Penetration Testing, Cyber Security

Hacking People: The Psychology of Social Engineering

Written by Ellie Owen

Published on 30 Oct 2018


Preparing for Social Engineering Attacks

Social engineering is a perfect example of a security vulnerability that requires the human touch to understand and combat. For this reason, even the most extensive GRC software needs to be married together with the expertise that only experienced governance and cybersecurity teams can offer – to form a robust compliance and risk management plan.

Identifying vulnerabilities within the human side of your workforce and resources, and developing a series of solutions and fail-safes, requires a combination of penetration testing and adversary simulation – to see how easily attackers could gain access to systems via your staff, and then how easily that access could become detrimental.

 

While much of the focus of penetration testing within any risk management plan is often centred on the tools used in cyber-attacks, there is an important role for social engineering in the attackers’ physical estimation of a business when preparing to hack them. This includes trying to gain access to offices to gather intelligence, obtain credentials, and gain access to the IT infrastructure from within the building. Attackers will assume a plausible guise, with a plausible explanation, for needing this information. 

 

SureCloud consultant Sarka Pekarova shared her expertise at BSides Manchester, one of the UK’s leading hacker and cybersecurity conferences, and spoke about the role of psychology in social engineering exercises.

 

This aspect of penetration testing is all about manipulation and deception, rather than trying to outsmart a machine. It is just as crucial in improving an organisation’s security risk management as probing networks for vulnerabilities. 

 

But what does this look like in practice?

 

Here are some of Sarka’s key considerations when launching social engineering penetration testing.

Creating a Persona

One of the most critical considerations of any social engineering attack is creating a persona that you know inside and out. You wouldn’t want to give away your real identity or intentions, but equally, you need to be able to appear genuine, respond promptly and not give away any signs that you may not be who you say you are. 

 

Establishing a convincing and manipulative persona and becoming that person is the crucial first step in getting targets to believe in you and behave as you want them to.

 

Reading Pacifying Behaviour

Confrontation is commonplace in a social engineering penetration test – people challenge who you are, why you’re there and what your intentions are. From the perspective of the attacker, it is crucial that this is successfully navigated, and requires them to accurately read the body language of the person confronting them.

As the attacker, for those that are challenging me, it is usually a stressful experience. It’s not something they feel comfortable doing, and under stress, they will start to exhibit pacifying behaviours that inform me on how I should approach them. 

 

A common misconception is that it is the face that gives away the most in these situations; however, the face is the easiest part of the body for people to control. It is actually people’s extremities – i.e. hands, feet, arms, and legs – that give away the most.

For instance, a person speaking to me with one leg pointing away forming an L shape signals that they want the encounter to be as brief as possible. This tells me that if I speak in vague terms, they are unlikely to challenge me further, or that if I quickly flash fake credentials, they are likely to accept this without digging deeper.

 

Equally, if a target begins stroking or rubbing their neck with a hand, this signifies that they are calming themselves to deal with the situation in a considered way to ensure they are acting appropriately. In this instance I might try to fluster them, by talking quickly, for example, to hurry them into a mistake before they can fully gather their thoughts. However, if a target folds their arms, it means their guard is up, and I have to be more considered and offer more detailed responses that make my presence seem more credible.

 

Reading Facial Expressions

While the face is easier to control, this does not prevent it from giving away small tells about the target’s emotion and how they are thinking. 

 

Facial tells can loosely be split into six categories: fear, content, surprise, happiness, anger, and disgust. As targets can manipulate their faces, they often give away quick glimpses of how they are feeling before they establish control. For instance, a split-second lip raise is a sign that somebody is happy or content with how you are interacting with them.

 

By looking for these minor tells, it becomes possible to tailor my interaction with them to achieve my goal, manipulating their emotion to allow me to proceed.

 

Exploiting Stereotypes

When it comes to social engineering, I will often look to exploit the stereotyped behaviours of the different genders. 

 

For instance, when trying to gain entry to an office, if I can see that the gatekeeper is female, I will pretend to be on a phone call to a boyfriend who is upsetting me, as this will often generate a sympathetic response that I can work to my favour.

Equally, if the gatekeeper is male, I will again pretend to be on the phone with a boyfriend, but act angry, ranting into my mobile as men tend to want to steer clear of this behaviour and will give me access just to avoid confrontation with me.

 

Manipulating the Situation

A final tactic in a social engineering exercise is to create or manipulate a situation that guarantees you will get what you want. For instance, in an open plan office, you might be able to establish who the manager is. You can then approach them, announcing very loudly that you are from head office and you need their laptop as it has been flagged that as a result of viewing porn it has malware running on it.

 

Out of embarrassment and desperation to clear their name, they will very quickly hand over the laptop – which will usually have all credentials and elevated access rights on it – that can then be taken away and used to gain access to the infrastructure in a cyber-attack or in this case, a penetration test.

 

Manage the Risks of Social Engineering Hacks

With so much focus on the technical tools required to compromise a network, it is often overlooked that networks and devices are manned by people. 

 

As such, when evaluating vulnerabilities, it is critical that social engineering is an integral part of penetration testing.

 

Penetration testing and adversary simulation of this kind are an integral part of overall security risk assessment and management within a business. Understanding where opportunities for socially-engineered attacks arise in your day-to-day processes is the first step to overcoming them. As such, they should be built into your business’ compliance and risk management plan.

 
