Social Engineering Attacks Today: How to Proactively Protect Yourself with Emotional Insights!
by Svenja Koch
The daily battle between cyber security and cyber crime is a highly technical and at the same time extremely human contest of strength. While cyber attacks always follow new trends and security experts respond to them with innovative measures, one method of attack remains largely unchanged. Social engineering attacks, i.e. the targeted manipulation of people, are as old as cybercrime and still immensely effective, despite all the security measures against cyber attacks that a large number of companies have now introduced into their operations. The Emotional Insights approach is designed to better prevent social engineering attacks in the future. In this article, you will learn exactly what emotional insights are and how they can minimise the "human security risk" in the context of cyber attacks.
A brief history of social engineering
Shortly after the Second World War, the Austrian-British philosopher Karl Popper coined the term social engineering - at that time, of course, not in the sense of cybercrime. Rather, Karl Popper was convinced that an improvement of society as a whole could be achieved through the targeted manipulation of people by means of psychological and sociological elements. Man as a machine that can be programmed: a somewhat creepy idea, admittedly, but not far-fetched nonetheless. In the 1970s, Karl Popper's intellectual successors added psychological tricks to the theory - not with bad ulterior motives, but rather with the conviction that they could move people towards greater health consciousness, more social interaction and, on balance, a better society. The economy also gratefully adopted the techniques of targeted manipulation. Whether advertising or "nudging" on the part of the state: social engineering can be found in many areas of our lives. The meaning of the term has since changed. When we speak of social engineering in our modern, digital society, we usually mean the "dark side": the manipulation of people for the purpose of data theft.
Why are social engineering attacks so successful?
Have you ever bought a product that you don't really need? Or have you signed a contract with obviously bad conditions because your negotiating partner was "so nice and polite and understanding"? Psychological manipulation is so successful because it specifically recognises people's weak points and knows how to exploit them. One of the best-known examples of social engineering outside of cybercrime is the grandchild trick. Here the criminals use information collected in advance about their victims, who are usually very old, and then apply mounting pressure and emotions to obtain bank data, valuables or cash. The grandchild trick is as old as the hills - and works again and again despite awareness campaigns. The reason: targeted manipulation can lead people into actions that they would never have taken voluntarily and of their own accord. Emotions in particular, such as fear or grief, ensure that the rational mind has to take a break. Who can refuse the granddaughter 2,000 euros that she tearfully needs for her bail because she has just run over the neighbour's boy and has now been arrested by the police?
The psychological levers behind social engineering attacks
Ratio versus emotio, the mind versus the emotions: every day we face decisions that we make either with our head or with our famous "gut feeling". It is a well-known fact in science that people make irrational decisions when their emotions get the better of them. And cyber criminals know this very well too! In social engineering, emotions are precisely the leverage used for a successful cyber attack. Whether through the promise of great love, the arousal of curiosity, the reinforcement of greed or the inexperience of the selected victim: social engineering experts know exactly how the mind can be tricked.
Knowledge is power - this also applies to social engineering attacks!
For social engineering attacks to work, the perpetrator must reach the victim on an emotional level. The basis for this is trust. Social engineers "earn" trust by finding out as much as possible about their target persons as inconspicuously as possible. Both online and offline measures are used to prepare for cyber attacks. Social media profiles are a popular field where cyber criminals search for, tap and collect usable information. But the dustbin in front of the house is also a valuable source of information. A lot of information about a person can be gathered from the smallest remnants of everyday life. Baby nappies in the rubbish, an empty bottle of red wine and a Facebook post with "Love is a XXXhole": the profile of the recently abandoned single mom who likes high-quality wine in the evening is complete. And with it, the basis for a love scamming attack, a fraud built on the pretence of great love.
Deep Fakes - Social Engineering Attacks in a New Dimension
Are you and your employees regularly trained in cyber security and thus on the safe side as far as social engineering attacks are concerned? Even if training is still the most effective weapon in the fight against manipulation attempts - the enemy never sleeps. And they are increasingly relying on deep fakes. Deep fakes are "replicas" of voices or even faces that can now feign an identity with unimagined professionalism. An executive secretary who receives a call from her boss and is asked to transfer a considerable sum of money to a foreign account is - well, something commonplace in everyday working life. The employee cannot be blamed if she carries out this order without further enquiry. After all, she has known the voice of her supervisor for many years. Too bad, however, that the voice is not real, but a perfidious digital imitation - and the money ends up not with a customer, but in the hands of well-equipped cyber criminals. Deep fakes are still a marginal phenomenon in the context of cyber attacks and anything but perfect. But it is only a matter of time before deep fakes are used for cyber attacks that can hardly be recognised as fraud attempts without specialised defence procedures.
Emotional Insights - The answer to cyber attacks?
Emotional Insights (EI) is the technical answer to social engineering attacks. The concept describes the evaluation of a user's emotions and behaviour while performing digital activities, for example online banking. Emotional insights are intended to prevent fraud attempts on the one hand and positively influence the user experience on the other. Emotional insights are continuously obtained from a user's behaviour. Various indicators are collected, analysed and placed in a larger context. What sounds incomprehensible at first is actually classic psychology transported to the digital level. People can be classified into different personality types. There are risk-takers and risk-averse people, strategic thinkers, people with a strong will or selfless people. This personality structure carries over into online behaviour. Emotional Insights builds precisely on this. By analysing behavioural patterns, deviations from the "normal state" can be shown on the basis of indicators. Once users have been classified, attempts at fraud can be detected much faster and, above all, more reliably. This is because the dynamic, emotional behaviour of a person is difficult to imitate.
How are emotional insights generated?
Emotional insights are generated by continuously monitoring and evaluating the digital behaviour of a user. Many thousands of individual interactions are recorded per session, which ultimately provide a picture of the personality currently sitting in front of the computer. The interactions include the movements of the mouse, the speed with which the mouse is moved or the preferences in dealing with keyboard inputs. With mobile devices, the intensity with which the touch screen is operated or the directions of movement of the smartphone can be tracked and assigned to a personality structure. The overall picture that emerges is unique. If cyber attackers now try to imitate this specific user behaviour, differences become clearly visible.
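The baseline-and-deviation idea described above, as an added Python example (not code from the article or from any Emotional Insights product). The three feature names, the minimum session count, the threshold and the sample sessions are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Assumed feature names: the article mentions mouse speed and keyboard
# habits but defines no concrete metrics.
FEATURES = ("mouse_speed_px_s", "key_dwell_ms", "key_flight_ms")
MIN_SESSIONS = 5   # assumed minimum number of sessions for a baseline
THRESHOLD = 3.0    # assumed cut-off on the mean absolute z-score

def build_baseline(sessions):
    """Per-feature (mean, spread) over a user's known-good sessions."""
    if len(sessions) < MIN_SESSIONS:
        raise ValueError("too few sessions to build a baseline")
    baseline = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        m = mean(values)
        # Floor the spread so a very steady user cannot cause division by
        # zero or make every tiny wobble look like an attack.
        baseline[f] = (m, max(stdev(values), 0.01 * abs(m), 1e-9))
    return baseline

def score_session(baseline, session):
    """Return (mean absolute z-score, per-feature z-scores)."""
    z = {f: (session[f] - m) / sd for f, (m, sd) in baseline.items()}
    return mean(abs(v) for v in z.values()), z

def is_anomalous(baseline, session, threshold=THRESHOLD):
    """True when the session deviates from the baseline beyond the cut-off."""
    return score_session(baseline, session)[0] > threshold

def make(speed, dwell, flight):
    """Build one session record from the three assumed features."""
    return dict(zip(FEATURES, (speed, dwell, flight)))

# Constructed sample data, not real measurements.
ENROLMENT = [make(410, 95, 140), make(420, 98, 150), make(395, 92, 135),
             make(430, 101, 145), make(405, 97, 142), make(415, 94, 138)]
SAME_USER = make(408, 96, 143)
OTHER_OPERATOR = make(720, 60, 260)   # someone else driving the session

if __name__ == "__main__":
    base = build_baseline(ENROLMENT)
    for name, s in (("same user", SAME_USER), ("other operator", OTHER_OPERATOR)):
        score, _ = score_session(base, s)
        print(f"{name}: score={score:.2f} anomalous={is_anomalous(base, s)}")
```

A score above the threshold is a signal for additional verification, not proof of fraud, since a legitimate user's behaviour also shifts with a new device or an injury.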
Social engineering is still a challenge for every IT security department. However sophisticated and effective the security measures around a company's networks may be, if employees are manipulated, cyber security is quickly gone. Cyber attackers know exactly the weak points of the human personality and know how to get to their target by building up pressure and using strong emotions. Anyone can be targeted by cyber attacks - whether in their private life or in their role in the company. The defence against social engineering activities resembles a cat-and-mouse game. While IT security is trying to raise awareness among colleagues through training, hackers are already using new tools for cyber attacks. Deep fakes are currently still a marginal topic, but here it is only a matter of time until perfectly imitated voices, or even the "boss" himself, release payments to supposed customers in a team meeting - and the hackers' account fills up. Emotional insights are considered a proven weapon in the fight against increasingly advanced social engineering attacks. By tracking and analysing personality-specific behaviour patterns, IT security can be significantly increased. As a small side effect, the user experience when visiting a website is improved.