The pitfalls of trust: all you need to know about social engineering – Raconteur

The natural inclination to trust is a fundamental part of life and business. You would not be able to form business relationships, secure investment, serve customers and keep staff without it. But there are increasing instances where our human instinct to trust something can lead to us being taken advantage of, and social engineering is a prime example of this.

Richard De Vere is the founder of The Antisocial Engineer and head of social engineering for business solution company Ultima. He has spent his career highlighting the many ways that trusting strangers can make a business vulnerable to threats both physically and online.

"Social engineering is a professional name for scams and crime where there is an element of human manipulation," De Vere explains.

In cases where social engineering is used, fraudsters turn our most human instincts against us to access information, physical spaces or systems for financial gain. To do this, they might present themselves as a trusted - or trustworthy - individual and source of information.

De Vere illustrates this with a standard example from outside the business world. A parent gets a text message from a phone number they don't recognise. The text reads: "Mum/Dad, I've just been mugged so I'm borrowing my friend's phone. Could you send some money to their online bank so I can get home?"

"That particular scam works on people's desire to care for their offspring," says De Vere. "It's very human." And, he says, it is an impulse which all of us have to use social cues and our understanding of people to influence others' behaviour.

In a business setting, a social engineer could be the slick salesperson who has learned to talk with a smile and turns up to meetings in an expensive suit with a polished pitch deck of slides. A lot of people probably don't know this form of manipulation is called social engineering, they're just sick of sending out emails which don't get through to people and they've started to think about the psychology behind it.

This situation can be classed as social engineering, rather than simply good sales technique, if the person is explicitly looking to trick you for their own nefarious purposes and to line their own pockets.

The rise in levels of cybercrime is well documented and no business can afford to ignore the severe threats posed by hackers. But social engineering can be just as effective in person as it can online, and it takes much more than a bouncer to stop it.

To illustrate this, De Vere describes the occasion when he used a bunch of flowers to get past the receptionists of a large office complex and gain unaccompanied access to the boardroom to plant a bug.

In the scam, De Vere arrived at reception with a large bouquet from an expensive local florist and told the women behind the desk that he was there to deliver them to an employee who he secretly knew wasn't working that day. "Flowers will only get you so far, though," he says, and the secret to success was in his manner. "First of all - I was careful not to be scary! I'm quite a big chap, so I could come across as intimidating. So I was very apologetic, embarrassed, flustered."

"And that was it," he says. In his embarrassment he suggests the women keep the flowers and excuses himself, ostensibly to call the intended recipient to let her know what has happened. This provides exactly the right amount of time to slip into the conference room and plant the bug.

"It's exploiting human nature. You have two receptionists who would love a bunch of flowers, then you have me acting like Hugh Grant - 'Oh God, I'm such an idiot!' - and it all falls into place."

This is how social engineers work: they study how people interact and use that to build personas which seem trustworthy. "You've got to look at how humans define trust on the fly. We do this through what we wear, how we speak, and through accents and mannerisms. By understanding how genuine people build trust, you can then learn to dress and speak appropriately. You can start to orchestrate trust."

So, how can businesses protect themselves from attacks such as these? Is it as simple as encouraging a "don't trust anyone" attitude among staff? "Absolutely not," says De Vere. "We trust people because we need to survive," he explains. "If we question everything, we never get anything done." And it could have the counterintuitive outcome of filtering into relationships between colleagues, leadership and clients. Trust is crucial for successful businesses, but there are things you can do to make organisations less vulnerable to fraudsters.

1

"For too long, we've said that people are the weakest link in the chain," says De Vere. The best way to scam-proof your organisation is to challenge this assumption. Empower staff to recognise and safeguard against attacks by training them and educating them to spot the risks. "How many people do you think get training on psychological manipulation when they start working in a bank? Not many!"

2

Social engineering is no longer a niche area of the business. It very much should be in the forefront. You should be discussing it with your security teams. Much like cybersecurity, organisations who wish to protect themselves need to take threats like this seriously and factor them into risk management systems and business continuity plans.

3

"The truth is," says De Vere, "we're all very much human. And I don't think that gets factored into any stage of the business until it becomes a problem and there's a reason to start to make processes." Designing your business around people means understanding that anyone can be scammed and that human behaviour is, to a certain extent, predictable. Mitigate for this by establishing set processes to combat risk, rather than simply holding people accountable once something has gone wrong. In the case of the receptionists and the flowers, had the business had a strict policy in place stating that visitors don't pass a certain point unaccompanied, it would have been far harder for De Vere to make it into the conference room.

Finally, says De Vere, there is one way to recognise that normal levels of human interaction might be tipping into the sphere of social engineering. "Social engineering makes you feel stuff that isn't real," he explains. Potential victims should keep a keen eye out for when a radical change of emotion happens quickly. "It's about spotting the triggers that this person is making me upset or elated all of a sudden. But why? From an emotional perspective it's about being aware of the feeling of being strung along."

By training everyone in your organisation to recognise this feeling, making security a top priority and establishing processes which assume natural levels of human fallibility, you can keep trust for the people who deserve it. And keep your business safer from those who do not.
