Last week I wrote a blog that introduced the idea of what I call “Deceptioneering.” This is the idea that humans can be deceived rather easily – even after knowing to watch for a deception – because of their brain makeup and early introduction to “little white lies.” You can read Part 1: Humans are Hardwired for Deception here if you missed it.
Once you have a foundational knowledge of Deceptioneering, it is important to look at some practical applications and how they might be used to con you or your users into falling for a social engineering or phishing scheme.
I mentioned last time that I like to illustrate how people’s minds can be manipulated by talking about scenarios we have all experienced or learned about: examples from magic, pickpocketing, and hypnosis. Read on to learn more about these principles, how to identify them and avoid falling for them.
Principle 1: Misdirection and attention
Our brains are programmed to constantly scan and determine what to ‘lock on’ to. Brain scientists call this determination our “spotlight of attention”, and magicians and pickpockets are masters at exploiting vulnerabilities in our attentional spotlight. They will draw your attention to one object or area while doing the ‘dirty work’ at the periphery or completely outside of the attentional spotlight. They frequently use a large visible action to cover for a smaller action.
We think that we are masters of our attention, but it is extremely easy for our attention to be hijacked. Unfortunately, it isn’t just illusionists that know and take advantage of this; criminals and scam artists do as well.
For example, the world is still recovering from the NotPetya misdirection. NotPetya took full advantage of our attentional spotlight, making many believe it was ransomware when it was actually something even more malicious. While people were racing to figure out how to get their data back and avoid paying a ransom, NotPetya was actually a wiper, and it was very likely initiated as a state-sponsored cyber-attack.
Another example of misdirection in the cybersecurity world is when attackers launch a DDoS attack against a financial services company to divert attention from concurrent account takeover attacks. The end user and the bank see the extremely visible effects of the DDoS attack, while the account takeover and fraud activities are obscured for a time.
Principle 2: Influence and rapport
Hypnotists, magicians, and pickpockets, as well as criminals and con-artists, all build rapport and establish influence with a subject in order to hijack their brain. These performers and cons work to ensure that their participants quickly form a level of trust, which allows them to gain compliance as the performer shows them where to stand, what to do, and so on.
Robert Cialdini, Regents' Professor Emeritus of Psychology and Marketing at Arizona State University, wrote Influence: The Psychology of Persuasion, which is most often referred to as the definitive book on how influence works. He believes that the more we identify ourselves with others, the more we are influenced by them.
Cialdini's theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. He also recently added a seventh principle: the unity principle, which is about shared identities; what Seth Godin would refer to as Tribes.
Rather than describing each of the influence factors here, I encourage you to review Cialdini’s work, or one of the many derivative works based on his research.
Needless to say, however, scam artists and phishers around the world leverage many of these tactics as they try to reel in their next victim. The influence tactics are also additive, meaning that a social engineer will employ multiple influence tactics within a single phishing message to make the lure attractive.
For instance, if a phisher creates a message using scarcity/urgency, authority, social proof, and reciprocity all in one phishing email, they bring more firepower to their message than a simple message that uses none or only one of the tactics.
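The additive nature of these tactics is something a defender can turn around: a message that stacks several of Cialdini's cues at once is a stronger phishing signal than any single cue. The following Python example is added here as an illustration and is not part of the original post. It uses a small, constructed cue lexicon (the categories and regular expressions are my own assumptions, not a published list) to count how many distinct influence categories appear in a message and flag it when three or more co-occur; the three sample messages are constructed for the example.

```python
import re

# Constructed cue lexicon (assumption for this example). Each influence
# category maps to a few regular expressions matched against lower-cased
# message text. A real deployment would tune these against its own mail.
CUE_PATTERNS = {
    "urgency_scarcity": [
        r"\bimmediately\b",
        r"\bwithin (\d+|one|two) hours?\b",
        r"\bexpires?\b",
        r"\bfinal notice\b",
        r"\blast chance\b",
    ],
    "authority": [
        r"\b(ceo|cfo|director|it department|help ?desk|security team)\b",
        r"\bon behalf of\b",
    ],
    "social_proof": [
        r"\beveryone (else )?has\b",
        r"\ball (other )?(staff|employees)\b",
        r"\bmost of your colleagues\b",
    ],
    "reciprocity": [
        r"\bas a thank you\b",
        r"\bgift card\b",
        r"\bbonus\b",
    ],
    "commitment_consistency": [
        r"\bas you (agreed|requested|confirmed)\b",
        r"\bas discussed\b",
    ],
}


def find_cues(text):
    """Return {category: [patterns that matched]} for every category hit."""
    lowered = text.lower()
    hits = {}
    for category, patterns in CUE_PATTERNS.items():
        matched = [p for p in patterns if re.search(p, lowered)]
        if matched:
            hits[category] = matched
    return hits


def stacked_influence_score(text, threshold=3):
    """Count distinct influence categories; flag when they stack past threshold.

    Counting categories rather than raw keyword hits mirrors the 'additive'
    point: one urgent word is normal business mail, urgency plus authority
    plus social proof plus a reward in one short message is not.
    """
    hits = find_cues(text)
    return {
        "categories": sorted(hits),
        "count": len(hits),
        "suspicious": len(hits) >= threshold,
    }


# Constructed sample messages (not real mail).
MESSAGE_STACKED = (
    "From the CEO's office: everyone else has already completed the mandatory "
    "benefits enrollment. As a thank you for finishing it within 2 hours you "
    "will receive a $50 gift card. The link expires today, so act immediately."
)
MESSAGE_REMINDER = "Reminder: the parking permit renewal form expires on Friday."
MESSAGE_PLAIN = (
    "Hi team, the notes from Tuesday's planning meeting are in the shared "
    "folder. Let me know if anything is missing."
)

if __name__ == "__main__":
    for label, msg in [("stacked", MESSAGE_STACKED),
                       ("reminder", MESSAGE_REMINDER),
                       ("plain", MESSAGE_PLAIN)]:
        print(label, stacked_influence_score(msg))
```

The stacked message trips four categories (urgency, authority, social proof, reciprocity) and is flagged; the routine reminder trips only urgency and is not, which is the point of scoring categories rather than individual keywords. A lexicon like this is a triage aid for mail filtering or awareness training review, not a substitute for sender verification.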
Principle 3: Framing and context
Framing is of critical importance for performers, politicians, and marketers, as well as social engineers and con-artists. The concept of framing is derived from the social sciences, and is basically the context, world view, or lens through which a person views reality (or a specific situation). Framing can also be a social engineer or attacker’s way to hide in plain sight (costuming, persona development, and playing to the situation).
I like to illustrate framing during presentations in a way that allows me to present a specific effect in multiple ways – depending on how I want to present it. For instance, if I have a sealed envelope that contains a written record of a participant’s upcoming choice, I can play the part of a psychic and reveal that as a prediction or I can play the part of a mentalist or hypnotist by encouraging the participant to think or choose something.
Simply stated – a frame gives us the context to interpret or understand the information we are presented or the situation in which we find ourselves. In fact, there are political, religious, and marketing organizations dedicated to understanding the frames that people have and how to work within or to expand those frames so that people are open to new or different/challenging ideas.
Frames are an extremely powerful force – and they are not always fact-based. When frames and facts collide, the facts are pushed aside, and the frame is embraced tightly. FrameWorks President Susan Bales is known to often say, “When the facts don’t fit the frame, the facts get rejected, not the frame.”
Since everything operates within a frame, scammers, phishers, con-artists, and other unsavory types learn how to play to the frame. They will impersonate respected authority figures – as in Business Email Compromise (BEC) attacks.
Framing also takes place in the way that language is used, the choice of medium for an attack, and more. The Social Engineering Framework at Social-Engineer.org can give you more insight into how framing works within the confines of social engineering.
Conclusion
In the end, we must recognize that it is easy for our minds to be hijacked and for us to be deceived. We can’t combat attacks or savvy attackers if we don’t understand how they can use our brains against us. By knowing that “Deceptioneering” happens, we can give ourselves permission to slow down and think before acting.
Doing so takes us out of situations where we are just acting in a reflexive/automatic manner and allows us to process things a bit more logically. Just stopping to think logically helps us to consider the actions and potential motivations behind what people are saying, the emails that we are receiving, and situations that we are in to see if someone might have just tried to hijack our brain.