Is the only way to prevent social engineering attacks to change what makes us human?
Chloe Kim
There is no computer without a human behind it. Though a seemingly profound statement with blatant truth, it is this mindset that drives the culprits behind social engineering attacks that plague the world. Mundane actions like accepting friend requests on Facebook and answering unknown phone numbers can lead to manipulation, with attackers taking advantage of our innate curiosity and need for social interaction.
In order to do so, however, attackers must first set up a “pretext”, a situation that draws a user in when they are the least suspecting and the most vulnerable. Attackers can go to great lengths to do so, and they can target any group of people. For example, back in the 70s, attackers would call operation lines for deaf customers, as the operators on the other side of the phone were typically more patient, sympathetic, and, in turn, susceptible to exploitation through social engineering, or the manipulation of human psychology in order to gain something. (Wang)
Social engineering has evolved alongside modern technology, with attackers migrating to social media sites and taking advantage of, for example, the trust users place in the people on their friend recommendation page. Attackers can capitalize on people’s lack of focus or lack of knowledge, such as when users click on innocuous-looking pop-up ads or are preoccupied with other responsibilities in a job. Threat perception is also a major concern. (Albladi) For example, in an empirical field study of social engineering and its effects, researchers found that, despite people saying they understood the dangers that exist on the internet, they still accept trades of personal information in order to get a deal or bargain. (Workman) I feel that this prioritization of convenience versus safety has become very prevalent in our country today. Especially in these times, where everything is online including shopping, education, work, etc., social engineers are more likely to come across potential victims. It is more important than ever to be wary of every online interaction, and to always prioritize safety over convenience.
This lack of threat perception opens people up to another level of vulnerability, since features like profiles essentially allow attackers to construct a profile that matches the interests displayed by their victims. In the context of businesses with many employees, social engineering attacks can be detrimental, because no matter how skilled the workers are, it only takes one to cave in to an attack. Social engineering attacks test the limits of our cognitive load.
The issue then becomes eternal: in order to prevent cybersecurity breaches, companies will want to upgrade their computer systems, but this prompts hackers to utilize social engineering tactics to “breach” employees, since that would be easier than breaching the technology. What’s more, the human need for job security comes into play: researchers also found that employees were against upgrading security systems for fear that it might “impede their job”. (Greitzer) It seems that either way, the businesses lose. If they have a weak security system, they will be susceptible to hacking. If they upgrade their system, they will be susceptible to social engineering.
So the question remains: how can these attacks be prevented, both socially and professionally? For now, researchers understand how attackers target innate human instincts or needs, so logically the next step is figuring out how to mitigate or control these needs. For example, in-depth education on privacy and social engineering in the workplace will heighten employees’ awareness when they interact with unsuspecting individuals in the future.
Works Cited
Albladi, Samar M. and George R.S. Weir. 2018. “User characteristics that influence judgment of social engineering attacks in social networks”. Human-centric Computing and Information Sciences. 8(1):1-24.
Greitzer, Frank L., Sholom Cohen, Andrew Preston Moore, and Jeremy R. Strozer. 2014. “Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits”. 2014 IEEE Security and Privacy Workshops, 236-250.
Oliveira, Daniela S., Tian Lin, Harold Rocha, Donovan Ellis, Sandeep Dommaraju, Huizi Yang, Devon Weir, Sebastian Marin, and Natalie C. Ebner. 2019. “Empirical analysis of weapons of influence, life domains, and demographic-targeting in modern spam: An age-comparative perspective”. Crime Science. 8(1):1-14.
Wang, Zuoguang, Limin Sun, and Hongsong Zhu. 2020. “Defining Social Engineering in Cyber Security”. IEEE Access. 8(1):85094-85115.
Workman, Michael. 2007. “Gaining Access with Social Engineering: An Empirical Study of the Threat”. Information Systems Security. 16(6):315-331.