Social Engineering. How Phishing works.
Social engineering, or, as it is called in polite company, behavioral biology, is one of the most important tools a hacker has. It is commonly used to gain initial access, and sometimes it is the only technique an attacker needs.
For a basic understanding of how this works at the level of the individual person, I recommend Robert Sapolsky's lecture course "Human Behavioral Biology" (eng) (rus)
Today we will talk about one of the main types of attack: phishing.
Phishing gets its name from fishing: like an angler, the attacker casts a baited hook and waits for the victim to bite.
The essence of phishing is to present the victim with a highly plausible fake and get them to perform the action the attacker needs.
For example, it could be an email with an attached document that is actually a malicious program. Or an SMS, supposedly from your bank, saying that you urgently need to submit some documents or your account will be blocked, with a link to a login form that looks like the bank's online banking portal (only it is not the bank's site).
Here is a story from a hacker I know who used this method:
Or another story, this one involving a well-known company:
Why does this work?
As many of you know, our brain operates on two levels, much like a computer's frontend and backend: conscious actions and unconscious ones (habits, emotional reactions, basic instincts, and so on). In the first case we carefully weigh every bit of information, or at least I would like to hope so; in the second we hand the reins to processes that are not very scrupulous.
The brain works this way because otherwise it could not function at all. Conscious processing is very slow and consumes an enormous share of the body's resources, which makes it terribly inefficient. Imagine having to consciously make your heart beat or your lungs breathe: a moment's distraction, a stray thought, and you are dead. That is precisely why the division exists.
But besides the benefit, this division also carries real danger. It creates patterned behavior: every time a decision is needed, the brain asks, "Should this go to the subconscious or to consciousness?" Unfortunately, that triage also has to be fast, so if a situation is hard to distinguish from familiar ones, the brain hands it to a subconscious pattern.
Take crossing the street at a signalled crossing. In a crowd waiting for the green light, only a few people are actually looking at the signal; most react not to the light but to other people starting to cross. I am sure many of you have seen someone start crossing on red, a good part of the crowd follow, and then everyone stop once they notice the light is still red.
All of this is made worse by cognitive load: the higher it is, the more likely a decision gets passed to the subconscious. That includes moments when the brain is busy with something demanding: a conversation, calculations, intense visual attention, hurry, stress.
That is why, for example, talking on the phone while driving is prohibited: the brain cannot cope with two critical processes at once, and one blocks the other. Many have noticed that people busy with heavy mental work respond noticeably slowly in conversation. Same mechanism.
How is all this used in Phishing?
The main goal of such attacks is not to alarm your brain and wake up your consciousness but, on the contrary, to do everything possible so that the message is handled by a pattern.
The usual approaches are:
- Urgency (a time limit)
- Expectancy. For example, you know you are about to receive a particular letter.
- Trust. You receive a message supposedly from a friend you know well.
- Habit. You know what your online account's login page looks like, so you click through without thinking.
- Bait. You see a very attractive offer, for example a 50% discount on a laptop you have wanted for a long time.
How to protect yourself from this?
The same way the attack itself works: build a pattern of safe behavior. For any critical action, force yourself to check the main red flags:
- Is the sender trustworthy? Do the name and the email address or phone number match what you expect?
- Where does the link go? Does the domain match the expected one?
- Plausibility. Could such a message exist at all?
- Expectancy. Should you be receiving something like this?
- Urgency. If something is urgent, be even more meticulous.
- Downloaded files. Why is the person sending you attached documents instead of sharing them through, say, Google Drive? (A shared-drive link deserves the same domain check as any other link.)
If unsure, double-check. Got a message from your bank? Call the bank at a phone number you already know and clarify. A message from a payment system? Do not follow the link; open a browser, type the known address by hand, and only then log in.
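The checklist above can be turned into a small mechanical triage. The following is an added example, not code from the original article: it parses one raw email, checks the sender's address domain against the brand the display name claims, follows every link's real destination and compares it with the visible link text, looks for pressure wording, and flags executable or double-extension attachments. Both messages are constructed for the demo; the brand name, domains (example-bank.com, login-check.net) and the word lists are assumptions, and the `registrable_domain` helper is a deliberate simplification of the Public Suffix List.

```python
"""Heuristic red-flag checker for one inbound email (added example, not from the article)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed word lists; tune them to your own mail flow.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be blocked", "suspended")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real checker should use the
    Public Suffix List so that e.g. 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw: str, expected_domain: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message, judged against the
    domain the message claims to come from (expected_domain, e.g. the bank's)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Sender: does the address domain match the brand the display name claims?
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) != expected_domain:
        flags.append(f"SENDER: address domain {sender_domain!r} is not {expected_domain!r}")
        brand = re.sub(r"[^a-z0-9]", "", expected_domain.split(".")[0])
        if brand and brand in re.sub(r"[^a-z0-9]", "", display.lower()):
            flags.append(f"SENDER: display name {display!r} claims the brand but the address does not")

    # 2. Links: where does each one really go, and does the visible text agree?
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if registrable_domain(host) != expected_domain:
            flags.append(f"LINK: {href!r} leads to {registrable_domain(host)!r}, not {expected_domain!r}")
        shown = TAG_RE.sub("", text).strip()
        shown_host = urlparse(shown).hostname if shown.lower().startswith("http") else None
        if shown_host and shown_host.lower() != host:
            flags.append(f"LINK: text shows {shown_host!r} but the link points to {host!r}")

    # 3. Urgency: pressure wording in the subject or body
    visible = (str(msg.get("Subject", "")) + " " + TAG_RE.sub(" ", html)).lower()
    hits = [w for w in URGENCY_WORDS if w in visible]
    if hits:
        flags.append(f"URGENCY: pressure wording {hits}")

    # 4. Attachments: executable / macro-enabled files and double extensions
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT) or name.count(".") > 1:
            flags.append(f"ATTACHMENT: suspicious file name {name!r}")
    return flags


def build_phishing_sample() -> str:
    """Constructed message imitating the 'your account will be blocked' scenario."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank Security" <alerts@example-bank-verify.com>'
    msg["To"] = "customer@example.org"
    msg["Subject"] = "URGENT: your account will be blocked within 24 hours"
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(
        "<html><body><p>Confirm your identity immediately or your account will be blocked.</p>"
        '<p><a href="https://example-bank.com.login-check.net/verify">https://example-bank.com/login</a></p>'
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg.as_string()


def build_benign_sample() -> str:
    """Constructed message that should pass every check."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank" <notifications@example-bank.com>'
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your monthly statement is ready"
    msg.set_content("Log in at https://example-bank.com/ to view your statement.")
    return msg.as_string()


if __name__ == "__main__":
    for flag in analyze(build_phishing_sample(), "example-bank.com"):
        print(flag)
```

Run it and the constructed phishing message trips every item on the checklist: a look-alike sender domain, a display name borrowing the bank's brand, a link whose visible text and real destination disagree, pressure wording, and a double-extension attachment; the benign message produces no flags. The point is not that a script replaces judgement, but that each red flag is a concrete, checkable property of the message rather than a feeling.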
Hope this helps you avoid problems. In future articles, I will cover more aspects of security and social engineering.
If you find this topic interesting, don't forget to follow me here and on my LinkedIn.