Today, over 5 billion people use the Internet, which is growing. Most people regularly visit social networks and use platforms, like a Hellspin login site: it’s there that we often post confidential information about ourselves. It isn’t surprising that more and more people online prey on our identities. Let’s find out what social engineering is and how not to fall into the trap of manipulators.
Two Ways to Make a Decision
In the last decade, it has become clear that such ethical categories as lies and deception are quite relevant in a scientific context – thus, they are particularly interested in behavioral economics and social psychology. In psychology, the field that studies the phenomenon of deception lies at the intersection of individual psychology, decision-making psychology, management psychology, and moral psychology. Here we study different variants of influence, which include manipulation of other people’s consciousness and behavior because deception can be called any situation in which the manipulator induces us to make a decision that meets his interests, not ours.
In the information space, mainly on the Internet and over the phone, the most common means of manipulation is to extort money or personal information from the user. The manipulator, in this case, is a lawbreaker, and his “victim” is the person who makes a decision he didn’t even think about ten minutes ago. In social engineering, there is a whole set of socio-psychological recipes, the purpose of which is to first manipulate the consciousness and then the person’s behavior. The main thing in the psychology of deception is to influence the decision-making process.
Daniel Kahneman was the first to describe a two-step model of decision making, according to which two levels of thinking can be involved in making choices. The first level system is a system that is based on stereotypes and allows us to react very quickly, though not always rationally, to a situation: we apply a learned pattern of behavior and act as usual in the new circumstances. For example, when a person is told that he is in danger or that his money has been stolen from him, he first resorts to stereotypical actions to avoid this.
The second level system is rational thinking, which allows us to determine that we are being deceived. At this stage, a person compares and filters information, separating useful information from useless or even harmful, and finally makes a well-considered conscious decision. But because this level involves a slower and more energy-intensive cognitive process, conscious decision-making control tends to come on later and less frequently. Studies in economic psychology suggest that we are irrational and rather spontaneous creatures – for example, we often buy the wrong thing.
Attackers try in every way to stimulate the first automated decision-making mechanism, so in a situation of rapid manipulative influence, the victim often does not have time to critically assess the incoming information. Moreover, deception’s psychology involves inducing a person to make an unfavorable decision by combining plausible information with implausible, true with false. In addition, a person’s focus of attention is quite narrow. If it’s focused on work, household tasks, or driving a car, there are few resources left for critical information analysis. Most manipulators appeal to this situation to influence the decision-making process.
Phishing, Vishing, Smishing
Phishing is the most widespread method of manipulation on the Internet today. In this case, the attacker sends the user an email that looks like a message from a bank, online store, social network, or other credible organization. The email message states that the user’s account has been compromised, suspicious activity has been detected, and requests verification of personal data or a link to pay for a purchase or receive a discount coupon. After taking the “bait,” the recipient clicks on the link or opens the attachment to the email – and gets “hooked” by those who thus gain access to confidential information.
Another common technique is phishing by telephone or vishing. A person receives a phone call and poses as an investigator, a tech-support specialist, or a bank security officer, stealing personal information such as bank card details. The victim voluntarily provides numbers and codes that can be used to access the money account. Another type of phishing is smishing, i.e., using SMS conversations and messengers for the same purposes, usually to extort financial information. Such text messages contain links to a malicious site or software which steals personal data.
Pretexting implies that the attacker has prepared thoroughly and will act according to a script developed in advance for a specific person. He may have found the name, date of birth, number of the passport, or the person’s card to gain trust and get other valuable information such as a CVV code or online banking password. By the way, most of the preparatory information can be gathered from public Internet sources such as social networks, whose users voluntarily put a variety of information freely available. In the end, some use so-called “shoulder surfing”: it’s common in transport, stores, cafes, bars, and other public places.
How They Try to Outsmart Us
Most social engineering techniques are based on the same techniques to activate the unconscious decision-making stage and prevent a rational assessment of what is happening. To do this, the effect of surprise is often used, such as calling in the middle of the night to catch a person in a vulnerable physiological state: due to the weak involvement of consciousness, he is unlikely to be able to defend his interests. Or they catch us in a certain emotional state: for example, almost everyone is periodically under stress and therefore cannot fight back in time, or is in a state of peace and complete trust in the world – and during this period, we don’t intend to defend ourselves from ill-wishers at all. Another technique is to make it clear: there is no time; it’s necessary to act quickly. Otherwise, something terrible will happen. For example, a woman with a teenage son receives a call: on the receiver, a frightened teenage voice says something quickly, confusedly, in a half-whisper, uttering “keywords.” The voice is difficult to recognize, and most mothers will go along with the deceiver in the first seconds.
Users may also receive identical, faceless emails or SMS messages that look like a standard mailing, counting on people automatically clicking on the malicious attachment and skipping the process of rationalizing their actions. The technique seems completely different, but it appeals to the dormant parts of our consciousness – just like the gentle hypnotizing with tons of incoherent information. In this case, the manipulator quickly overwhelms the interlocutor with a large volume of contradictory or difficult-to-digest data, thereby confusing him. For example, a person is sitting in the office and is busy working; a phone call comes in from the bank: they tell him that there is suspicious activity with his card, and he needs to transfer all of his money to a backup account. Since something like this could happen, and the focus of the victim’s attention is on work tasks, there is a high probability that the deception will succeed. When we perceive several layers of information at once, we often miss important details and react too late.
Another typical technique is the provocation of consent responses. At the beginning of the conversation, we are asked to confirm a few details: “Am I talking to Ivan Ivanovich?” – “Yes,” “Is this your phone number?” – “Yes,” “Do I understand correctly that you have an account in such a bank?” – “Yes.” It is believed that after three of these “yeses,” the trusting contact is already halfway established, and the likelihood that we will tell the caller, for example, the secret code, increases.
Another category of people who find it difficult to say “no” are authority figures like police officers, bank officials, and representatives of international organizations; scammers may introduce themselves to gain the victim’s trust and willingness to listen. In addition, we begin to trust the interlocutor when we feel comfortable with the situation: for example, if we are given to understand that something or another action is a way to secure all parties to the transaction. In any case, it’s worth remembering that deceivers use these and other manipulative strategies in the hope of putting critical thinking to sleep and provoking reckless, stereotypical reactions.
How to Resist
A universal recipe for protection against any deception is a reasonable lack of trust. It is associated primarily with self-control, that is, with the ability not to be fooled by your first reaction but to resort to the very two-process system of decision-making. Since the techniques of manipulators are aimed at limiting the work of the second level system (so that the victim, before he or she has had time to think, commits an action to his or her detriment), it is possible to resist them by developing self-control in stressful situations.
Arbitrary control of decision-making requires serious cognitive effort, but techniques from social psychology, such as the universal rule based on Harold Lasswell’s communication model, can make the task easier. Having received any message, it is necessary to analyze it according to five points: who, to whom, and what exactly is communicated, what channel is used for communication, and most importantly, for what purpose.