If you’re planning to take the SY0-501 version or the SY0-601 version of the Security+ exam, you should understand common types of attacks. This includes different social engineering techniques. Social engineers typically use one or more psychology-based principles to increase the effectiveness of their attacks.
For example, can you answer this question?
Q. Lisa received an email advertising the newest version of a popular smartphone. She’s been looking for this smartphone, but can’t find it anywhere else. This email includes a malicious link. Which of the following principles is the email sender employing?
A. Authority
B. Intimidation
C. Scarcity
D. Trust
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

In addition to teaching users about the different social engineering tactics, it’s also useful to teach them about these underlying principles.
Authority
Many people have grown up to respect authority and are more likely to comply when a person of authority says to do so. As an example, volunteers participating in the Milgram experiment continued to send shocks to unseen subjects even though they could hear them scream in pain, simply because a man in a lab coat told them to continue. They weren’t actually sending shocks and the screams were fake, but everything seemed real to the volunteers. Psychologists have repeated these experiments and have seen similar results. Using authority is most effective with impersonation, whaling, and vishing attacks:
- Impersonation. Some social engineers impersonate others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft. The Police Virus (a form of ransomware) attempts to impersonate a law enforcement agency. Other times, social engineers attempt to impersonate a person of authority, such as an executive within a company, or a technician.
- Whaling. Executives tend to respect legal authorities. As an example, many executives were tricked into opening infected PDF files that looked like official subpoenas.
- Vishing. Some attackers use the phone to impersonate authority figures.
Intimidation
In some cases, the attacker attempts to intimidate the victim into taking action. Intimidation might be through bullying tactics, and it is often combined with impersonating someone else. Using intimidation is most effective with impersonation and vishing attacks.
For example, a social engineer might call an executive’s receptionist with this request: “Mr. Simpson is about to give a huge presentation to potential customers, but his files are corrupt. He told me to call you and get you to send the files to me immediately so that I can get him set up for his talk.” If the receptionist declines, the social engineer can use intimidation tactics by saying something like: “Look, if you want to be responsible for this million-dollar sale falling through, that’s fine. I’ll tell him you don’t want to help.”
Note that this tactic can use multiple principles at the same time. In this example, the attacker is combining intimidation with urgency. The receptionist doesn’t have much time to respond.
Consensus
People are often more willing to like something that other people like. Some attackers take advantage of this by creating web sites with fake testimonials that promote a product. For example, criminals have set up some web sites with dozens of testimonials listing all the benefits of their fake antivirus software. If users search the Internet before downloading the fake antivirus software, they will come across these web sites, and might believe that other real people are vouching for the product.
Using consensus, sometimes called social proof, is most effective with Trojans and hoaxes. Victims are more likely to install a Trojan if everyone seems to indicate it’s safe. Similarly, if a person suspects a virus notice is just a hoax, but everyone seems to be saying it’s real, the victim is more likely to be tricked.
Scarcity
People are often encouraged to take action when they think there is a limited quantity. As an example of scarcity, think of Apple iPhones. When Apple first releases a new version, they typically sell out quickly. A phishing email can take advantage of this and encourage users to click a link for exclusive access to a new product. If the users click, they’ll end up at a malicious web site. Scarcity is often effective with phishing and Trojan attacks. People make quick decisions without thinking them through.
Urgency
Some attacks use urgency as a technique to encourage people to take action now. As an example, ransomware often applies the urgency principle with a countdown timer. The ransom note gives victims a deadline, such as 72 hours, to pay up before they lose all their data. Each time they look at their computer, they’ll see the timer counting down.
Using urgency is most effective with ransomware, phishing, vishing, whaling, and hoaxes. For example, phishing emails with malicious links might indicate that there are a limited number of products at a certain price, so the user should “Click Now.” Executives might be tricked into thinking a subpoena requires immediate action. Many virus hoaxes have a deadline such as at 4:00 p.m. when the hoax claims the virus will cause the damage.
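The five principles above are easier to teach when users can see them tagged in real lures, and a phishing-simulation program needs the same tagging to report which principles its templates exercise. The following is an added example, not code from the original post or from the Security+ study guide: a small Python cue matcher that labels a message with every principle it finds, so combinations such as the intimidation-plus-urgency call to the receptionist show up as two labels rather than one. The cue phrases and the sample messages are constructed assumptions modelled on the scenarios in this post; they are illustrative, will miss lures worded differently, and are not a vetted detector.

```python
import re

# Constructed cue lists for the five principles covered above. These are
# illustrative assumptions for labelling phishing-simulation templates, not a
# vetted detector: they match phrasing, not intent, and miss other wordings.
PRINCIPLE_CUES = {
    "authority": r"(?<!\w)(ceo|executive|irs|subpoena|court order|police|"
                 r"law enforcement|microsoft support|help desk|director)(?!\w)",
    "intimidation": r"(?<!\w)(responsible for|your fault|will be reported|"
                    r"disciplinary|legal action|suspended)(?!\w)",
    "consensus": r"(?<!\w)(everyone is|thousands of users|customers say|"
                 r"testimonials|trusted by|others have already)(?!\w)",
    "scarcity": r"(?<!\w)(limited (stock|supply|quantity|time offer)|only \d+ left|"
                r"exclusive|sold out|can't find it anywhere|while supplies last)(?!\w)",
    "urgency": r"(?<!\w)(immediate(ly)?|right now|act now|click now|"
               r"within \d+ hours?|(before|at|by) \d{1,2}(:\d{2})?\s?[ap]\.?m\.?|"
               r"deadline|expires?|countdown)(?!\w)",
}


def classify_principles(text):
    """Return {principle: [matched phrases]} for every principle with a cue in text.

    A message can (and often does) trigger more than one principle; the caller
    sees all of them rather than a single best guess.
    """
    lowered = text.lower().replace("\u2019", "'")  # normalise curly apostrophes
    hits = {}
    for principle, pattern in PRINCIPLE_CUES.items():
        phrases = sorted({m.group(0) for m in re.finditer(pattern, lowered)})
        if phrases:
            hits[principle] = phrases
    return hits


def principles_for(text):
    """Just the principle names, sorted, for compact reporting."""
    return sorted(classify_principles(text))


# Constructed sample lures modelled on the scenarios in this post (not real messages).
SAMPLES = {
    "lisa_phone": ("The newest SmartPhone Pro is here. You can't find it anywhere else, "
                   "so follow the link for exclusive access: http://shop.example.invalid/offer"),
    "receptionist": ("Mr. Simpson is about to present to customers and his files are corrupt. "
                     "Send them to me immediately. If you want to be responsible for this "
                     "million-dollar sale falling through, that's fine."),
    "ransom_note": ("Your files have been encrypted. Pay within 72 hours or lose your data. "
                    "The countdown has started."),
    "subpoena": ("You are hereby served. This subpoena requires your immediate attention; "
                 "open the attached PDF."),
    "virus_hoax": ("Warning: a new virus will wipe your drive at 4:00 p.m. today. "
                   "Everyone is forwarding this, so send it to all your contacts."),
    "benign": "Reminder: the quarterly all-hands is on Thursday; agenda attached.",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12s} -> {classify_principles(text) or 'no principle cues'}")
```

Run as a script it prints one line per sample; note that the subpoena lure is tagged with both authority and urgency, and the receptionist call with both intimidation and urgency, which is the point made above about attackers stacking principles. In a real awareness program the cue lists would be tuned against your own lure templates rather than the handful of phrases here.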
Q. Lisa received an email advertising the newest version of a popular smartphone. She’s been looking for this smartphone, but can’t find it anywhere else. This email includes a malicious link. Which of the following principles is the email sender employing?
A. Authority
B. Intimidation
C. Scarcity
D. Trust
Answer is C. The attacker is using scarcity to entice the user to click the link. A user might realize that clicking on links from unknown sources is risky, but the temptation of getting the new smartphone might cause the user to ignore the risk.
There isn’t any indication that the email is from any specific authority.
It isn’t trying to intimidate the recipient and there isn’t any indication it is trying to build trust.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on threats, vulnerabilities, and common attacks.