19 Examples of Lines Hackers use for Social Engineering Attacks, Part 1
Hackers will do anything to hack your network, steal money, or gain access to sensitive data. Hackers are also incredibly lazy. While they could compete with you in single cybersecurity combat; your firewalls vs their blackhat skills, they’d rathe take the coward’s way and trick an employee into breaching security for them.
This is known as a social engineering hack; When a hacker uses phone, email, or chat to fool an employee into using their own access to expose the network to malware, wire money, or send over sensitive information. The reason it works is beacuse hackers are good at coming up with a con-artists’s line that convinces staff members that they are legitmate despite any warning signs.
The best defense against this type of attack is to know what’s coming. not only that clicking links and doing unconfirmed favors is bad, but the types of lines that hackers use and why they have worked in the past. So let’s dive right into the psychology and methods of the social hacker.
Identity, Excuse, Urgency
The majority of social hacks follow the same basic formula: Identity, Excuse, Urgency.
First, the hacker assumes an identity that is sympathetic, believable, or powerful to the targeted employee. A customer, a boss, or a business partner who must be obeyed. Ideally, someone with authority over the target, but not always. Hackers may also pose as peers or even family members.
Then the hacker comes up with an excuse. What they need and why they need it. If it’s information, they have a reason to need the information. If’ it’s a malware link the target must click, there’s a reason for them to click it.
Finally, the hacker must create a sense of urgency and/or isolation so that the target acts without thinking, sending a message to anyone else, or going through the proper channels. It’s an emergency, it’s a lose-your-job situation, or sometimes a it’s one-time opportunity.
Let’s look at how Identity, Excuse, and Urgency are applied in fifteen different hacker lines that have worked in the past:
I’m a Client and…
Hackers often pose as customers in order to attack through a customer service vector. Customer service employees are often trained in the ‘Customer is Always Right’ school of thought and are directed to give customers everything they ask for, and not always within reason. New employees may not be well-versed in security protocols and gentle employees may give way when pressured, so it’s worth a hacker’s time to apply that pressure. Sometimes it’s a friendly attempt, somtimes it’s not.
“I can’t access my account. Could you just give me my password/security question answers/account number/balance real fast? Thanks”
Hackers love this ploy. It allows them to fish for private information about the customer they are pretending to be. Especially since people tend to use the same passwords and security questions from site to site, including their bank. If a hacker asks for an account number or balance, they are definitely planning to target and scam the actual customer in question.
“I need to [file some papers/get some answers]. Could you just open these documents I’m sending you?”
The classic malware ploy. hackers have been known to pose as customers and insist on ‘sharing documents’ just to get a staff member to open their malware attachment or follow an infected link.
“I’m trying to [make a withdrawal/closing the account/opening a new account] but can’t access my old login. Could you just transfer the money into my other account so I can move on?”
It’s customer service’s job to help clients with tricky account situations. But transferring money without a password and identity authentication? Never do it. Make them show up in person first.
“Someone broke into my account! I need you to do everything I say to make it right!”
Pretending to be hacked is an ultimate irony. It also allows hackers to fake ‘being wronged by the company’ to get customer service to do everything they say in a frantic rush without checking credentials.
“I’m very angry! If you don’t [give me information/click this link/transfer money] then I’m gonna get you and everyone you know fired!”
Another form of urgency is the ‘angry customer’ who will yell, hurl insults, and level threats in order to bully customer service into clicking links, revealing info, or transferring money.
I’m Your [Family Member / Good Friend] and…
Sometimes, a hacker will skip the business associations and pose as a personal contact of the target instead. Often with details harvested from social media. They may pose as a nuclear family member needing info, a distant but good friend who needs a favor, or even your own child experiencing a college emergency.
“I’m filling out this fun new personality quiz. What was your mother’s maiden name again?”
Stop. Any time an email asks you for security-question-like answers, you probably shouldn’t answer. Especially if it’s something a close friend or family member should already know or have a way to find out. You might even be able to toy with a hacker who has been caught pretending to be someone you know. “You were at my wedding, did you really drink so much that night that you forgot my maiden name?”
“I’m stuck in New Mexico without bus fare! Could you just wire me enough for a bus ticket and I swear I’ll pay you back soon!”
Hackers may try to pluck at your heartstrings by creating a fake emergency. The hacker is likely relying on your concern for their fake identity to cause you to leap to the rescue, sending money or data or opening a sent link without thought in order to help. Be aware, bus fare is one of the least offensive tactics of this type. Hackers have been known to fake a number of alarming ’emergencies’ to force urgency. Always call your relatives on their phones or email through normal channels to confirm before assuming an at-work alert is real.
[Continued Directly into Part 2