Part of your Data Privacy and Information Security plans should be the education of your teams on the subject of social engineering. Social engineering is a means of exploiting the human factor in your office to obtain information without the use of computers.
Six Principles of Influence
Back in the 80s, Dr Robert Cialdini detailed six principles of influence in humans. These same principles are the ones exploited in social engineering today. They are:
- Reciprocity – a give and take – I’ve given you something, now you feel obligated to give me something in return.
- Commitment and Consistency – if you’ve agreed to give me information, you’ll honour the fact that you have agreed, even if it’s to your detriment to provide it.
- Social Proof – if other people you trust are doing something, you should too.
- Liking – you are more likely to give me something if you like me.
- Authority – you are more likely to give me information if I’m seen as an authority.
- Scarcity – people in general are drawn to things that are seen to be exclusive or “running out of time” to get.
These principles were centred around sales and marketing, and I’m sure you, like me, can recognise that you’ve fallen prey to one or more of these before when making a purchase!
In hacking terms, the above methods are used (individually or together) to get a person to divulge information they should otherwise not be giving. This is done either by a hacker posing as someone else (for example an employee in social proof, an auditor in authority, or a pressured manager in scarcity) or by sending fake emails in phishing scams, which also exploit the authority principle by posing as a bank or similar institution.
Techniques Employed by Hackers
There are various techniques used by hackers to put these principles into practice; some of the most common are listed below.
Vishing, also known as voice solicitation or voice phishing, is when a hacker either calls in to a company and pretends to be someone else, or sets up a telephone system to sound like another institution such as a bank (complete with interactive voice responses and fake logins). Both methods ultimately lead you into a trap of divulging information, such as volunteering login details or entering a card number and PIN code into the system.
These are your good old faithful emails pretending to be from your bank, asking you to go to a fake login page (that looks legitimate) to enter your credit card or bank account details along with your passwords. These systems are designed to fail every login, so that you’re forced to re-enter your PIN code or password numerous times, just to be sure they’ve captured it correctly!
This is a more physical “con”, in that the perpetrator physically comes to the premises and pretends to be someone else in order to gain access to a building, restricted area, or information repository. There’s an old adage that if you want to be allowed into any area of any building, simply walk around with a reflective vest and a clipboard. This plays on the authority principle, tricking people into thinking an official audit or inspection is taking place.
The above principles and techniques are but a few of the methods employed to gain access to data. It’s vitally important that, as an organisation, you train your teams from top to bottom on the dangers of social engineering. From reception to ExCo, teams need to be cognizant of the fact that data leaks can and do happen outside of an IT or technical space.
Through numerous programmes and partnerships, Ross G Saunders Consulting offers ongoing training of team leaders and staff in data privacy and information security. Contact us for a meeting to see how we and our partners can help you achieve compliance and peace of mind.