
How to not get scammed! 🦹🏻‍♂️ A guide to preventing social engineering.

I've recently delivered an awareness session for a client on how to prevent social engineering. Social engineering is one of my all-time favourite subjects, as all breaches involve the exploitation of human psychology to some degree, and it's a more reliable vector than exploiting an organisation's technology or processes.


The material I used was something I originally wrote 7 years ago. As I was updating the content, it was eye-opening to see how much the tools of social engineering have changed (nice one, AI) while the underlying tactics and techniques have stayed the same.


Keeping up with the arms race of tools is a never-ending battle. Learning to spot the latest phishing lure or deepfake is time-consuming and paranoia-inducing. So instead of putting our effort into disarming each new threat, we should patch the vulnerability. For social engineering, that means understanding the inherent flaws in our psychology: the cognitive biases that criminals exploit. If we understand our own thoughts and actions better, we can stop them being exploited.


If your gut is giving you a bad vibe, ask yourself three simple questions:


1️⃣ "What am I being asked to do?"

Is this person asking me to do something high-risk?

(Does it involve making a payment, or sharing passwords, secrets, commercially sensitive data or regulated data?)


2️⃣ "How am I being made to feel?"

Criminals will act in a way that is:

likeable 😊

empathetic 🫂

authoritative 👨🏻‍🏫

or credible 👩🏽‍💼


This puts you in a state of:

comfort 😌

helpfulness 🤲🏼

fear 😰

or carelessness 🙊



These emotional states make you more likely to make mistakes and act in a way that's not in your best interest.


3️⃣ "Am I acting on auto-pilot?"

95% of our actions in a day are unconscious, done on auto-pilot (System 1 cognition, in Kahneman's terms). Criminals are counting on you doing what they ask without giving it much thought.


Only 5% of our day is spent thinking rationally and deliberately (System 2 cognition). This type of thinking takes time and costs mental effort.


If you feel like you're acting from a place of emotion, take the time to act from a place of rationality. Slow down. Think about how you can verify the request with another person, or via another channel (for example, calling the requester back on a number you already hold, not one supplied in the message). It's always worth pausing to prevent an incident occurring.

© 2022-2025 Steel FYI. All rights reserved.
