t just inaccurate; it’s dangerous. Because the fact of the matter is that hackers are often highly socially skilled – just like the ethical hacker in the video linked above – and it’s a big part of what makes them successful.

So while we’re expecting to get hacked by someone we’ll never see or interact with, oftentimes the bad actor who makes your life a living h*ll will do so to your face, or over the phone – and with a smile.

In short, the third reason social engineering is so darned effective is that it’s not what people are looking out for.

Some Stats

In a moment, we’ll discuss what individuals and organizations can do to avoid falling for social engineering scams. But first, let’s take a look at some numbers. If you’re not convinced social engineering is a HUGE problem by now, perhaps some good old-fashioned statistics will wake you up…