Social Engineering and how you are exploited by people
- Adam Longmire

- Apr 25, 2025
- 6 min read
Introduction
The weakest link in any part of cybersecurity is usually people. Emotions make it easy to get a person to do something they would otherwise not do, using various tactics of manipulation. These are the tactics most often used to scam, compromise and mine for information through conversation, and they range from fairly simple, by-the-book tricks to quite sophisticated operations.
Gaslighting - Making the target doubt their own memory or judgement. It is particularly effective against people who are not sure of what they saw or did, and a typical instance is the claim that your computer has a virus when in fact it does not.
Example: Your computer has a virus and has been sending us your IP address information; you need to log in to your computer and let us scan your machine.
Authority - Pretending to be an authority figure is a fairly basic tactic, but it works. In a well-known series of psychological studies (Milgram's obedience experiments), participants were told by an experimenter to keep administering what they believed were electric shocks to a person in another room, even when it appeared that person might be in serious medical distress, and most of them complied. This shows that people will often follow the orders of someone they believe to be an authority. Scammers love this tactic; it ranges from spoofing the caller ID of a real organisation to simply claiming to be one, such as a bank, credit provider or government agency.
Example: This is [Bank Name]; your account is overdrawn and will be closed soon. Press 1 to be transferred to the appropriate representative.
Fear - Closely related to authority: the attacker presents themselves as an authority or as a threat to the target's wellbeing, for example by threatening to cut off their payments or benefits, or even going as far as exploiting a person's medical condition. Fear is commonly used in interrogation settings and is often incredibly effective, but when the person applying it is a scammer, staying firm and ignoring their attempts to "bullshit you" is key.
Example A: Your phone number will be cancelled soon; call back this number immediately so it is not disconnected.
Example B: Your phone has been used for roaming and has accumulated a bill of $5000; press 1 to call back.
Coercion - Can take many different forms, from flattery to a combination of fear and flattery, as well as politeness. The attacker may appear helpful at first, with the stated goal of assisting you, but when they cannot get you to budge they may immediately switch to a hostile and aggressive stance, trying to force you into buying gift cards, clicking a link or some other action that either compromises you or extracts money.
Example: Oh, you remind me of my mother; she was so sweet and I was always willing to help her to make sure she never did anything that would hurt her. You trust me too, don't you?
Guilt and Kindness - You would be surprised just how easy it is to get people to contribute to a "good cause". The reality is that not everyone is kind, and just like other emotions, people's need to feel that they are doing something good can be weaponised against them, sometimes through fake GoFundMe pages or fake charities asking for money. People can be very trusting, and this is often their undoing with scammers.
Example: I represent the children's hospital and am looking for donations; these children are in desperate need of funding. Would you be willing to open your heart to their plight?
Lending Legitimacy and Fabrication - Depending on the sophistication of the attack, the attacker may specifically research you online: what you do, your likes and dislikes, and your life preferences, in order to build rapport with you and make their facade more believable than it actually is. This is a more sophisticated attack, but it is commonly employed by unscrupulous groups and individuals.
Bandwagon or Argumentum ad Populum - Manipulating people's need to belong. The pitch is that an entire group has already done this and that it is easy to get started; cryptocurrency "investments" are a common example, as are other well-worn scam vectors. By using the crowd to validate the scheme's legitimacy, the attacker makes it appear that everyone is on board with the idea. Appealing to popularity is also a well-known logical fallacy, for an additional bit of context.
Example: If you invest in this platform you'll make 110% on the money you put in, guaranteed, and it will make you rich so you are no longer dependent on your pension. Sign up today!!!
Click Bait - This can be used with a subject you follow, a funny video, or something shocking. Recently a lot of Facebook posts have consisted of this kind of bait: if you click on it your account can be compromised, and if you stay "logged in all the time" to many services, so that your browser holds a large number of session cookies and tokens, the attacker can grab those and take control of those accounts. This bait is everywhere, even on legitimate websites.
Example: If you have a black [censored].... it means you ...
Domain and Email Address Squatting - This is the internet equivalent of setting up a company under another company's name and then claiming it is yours. The most common method is squatting on names close to well-known service platforms and domains. One very well-known example from the past was the typo-squat of google.com as goggle.com in the era of Windows XP; this squat was lethal to most computers, as visiting it would download every kind of malware onto your machine (I don't recommend looking it up today either; I don't know who owns the domain and it may still be malicious). Other domain squats might be:
netflix.xyz.com
westpac.org
facebook.org.za
All potentially malicious links have had their clickable links stripped for your safety. Again, DISCLAIMER: DO NOT LOOK THESE UP. I WILL NOT BE HELD RESPONSIBLE FOR YOU LOOKING THEM UP. YOU HAVE BEEN WARNED. Using domain names close to the original is a favourite way for cyber-criminals to dupe you into clicking a malicious link. They may also use TinyURL or other URL shorteners to hide the real domain, and, oddly enough, Telegram is a favourite command-and-control (C2) channel for this sort of attack as well.
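The three squats above all work the same way: the brand name is present somewhere in the hostname, but the part of the name the registrant actually controls (the registrable domain) is not the brand's. The script below, an added example that is not part of the original post, makes that distinction explicit. It pulls the registrable domain out of a URL or email sender address, flags a brand name appearing as a subdomain or inside another label (netflix.xyz.com, westpac-secure123.com), a swapped TLD (westpac.org, facebook.org.za) and a typo-squat within a couple of edits of the brand (goggle.com), and gives URL shorteners their own verdict because they hide the destination entirely. The brand allow-list and the abbreviated public-suffix table are constructed for the example; a real check would use the full Public Suffix List (for instance via the tldextract package) and a maintained brand list.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for the example: brand name -> the registrable domains it really uses.
# A real deployment would load this from a maintained list.
TRUSTED = {
    "google": {"google.com"},
    "netflix": {"netflix.com"},
    "westpac": {"westpac.com.au"},
    "facebook": {"facebook.com"},
}

# Constructed stand-in for the Public Suffix List, holding only the multi-label suffixes
# this example needs. Use the full list (e.g. the tldextract package) in practice.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.za", "co.uk"}

# A few real URL shorteners; a shortened link hides the destination, so it gets its own verdict.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

MAX_EDIT_DISTANCE = 2  # "goggle" vs "google" is 1 edit; anything this close is suspicious


def registrable_domain(host):
    """Return the domain a registrant actually controls, e.g. www.westpac.com.au -> westpac.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, registrable_domain, brand) for a URL or bare hostname.

    verdict is one of "trusted", "shortener", "lookalike" or "unknown".
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in KNOWN_SHORTENERS:
        return ("shortener", reg, None)
    for brand, real_domains in TRUSTED.items():
        if reg in real_domains:
            return ("trusted", reg, brand)
    labels = host.split(".")
    reg_name = reg.split(".")[0]
    for brand in TRUSTED:
        # Brand name used as a subdomain or embedded in a label (netflix.xyz.com,
        # westpac-secure123.com), or with its TLD swapped (westpac.org, facebook.org.za):
        # the brand appears in the name but the registrable domain is not the brand's.
        if any(brand in label for label in labels):
            return ("lookalike", reg, brand)
        # Typo-squat: the registrable name is within a couple of edits of the brand (goggle.com).
        if levenshtein(reg_name, brand) <= MAX_EDIT_DISTANCE:
            return ("lookalike", reg, brand)
    return ("unknown", reg, None)


def check_sender(from_header):
    """Classify the domain of an email From: value such as 'Westpac <alerts@westpac-secure123.com>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    domain = address.rsplit("@", 1)[-1]
    return classify(domain)


if __name__ == "__main__":
    # Constructed samples, including the squats listed in the post.
    for sample in ["https://www.google.com/search?q=x", "netflix.xyz.com", "westpac.org",
                   "facebook.org.za", "goggle.com", "https://bit.ly/3abc", "example.com"]:
        print(sample, "->", classify(sample))
    print(check_sender("Westpac Alerts <alerts@westpac-secure123.com>"))
```

Note what the "lookalike" verdict does not prove: a domain that merely resembles a brand may be legitimate (a reseller, a regional subsidiary), and a brand-new domain with no resemblance to anything can still be malicious. The point is the same as the post's advice: treat anything that is not on the trusted list as unverified, and confirm through a channel you already know rather than through the link or message in front of you.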
Protecting Yourself from Exploitation
Emotion: Be wary of emotional manipulation in general: aggression, flattery, fear, urgency and other strong emotions. Take a step back and do not give in to the tactic. You may feel a strong compulsion to give in to the demands, but stay firm and rational.
Question Authority: If a phone call claims to be from a representative of your bank, hang up, call your bank's published direct number and ask for that representative by name and extension. If the call was legitimate, the bank should be able to get you to that exact person. The same technique works for emails: if you get an email from "myGov", call myGov or write to their known email address directly; do not use the contact details in the message itself.
Baffle you with bullshit: A common tactic is to use technical jargon to pose as some kind of authority who knows what they are doing and so appear legitimate. When faced with someone who actually knows the technology, they will hang up faster than lightning.
Verify: Always try to verify who you are talking to. If it is your bank informing you that your card has been compromised, verify that it really is them using the same approach as for questioning authority. Avoid clicking suspicious-looking links from people you do not know, and be careful even with links from family and friends; if their accounts have been compromised they become unwitting vectors for the scam or attack. Check the sender's address carefully: scam emails often come from addresses containing random numbers or extra characters that a legitimate sender would not use.
As an important sub-concept: pay attention to the structure of emails and texts. They will sometimes contain poor writing, but this should not be taken as an absolutely reliable way to determine legitimacy.
Scam texts like the "Hi Mum" scam that was going around often come from Australian numbers because they are sent through "SIM boxes": devices with hundreds or even thousands of SIM card slots, controlled remotely from the scamming company or country in question.
One other closing warning: can you trust an email or phone call from a legitimate authority even if it is real? Hmmm, that depends. Company networks can be compromised and malicious actors can then use legitimate platforms to spread scams; for example, many scammers have taken over celebrities' accounts and spread scams from an actual legitimate account. Company accounts are as vulnerable as any other account, so an authority can potentially turn malicious.
Protect your Information: You are the weakest link when it comes to scammers and exploitation. The less you expose online about where you go, when you go there and what your likes and dislikes are, the easier it is to protect yourself from the more sophisticated methods.
