What is a social engineering attack?

We all know what a classic cyberattack looks like. It usually involves hackers with high levels of technical expertise and some form of a malicious tool like ransomware or malware. 

However, cybercriminals don’t always use the latest malware and cyberattacks don’t have to be highly technologically advanced. There’s a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself? 

What is social engineering? 

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime. 

What does a social engineering attack look like? 

Now we know what a social engineering attack is, let’s look at how they work in practice. Although there are potentially endless types of social engineering attacks, there are four general categories most fit under. 

1. Phishing 

You’ve almost certainly heard of phishing attacks. They’re by far the most common form of social engineering, but that doesn’t make them less dangerous.

Most phishing attacks seek to do three things:

  • Steal personal information such as names, addresses and banking details
  • Redirect victims to malicious websites that contain phishing landing pages or malware
  • Use threats, fear or a sense of urgency to manipulate the victim into acting quickly 

A lot of phishing attacks are poorly executed and easy to ignore. We’ve all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed.

For example, in May 2021 US fuel supplier Colonial Pipeline was subject to one of the largest ransomware attacks in history, triggering a fuel crisis in the process. It’s believed the attack began with a simple email phishing scam that managed to extract an employee password. 

So, even though they might be limited and often badly done, it’s unwise to underestimate the humble phishing scam. 

2. Piggybacking 

Also known as ‘tailgating’, piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without the proper authentication follows a company employee into a restricted area. 

Here’s an example of how it might work:

  1. The attacker waits outside the company’s office, posing as a delivery driver or plumber.
  2. An employee enters using their keycard or other security accreditation.
  3. The attacker asks the employee to hold the door.
  4. They do, and suddenly the attacker has access to the building.

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business’s systems.

This might sound a bit ‘low-budget spy thriller’ but the danger is very real. And SMEs, who typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of all the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack will create a fabricated, but completely reasonable, scenario to try and steal information from victims. 

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack. 

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants’ staff. 

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else. 

4. Quid pro quo 

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service. 

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data. 

What can you do to protect your business?

Education, education, education 

There’s a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use such as impersonating a supplier, creating a sense of urgency, or offering bogus services. 

As we’ve said before, where many social engineering attacks fail is attention to detail – there’s usually something that isn’t quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.

Create clear cybersecurity policies

If your people don’t know which behaviours are harmful, they can’t correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there’s little point in an important policy document that spends its life languishing in a corner of the shared company drive. 

For more on why cybersecurity policies are so important and how CyberSmart can help, read this

Foster a positive cybersecurity culture 

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. 

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them. 

Check your cybersecurity measures

Alongside training your staff, it’s also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


How does the internet encourage cybercrime?


There’s no disputing that cybercrime is on the rise. According to data from RiskIQ, $2,900,000 is lost to criminals every minute and companies pay out an average of $25 every 60 seconds due to breaches. So it’s hardly surprising cybercrime is set to cost the world $10.5 trillion annually by 2025.

But what is it about the internet that encourages cybercrime? In the second part of our series on cyberpsychology, we delve into how the internet nurtures cybercrime and why we often fall for scams we wouldn’t in the physical world.

Let’s start with the bad guys.

How does the internet enable cybercriminals? 

We’re not always aware of it, but all of us can be guilty of losing our inhibitions online. The internet can encourage us to be more confident and open. However, it can also have toxic side effects.

Some of us are more likely to be manipulative and deceptive online as we are less concerned about our peers’ judgement. When interacting with each other using technology, communication has limited physical features. Often we can’t see or hear the person we’re talking to, offering perfect conditions for misleading messages and false identities.


Online interactions can seem less tangible than our offline lives. And, because the online world feels less ‘real’, harmful behaviour can also feel more acceptable. Without the victim’s physical presence, attackers feel distant and detached from their target and are less afraid of being caught. This makes lying and misleading behaviour much easier. Criminals also feel safer due to the anonymity offered by the internet and the lack of regulation of online behaviour.  

Criminology theory suggests that the three key ingredients for more crime are a motivated attacker, a suitable target and a lack of ways to protect them. Let’s apply this framework to cyberspace. The motivation for cybercriminals is the belief they’re unlikely to be punished for cybercrime. The target can be just about anyone, such is the range of available victims. And, the lack of protection is provided by the way we conduct ourselves online. 

How do cybercriminals use the internet against us?  

There is a wide variety of methods cybercriminals use to ensnare victims. For example, phishing attacks create a sense of urgency and exploit it. It could be by creating a bogus ‘emergency’ in which the cybercriminal poses as a friend in need of help. Or, it could be something less altruistic, like the chance to win prizes.

Criminals can also mislead us by presenting themselves as an authority or trustworthy institution – sometimes even using familiar names and logos. This could trigger us to be less critical when facing a request and respond out of habit, familiarity, or respect for authority. To give an example, during the COVID-19 pandemic we’ve seen a huge increase in bogus vaccination emails. The threat has become so widespread that the NCSC has launched an awareness campaign, encouraging anyone who’s been targeted to use its scam reporting services.

Online communication can often appear hyperpersonal. And this is especially true if we don’t know the person we’re communicating with. Online interactions can make us idealise the person behind the avatar or email address. Without a physical appearance, body language or other non-verbal cues, we struggle to determine someone’s intentions. The result is we often default to our better nature and develop a sense of having a close relationship very quickly. 

