The natural inclination to trust is a fundamental part of life and business. You would not be able to form business relationships, secure investment, serve customers and keep staff without it. But, there are increasing instances where our human instinct to trust something can lead to us being taken advantage of, and social engineering is a prime example of this.
Richard De Vere is the founder of The Antisocial Engineer and head of social engineering for business solution company Ultima. He has spent his career highlighting the many ways that trusting strangers can make a business vulnerable to threats – both physically and online.
What is social engineering?
“Social engineering is a professional name for scams and crime where there is an element of human manipulation,” De Vere explains.
In cases where social engineering is used, fraudsters turn our most human instincts against us to access information, physical spaces or systems for financial gain. To do this, they might present themselves as a trusted - or trustworthy - individual and source of information.
De Vere illustrates this with a standard example from outside the business world. A parent gets a text message from a phone number they don’t recognise. The text reads ‘Mum/Dad, I’ve just been mugged so I’m borrowing my friend’s phone. Could you send some money to their online bank so I can get home?’
“That particular scam works on people’s desire to care for their offspring,” says De Vere. “It’s very human.” And, he says, it is an impulse which all of us have – to use social cues and our understanding of people to influence others’ behaviour.
In a business setting, a social engineer could be the slick salesperson who has learned to talk with a smile and turns up to meetings in an expensive suit with a polished pitch deck of slides. “A lot of people probably don’t know this form of manipulation is called social engineering, they’re just sick of sending out emails which don’t get through to people and they’ve started to think about the psychology behind it.”
This situation can be classed as social engineering, rather than simply good sales technique, if the person is explicitly looking to trick you for their own nefarious purposes and to line their own pockets.
What being a victim of social engineering can look like in business
The rise in levels of cybercrime is well documented and no business can afford to ignore the severe threats posed by hackers. But social engineering can be just as effective in person as it can online, and it takes much more than a bouncer to stop it.
To illustrate this, De Vere describes the occasion when he used a bunch of flowers to get past the receptionists of a large office complex and gain unaccompanied access to the boardroom to plant a bug.
In the scam, De Vere arrived at reception with a large bouquet from an expensive local florist and told the women behind the desk that he was there to deliver them to an employee who he secretly knew wasn’t working that day. Flowers will only get you so far, though, he says, and the secret to success was in his manner. “First of all - I was careful not to be scary! I’m quite a big chap, so I could come across as intimidating. So I was very apologetic, embarrassed, flustered.”
And that was it, he says. In his “embarrassment” he suggests the women keep the flowers and excuses himself, ostensibly to call the intended recipient to let her know what has happened. This provides exactly the right amount of time to slip into the conference room and plant the bug.
“It’s exploiting human nature. You have two receptionists who would love a bunch of flowers, then you have me acting like Hugh Grant - ‘Oh God, I’m such an idiot!’ - and it all falls into place.”
This is how social engineers work: they study how people interact and use that to build personas which seem trustworthy. “You’ve got to look at how humans define trust on the fly. We do this through what we wear, how we speak, and through accents and mannerisms. By understanding how genuine people build trust, you can then learn to dress and speak appropriately. You can start to orchestrate trust.”
How to protect your business from social engineering
So, how can businesses protect themselves from attacks such as these? Is it as simple as encouraging a ‘don’t trust anyone’ attitude among staff? Absolutely not, says De Vere. “We trust people because we need to survive,” he explains. “If we question everything, we never get anything done.” And it could have the counterintuitive outcome of filtering into relationships between colleagues, leadership and clients. Trust is crucial for successful businesses, but there are things you can do to make organisations less vulnerable to fraudsters.
Empower and educate staff
“For too long, we’ve said that people are the weakest link in the chain,” says De Vere. The best way to scam-proof your organisation is to challenge this assumption. Empower staff to recognise and safeguard against attacks by training them and educating them to spot the risks. “How many people do you think get training on psychological manipulation when they start working in a bank? Not many!”
Understand the importance of security
“Social engineering is no longer a niche area of the business. It very much should be in the forefront. You should be discussing it with your security teams.” Much like cybersecurity, organisations who wish to protect themselves need to take threats like this seriously and factor them into risk management systems and business continuity plans.
Design businesses around people
“The truth is,” says De Vere, “we’re all very much human. And I don’t think that gets factored into any stage of the business until it becomes a problem and there’s a reason to start to make processes.” Designing your business around people means understanding that anyone can be scammed and that human behaviour is, to a certain extent, predictable. Mitigate for this by establishing set processes to combat risk, rather than simply holding people accountable once something has gone wrong. In the case of the receptionists and the flowers, had the business had a strict policy in place stating that visitors don’t pass a certain point unaccompanied, it would have been far harder for De Vere to make it into the conference room.
Finally, says De Vere, there is one way to recognise that normal levels of human interaction might be tipping into the sphere of social engineering. “Social engineering makes you feel stuff that isn’t real,” he explains. Potential victims should keep a keen eye out for when a radical change of emotion happens quickly. “It’s about spotting the triggers that ‘this person is making me upset or elated all of a sudden. But why?’ From an emotional perspective it’s about being aware of the feeling of being strung along.”
By training everyone in your organisation to recognise this feeling, making security a top priority and establishing processes which assume natural levels of human fallibility, you can keep trust for the people who deserve it. And keep your business safer from those who do not.