Social engineering attacks occur when perpetrators convince people to provide sensitive information or access. Which psychological tactics drive these efforts, and why do they work?
Fear of Missing Out and Sense of Urgency
People often bring up the fear of missing out (FOMO) when talking about life experiences or things they see their friends doing that they want to do themselves. However, FOMO is also a common psychological lever exploited in social engineering attacks, and many cybercriminals pair it with a manufactured sense of urgency.
Someone might receive a text message claiming a problem with a parcel in transit, demanding more personal details if they want to receive the package. Another scenario is when a scammer insists that the person must pay a small additional fee — such as a customs charge — to release the package from an ongoing hold. Many people will comply without a second thought because they’re excited to receive the parcel.
These tactics often demand people act within a limited time frame, putting pressure on the recipient. Some scammers even threaten situations most people want to avoid, such as fines or jail time, insisting that individuals must respond promptly to prevent such ramifications.
Using these psychological tricks pays off for many scammers because they play on both minor and serious fears. People will comply with what is asked of them to avoid the negative outcome they have been warned about.
Empathy and Willingness to Help
Another increasingly common psychological method is for the scammer to pose as someone who legitimately needs access to a corporate network. A recent version of this scam involves the criminal calling a tech support line and impersonating an employee from a company’s finance department who needs to enroll a new smartphone for multifactor authentication because their current one is not working.
The tech support person is also more likely to believe the scammer when they have correct information about the impersonated employee, including their Social Security and corporate ID numbers. In one recorded instance, scammers used this trick to impersonate an organization’s chief financial officer.
These cases exploit people’s empathy and willingness to help. Most individuals have been locked out of online accounts and can remember how frustrating it is. Consider how tech support professionals’ roles consist of helping users get out of this situation as smoothly as possible. Since the scammer can pass security checks by providing the correct information about the individual they’re impersonating, the tech support representative has little or no reason to suspect anything is wrong.
Brand Recognition and Trust
Statistics indicate 98% of cyberattacks have social engineering elements. Those who orchestrate them understand it may take a while to get the desired results. Many attackers spend weeks getting to know their targets and earning their trust.
Sometimes, that means posing as someone the victim already trusts, such as a payroll department employee. Suppose a worker has received on-time paychecks for the past several years. Then, they might receive an email from someone seemingly responsible for getting people paid that says they must provide additional information or verify what is already in the system. Recipients would almost certainly comply because of the well-established history of trust.
Research shows people clicked malicious links in phishing emails 50% of the time when hackers used social engineering tactics. That finding explains why such messages so commonly contain branding from recognizable companies. Suppose someone sees a message from Amazon, PayPal or their bank requesting their password or other personal information. In that case, they’re more likely to immediately trust the content because it comes from a recognizable company.
Trust also factors into social engineering-driven breaches of physical security. Imagine entering a secure area when someone dressed as a maintenance worker calls out from behind you and asks if you can hold the door. You’d probably see the person’s apparel and quickly trust your instinct that they are there for a legitimate reason and have access rights. However, your decision to be polite by facilitating entry could cause security issues.
Curiosity and Social Proof
Humans are naturally curious, and many criminals develop social engineering methods to capitalize on that reality. They use tactics that catch people’s attention, hooking them enough to follow through with their desire to learn more.
Earlier in 2024, representatives from an Irish bank warned customers of fake news articles that try to entice readers into bogus investment opportunities. They explained how people who click on such content get redirected to sites that mimic legitimate publishers, often including the bylines of reporters who actually write for genuine sites and featuring the same graphics or site layouts.
The fake articles feature clickbait headlines, such as those implying the content details something everyone should know about or information so powerful that people have sued to stop it from getting out into the world. Such tempting language only stirs someone’s innate curiosity even more.
Some of these misleading articles also feature the names and images of celebrities or prominent politicians. Scammers using that tactic emphasize social proof, which exerts influence by convincing people that others have decided to take advantage of these investment opportunities. If someone thinks a movie star or respected authority figure has participated in them, they will be more likely to do the same.
Social Engineering Experts Understand Human Psychology
These examples show why social engineering attacks are more likely to succeed when those behind them know how people’s minds work. Fortunately, increased awareness simultaneously makes individuals less likely to fall for these attempts, making it continually important to spread the word about these tactics.