How social engineering takes advantage of your kindness

Last week, MGM Resorts disclosed a massive systems issue that reportedly rendered slot machines, room keys and other critical devices inoperable. What elaborate methods were required to crack a nearly $34 billion casino and hotel empire? According to the hackers themselves (and seemingly confirmed by a source speaking with Bloomberg), all it took was a 10-minute phone call.

By all appearances, the alleged hackers behind the MGM issue, gained access through one of the most ubiquitous and low-tech vectors: a social engineering attack. Social engineering psychologically manipulates a target into doing what the attacker wants, or giving up information that they shouldn’t — in this case, apparently, by pulling a fast one on an unsuspecting IT help desk worker. The consequences range from taking down global corporations to devastating the personal finances of unfortunate individual victims. But what makes social engineering attacks so effective, and why are they so hard to prevent?

It seems counterintuitive to hand over sensitive information to a complete stranger, but attackers have developed ways to trick you into feeling comfortable doing just that. Those could include building trust over time, gathering information about you to seem like they know you or using a sense of urgency to get you to act quickly without thinking through what you’re giving up. That’s why common personality traits among cyber victims include being extroverted, agreeable and open to new experiences, according to Erik Huffman, a researcher who studies the psychology behind cybersecurity trends.

“Fear is an attack vector. Helpfulness is an attack vector,” Huffman said. “The more comfortable you are, the more hackable you become.”

Plus, digital environments have fewer social cues versus being face to face, so a potential victim is not as good at sensing potentially suspicious signs, Huffman said. We read messages in our own voice, projecting our own good will onto them, which normally doesn’t happen in person. There’s less information like social cues or body language to guide us or give us a gut feeling that something’s off.

A social engineering attack could be as simple as a faux-urgent phone call from a scammer to get your credit card information for low level theft. But there are increasingly complicated “Rube Goldberg attacks” that layer multiple approaches to fool you, according to Sophos X-Ops principal researcher Andrew Brandt. In an example of such an attack, Brandt observed scammers first operating over the phone to get a target to click an email also sent by the scammer. Once clicked, the email would activate an attack chain that included malware and remote access software.

More likely, you’ll encounter it on a much simpler level. You might get a text from someone pretending to be your boss asking for gift cards or be tricked into clicking a malicious link that phishes your credentials. But one way or another you’ll probably run into it eventually, as an estimated 98 percent of cyberattacks rely to some extent on social engineering tactics, according to research from Splunk.

There are some other warning signs people can look out for. Having to download an unusually big file, a password protected zip file that can’t be scanned for malware or a suspicious shortcut file are all signs of a potential attack, according to Brandt. But a lot of it’s a gut feeling — and taking time to step back before proceeding to consider what could go wrong.

“It is a practice that takes repetition and rehearsal over and over again to reflexively distrust what people say to you who you don’t know,” Brandt said.

Huffman said people can try to avoid falling victim by acknowledging the limitations of a digital environment, and asking questions like: Does it make sense for this person to reach out to me? Does this person behave in a trustworthy manner? Does this person have the authority or position of power to give these directions? Does this person truly understand the topic we’re discussing?

Social engineering attacks happen constantly, to huge corporations as well as everyday people. Knowing that our good-natured traits can be our greatest weakness when faced with this variety of bad actors, it can be tempting to stop being nice altogether for safety's sake. The key is balancing our social instincts with healthy skepticism. “You can be helpful," said Huffman, "but be cautious.”