The internet has no shortage of reminders that people are the weakest link in cybersecurity. Articles about this human weakness are abundant online, with new ones published year after year. Government agencies, cybersecurity organizations, and security firms also regularly publish advisories and guidelines on how to address attacks on human vulnerabilities, social engineering in particular.
Threat actors are well aware that it is easier to trick people than to defeat automated defenses. That is why the social engineering problem deserves attention. Unfortunately, it remains a serious threat that individuals and organizations have to contend with, and it keeps finding new victims despite all the precautions and the wide availability of tools designed to address it.
Tenacious threat capitalizing on persuasion
Social engineering predates digital and internet technologies. It is often described in terms of Cialdini's seven principles of persuasion: reciprocity, commitment and consistency, social proof, authority, liking, scarcity, and unity. Swindlers relied on these levers long before the internet, and they appear to be just as effective in the digital era.
Reciprocity is the sense of obligation people feel after receiving something. Attackers exploit it with enticing offers in ads, banners, social media posts, or message boards: a free download, a gift, or content that affirms the target's beliefs and inclinations, after which the target is asked for something in return, such as a sign-up with personal details.
The principle of commitment and consistency is largely about habit. People tend not to question what they have been doing for a long time, like entering their login credentials on their banking website. That is why spoofed sites work: the interface looks familiar, so the habit of typing in credentials takes over before any doubt arises.
Social proof is often equated with the bandwagon effect, wherein people do something because they believe everybody else is doing it. For example, many smartphone users carelessly install an app because an ad claiming millions of downloads convinced them it must be useful.
Authority, on the other hand, leverages the convincing power of figures such as police officers, successful businesspeople, or religious leaders. Threat actors fabricate quotes or data attributed to such figures, a common tactic in spreading misinformation and shaping public opinion. In the workplace the same lever takes the form of an email that impersonates an executive or the IT help desk.
Liking works because people are more easily persuaded by those they like or wish to be associated with, which also implies a desire for prestige. Attackers build rapport, pose as a friendly contact, or promise membership in an exclusive clique, and many are quick to click a banner, ad, or link on that basis.
Similarly, scarcity elicits an urgent response. People click on ads or banners advertising a limited offer or a shrinking queue for a promotion. Skepticism tends to evaporate when something demands an immediate answer, which is why phishing messages so often warn that an account will be suspended within hours.
Lastly, unity draws on shared identity: people comply with someone they regard as one of their own group. They act because they identify with what they are being shown, like people installing crypto-related apps after an intriguing ad about Bitcoin aimed at fellow enthusiasts.
Why social engineering persists
Cybercriminals have continued to use social engineering for decades because it still works. It bypasses technical defenses and lets threat actors reach their goals, and the reason is simply that people remain vulnerable to deception and to the principles of persuasion outlined above.
The failure of cybersecurity education
Ideally, social engineering should be an easy-to-defeat attack, since it is limited to just one target: people. People can be made resistant to it through adequate cybersecurity education. If people know how to recognize an attack, they can make better decisions and avoid becoming victims of deception. In practice, this is a pipe dream. It is not easy to make people cybersecurity-conscious, let alone skilled at identifying social engineering attacks and responding to them.
Organizations can provide all the cybersecurity training they can afford, but there is no assurance that it will stop even most social engineering attacks. The reason is that humans are imperfect. It would be unwise to expect people to remember everything they are taught and to behave objectively and rationally at all times. It is also hard to instill skepticism in everyone, since it is largely a disposition rather than a skill. It can be taught, but habits and instincts tend to override it eventually.
As the United States Cybersecurity and Infrastructure Security Agency (CISA) lays out in a blog post, almost all of the measures that prevent a social engineering attack rest on an individual's decision. Staying skeptical, developing the habit of double-checking URLs, being cautious about sending or sharing sensitive information, and routinely verifying requests are all driven by individual choices. No system can force people to do all of these. Reminders can be raised every so often, but everything comes down to what a person decides to do in the moment.
Given that social engineering remains a viable attack vector for cybercriminals, it is clear that education and training alone still have a long way to go before they put an end to it.
Human influence on social engineering solutions
Another reason the problem of social engineering persists is the discretion people retain over security controls. Most cybersecurity platforms now include social engineering defenses such as anti-phishing tools that tag suspicious emails or block access to web pages suspected of being used in phishing. Yet people are usually still given the final say on how to respond: a warning banner can be clicked past, and a blocked page can be reached by pasting the link into another browser or requesting an exception.
Multi-factor authentication (MFA), on the other hand, is an effective control against credential phishing, but not everyone implements it. Only around 62 percent of companies use MFA, and some users disable it because they find it inconvenient. Not all MFA is equal, either: one-time codes and push approvals can be relayed through a phishing proxy or worn down by repeated prompts, whereas phishing-resistant methods such as FIDO2 security keys bind the login to the genuine site and cannot be replayed elsewhere.
To address social engineering more effectively, it helps to reduce human intervention in security controls and make those controls as automatic as possible: quarantine a message that fails sender authentication or carries a lookalike link instead of merely tagging it, and enforce MFA through policy rather than leaving it as a user option. Machine learning classifiers can extend this to phishing, vishing, and other social engineering attacks by deciding the response before the message reaches the user.
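As an added example of what "taking the decision away from the user" looks like in practice (this is illustrative code written for this page, not a tool from the original article or from any vendor), the following Python script performs the checks a recipient is usually told to do by hand when "double-checking a URL": it compares the domain the reader sees against the domain the link really points to, and compares both against a list of protected brands while undoing the digit-for-letter, accented-character, and brand-as-subdomain tricks used in lookalike domains. The brand list, the scoring weights, the threshold, and the sample links are all constructed assumptions for the demo; a real gateway would load the brand list from configuration and use the Public Suffix List instead of the naive two-label domain split.

```python
"""Heuristic scorer for hyperlinks in an inbound email (added example).

Instead of tagging a message and leaving the recipient to decide, the
gateway scores each link and quarantines anything over a threshold.
"""
import unicodedata
from urllib.parse import urlparse

# Hypothetical brands the organization wants to protect (assumption).
PROTECTED_DOMAINS = {"example-bank.com", "example.com"}

# Homoglyph substitutions seen in lookalike registrations: letter pairs that
# render like a single letter, and digits that stand in for letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"), ("i", "l")]

# Constructed sample links as (visible anchor text, real href). The punycode
# lookalike is built at runtime so the encoding is always valid.
PUNYCODE_LOOKALIKE = "https://" + "exámple.com".encode("idna").decode("ascii") + "/"
SAMPLE_LINKS = [
    ("https://example-bank.com/login", "https://example-bank.com/login"),          # benign
    ("https://example-bank.com/login", "https://examp1e-bank.com/login"),          # digit for letter
    ("Verify your account", "http://example-bank.com.secure-update.net/verify"),   # brand as subdomain
    ("https://example.com", PUNYCODE_LOOKALIKE),                                   # accented lookalike
    ("Read the newsletter", "https://news.example.com/2024/03"),                   # benign subdomain
]


def host_of(url: str) -> str:
    """Lowercase hostname of a URL with punycode labels decoded; '' if none."""
    host = (urlparse(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Real code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII shape a human perceives: strip accents,
    then map common homoglyphs onto the letters they imitate."""
    plain = "".join(ch for ch in unicodedata.normalize("NFKD", domain)
                    if not unicodedata.combining(ch))
    for glyph, letter in CONFUSABLES:
        plain = plain.replace(glyph, letter)
    return plain


def score_link(text: str, href: str) -> tuple[int, list[str]]:
    """Score one hyperlink; higher is more suspicious. Returns (score, reasons)."""
    score, reasons = 0, []
    target = host_of(href)
    target_reg = registrable_domain(target)
    shown = host_of(text)

    # The URL the reader sees points somewhere other than the real href.
    if shown and registrable_domain(shown) != target_reg:
        score += 3
        reasons.append(f"displays {shown} but links to {target}")

    for brand in sorted(PROTECTED_DOMAINS):
        if target_reg == brand:
            continue
        # Lookalike of a protected brand after undoing homoglyph tricks.
        if skeleton(target_reg) == skeleton(brand):
            score += 4
            reasons.append(f"{target} imitates {brand}")
        # Brand name used as a subdomain of an unrelated registrable domain.
        elif target.startswith(brand + "."):
            score += 3
            reasons.append(f"{brand} used as subdomain of {target_reg}")

    if urlparse(href).scheme == "http":
        score += 1
        reasons.append("unencrypted http link")
    return score, reasons


def classify_links(links, threshold: int = 3) -> list[dict]:
    """Verdict per link: scores at or above threshold are quarantined, not tagged."""
    results = []
    for text, href in links:
        score, reasons = score_link(text, href)
        results.append({"href": href, "score": score, "reasons": reasons,
                        "action": "quarantine" if score >= threshold else "deliver"})
    return results


if __name__ == "__main__":
    for r in classify_links(SAMPLE_LINKS):
        print(f"{r['action']:10} score={r['score']} {r['href']}")
        for reason in r["reasons"]:
            print("           -", reason)
```

Running the script delivers the two benign links and quarantines the three lookalikes. The point is not the particular heuristics, which a determined attacker can study and evade, but that the verdict is rendered before the message reaches an inbox, so the reader's habits and haste never get a vote.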
Lack of coordination and systematized defense
In many cases, social engineering is viewed as an attack on individuals, so the solutions tend to focus on individuals: organizations deploy tools that help each person make the right decision when they encounter a possible social engineering attempt. That should not be the whole strategy, though.
Aside from adequate cybersecurity training and security controls, it is vital to coordinate actions and promote collaboration in handling social engineering. Duties and access should also be segregated, and networks segmented, so that a single deceived user cannot, for example, both approve and execute a payment, and so that isolation, mitigation, and remediation are straightforward if an attack succeeds.
Organizations should have robust systems for monitoring potential social engineering attacks, so that information is shared quickly (when one employee reports a phishing email, identical messages can be pulled from colleagues' inboxes before they are opened) and responses are overseen efficiently. Dealing with the problem one person at a time has limited impact. Working as a team denies perpetrators the disparity and lack of coordination they rely on.
Unrelenting, but not unbeatable
Social engineering is a difficult challenge for modern organizations. It has human weaknesses in its favor and is now being augmented by AI, as when deepfakes are used to make phishing and vishing more convincing. It is not unbeatable, however. Social engineering can be fended off, especially by bringing together cybersecurity training, capable technical controls, and coordination between the organization's defenses and the protective mechanisms available to individuals.