The psychology behind why we fall for social engineering attacks

John McAfee, during his entertaining if always doomed run at the White House, made various boasts about hacking this and that through social engineering, the act of tricking people into handing over access and information.

Social engineering – everything from phony emails with dodgy links to fake phone calls asking for information – is becoming more common. Phishing emails are reportedly at their highest level for more than a decade.

During her talk, “How to hack a human: anatomy of a social engineering attack”, at InfoSecurity Europe, Dr Jessica Barker, an independent consultant and sociologist, explored the human drivers of cyber security.

According to Barker, social engineering is as old as time. As long as people have been around, there have been other people trying to con them. In the early 1800s, for example, American industrialist Francis Cabot Lowell tricked his way into tours of English cotton mills and based his own machines in the US on the blueprints. Such attacks work because of a “mixture of human nature and social norms being used against us,” and the rise of online communications has merely given attackers new ways of exploiting those human flaws.

So how do hackers abuse human nature in cyber-attacks?

Reciprocity and social obligations

“We feel indebted to people who do us favours,” Barker explains. As a simple example, a recent study showed nearly half of people would give up their password if given chocolate just before being asked for it (though the figure was significantly higher in a similar 2004 study). While most hackers don’t provide chocolate, simply being nice can be enough to get them what they want.

Curiosity

We’ve all seen clickbait titles with alluring images, the ones that lead to questionable sites laden with viruses, not to mention those emails we know aren’t ‘that document we discussed earlier’. But Barker argues our natural curiosity inevitably gets the better of us, even when we are almost certain it’s a bad link. That curiosity, she says, “eats away if we don’t check it, just in case it’s real.”

Trust

People are generally good and inherently trusting, which is a problem online. “Naivety is something we have to battle against,” says Barker. People find it hard to imagine others acting maliciously, meaning links are often clicked with no questions asked.

Overconfidence

“We see overconfidence taken advantage of all the time,” says Barker. Spear-phishing emails aimed at CEOs – so-called “whaling attacks” – are becoming more common, and the experience built up over a number of years often gives execs a sense of overconfidence that ends up costing massive amounts of money and usually several jobs.

Narcissism

Narcissism has grown as sharply over the last decade as obesity. Where the overweight gorge on sweets and chips, millennials binge on social media. The constant desire for more friends, and the urge to tell them where we are and what we’re doing, inevitably opens us up to attack. Social engineering attacks such as catfishing become much easier if you play up to a target’s narcissism.

So what can CISOs do to try and prevent people from falling for these kinds of tricks?

Barker subscribes to nudge theory, in which small cues help steer people away from doing something they shouldn’t and toward good behaviours, and argues that creating a strong cyber-security culture within organisations is the best option.

“When we tell people what to do, they find workarounds,” says Barker. She likens nudges to GPS: they help without forcing people.

She uses password strength bars as a good example of nudging people to be better at security, adding that the ones that use smiley faces are more effective because “emojis are really good at affecting behaviour”.
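As an added example, not from Barker’s talk or the article, here is a password-strength nudge in JavaScript in the spirit described above: it scores a candidate password with constructed heuristics and a constructed five-entry deny-list, and returns an emoji-tiered hint instead of rejecting the input, so the user is steered rather than commanded.

```javascript
// Constructed sample deny-list; a real deployment would use a large breached-password set.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein", "welcome"]);

// Rough guessability estimate in bits (constructed heuristic, not a real strength library):
// alphabet size actually used, times length, then capped for patterns that make a
// password easy to guess regardless of how long it is.
function estimateBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33;       // punctuation and spaces
  let bits = pw.length * Math.log2(alphabet || 1);
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) bits = Math.min(bits, 4); // on the deny-list
  if (/^(.)\1+$/.test(pw)) bits = Math.min(bits, 8);                    // "aaaaaaaa"
  if (/^(?:abc|123|qwe)/i.test(pw)) bits -= 8;                          // keyboard-walk start
  return Math.max(0, Math.round(bits));
}

// Tiers are the smiley-face "bar": each step up is a friendlier face and a shorter hint.
const TIERS = [
  { min: 0,  emoji: "☹️", level: "weak",   hint: "Easy to guess. Try a longer phrase." },
  { min: 36, emoji: "😐", level: "fair",   hint: "Better. A few more words would help." },
  { min: 60, emoji: "🙂", level: "good",   hint: "Good choice." },
  { min: 80, emoji: "😀", level: "strong", hint: "Great, this is hard to guess." },
];

// Returns what the UI shows beside the field. Nothing here blocks submission:
// the point of a nudge is to inform the choice, not to force it.
function nudge(pw) {
  const bits = estimateBits(pw);
  let tier = TIERS[0];
  for (const t of TIERS) if (bits >= t.min) tier = t;
  return { bits, level: tier.level, emoji: tier.emoji, hint: tier.hint, blocked: false };
}

// Usage: render the result of nudge(field.value) on each keystroke.
console.log(nudge("password"), nudge("correct horse battery staple"));
```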

The way security treats its users matters, a contrast Barker frames as the Golem effect versus the Pygmalion effect. “If you treat people well and respect them, you get more out of them.” If you treat them as stupid and part of the problem, then you’re going to have more security events to deal with.

Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.