This can lead to us disclosing personal details without actually knowing the person we’re communicating with. Cybercriminals know this and are quick to exploit it. 

The situation is made worse by the ready availability of personal information on the internet. Take social media, for example. Through a person’s profile, you can often see friends or connections lists, recent locations, their interests, and any events they’ve been part of. This information is a great resource for attackers in making communication more targeted and personal. 

What can cyberpsychology do to help us improve our cybersecurity? 

Although it might sound like a slightly dusty academic concept, cyberpsychology has plenty of practical uses. For one, it can help us better understand our vulnerabilities online. And knowing that we’re prone to hyperpersonal communication and letting our guard down is the first step towards correcting that behaviour. 

It also helps us understand the methods cybercriminals use to trick us and the behaviours that make us an easy target. This understanding can make us think more critically the next time we’re faced with a potential scam. What’s more, it gives us the tools to avoid falling for scams in the first place and better strategies for protecting ourselves. After all, to defeat your enemies you must first understand them. 

Knowledge of how and why cybercriminals target us is important. However, knowledge alone isn’t enough to protect your business.  You also need an understanding of the fundamentals of good cybersecurity. Fortunately, this isn’t nearly as difficult as it sounds. A great place to start is by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of good cyber hygiene. It doesn’t require any cyber expertise and can help protect your business against 98.5% of the most common cyber threats.


What is cyberpsychology?

Technology has shaped our lives in ways we could never have imagined before. And it’s become especially visible now that many of us have made the shift to working remotely. Technological developments have provided us with many opportunities, from new forms of communication to the ability to access and share resources from anywhere on the planet. 

Sadly, that’s not the whole story.

Technology also provides cybercriminals with endless new methods for exploitation. It’s no longer enough to manage the struggles of our offline lives. There’s also the added pressure of maintaining our digital selves and online behaviour. 

But why do so many of us behave differently online and take risks that we wouldn’t in our everyday lives? It’s exactly these questions that cyberpsychology seeks to answer. 

What is cyberpsychology?

Cyberpsychology is a relatively young branch of psychology. It got its start back in the 1990s, but it really began to gain relevance during the 2000s with the rise of social media. The explosion in online communication made it suddenly very important to understand online behaviours.

Cyberpsychology looks at how we behave in cyberspace, how we interact with and through different devices, as well as how our offline behaviours have been affected by the use of technology and the internet. 

Experts have been warning about the perils of social media for some time. But, for most of us, the recent  Netflix documentary, “The Social Dilemma” has been a wake-up call in understanding how specific sites, apps and design functionality in cyberspace can be used to target our weaknesses. 

Beyond the obvious problems with manipulative design, technology and the internet are also affecting us in a subtler way. With the advent of the internet of things (IoT), our daily lives are carried with us wherever we go. This mobility comes with advantages: constant connectivity and near-endless information at our fingertips. However, it can also lead to us feeling overwhelmed, saturated with information and obligated to constantly ‘keep up’ with whatever is happening in the news cycle or on social media. 

For many of us, cyberspace is not as tangible as physical space. In the ‘real’ world we can clearly identify hazards and avoid them. Online, this becomes trickier. This can lead us to have an imaginary sense of security, despite the countless risks we are exposed to online daily. But, being aware of the psychology behind our actions can help us better manage our digital existence and approach it more mindfully. 

What are the psychological features of technology?

Recordability

One of the key features to watch out for in cyberspace is ‘recordability’. Everything we do online, from the content we share publicly or not so publicly to private conversations and our location, is documented and recorded. Our digital experiences can be analysed, revisited and even re-experienced. This can have many positive effects, but can also backfire and be used against us if it’s accessed by someone with malicious intent. So it’s important to always consider not only what we are sharing, but who might have the access to our digital traces. 

Flexible identity

Another feature of online life is the ability to manage our impressions and identity. The lack of physical characteristics in communication, such as appearance, body language and emotional expressions can be a limitation to understanding each other. But they can also give us the flexibility to tailor our digital selves to different audiences. 

However, it can also be used for misleading, malicious and even criminal behaviour, for example identity fraud or phishing scams. In combination with records of your digital activities, the offender could use available personal information to build a closer and, seemingly, more trustworthy relationship with you. 

The Disinhibition effect

The last key cyberpsychology theory for analysing our behaviour is the disinhibition effect. It explains how the ways we act change in digital environments. In short, we’re less inhibited and composed and more open and confident. So much so, that researchers often compare this effect to being drunk. 

This might sound like a good thing: a society-wide ‘coming out of our shells’. However, it has a darker side. Many of us have poorer judgement online and are more prone to making bad decisions.

For example, we are more open to sharing our whereabouts or discussing intimate and private details. This can be influenced by the idea of ourselves as invisible and anonymous, and by a belief that offline interactions are ‘real’ while online ones are ‘not real or less real’. And this can often lead to us behaving more irresponsibly online and failing to consider the consequences of our actions. 

Why is cyberpsychology important?

It’s clear that the internet and technology have given us greater freedom, convenience, and connectivity. But, at the same time, it’s important to be cautious of its possible negative effects. By better understanding our psychological weaknesses as humans interacting with technology we can become more aware, responsible and secure online. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
