In the myth of Troy, the leaders of the famous city in modern-day Turkey thought they’d outsmarted the Greeks who had tried and failed to take the city by force. But the Greeks knew of the Trojans’ belief in superstition. And so they devised a cunning plot that played on it.
The Greeks constructed a giant wooden horse and placed their best warriors inside. Then they feigned defeat and retreated from the battlefield, leaving only the gigantic horse - seemingly a trophy for the victors - behind.
So, the Trojans wheeled the gift inside the city walls and the Greeks within waited for nightfall.
The famous myth of Troy, retold for thousands of years, is familiar to those of us working in cybersecurity. Because like the Ancient Greeks, modern-day social engineers are also highly-skilled at exploiting human emotions.
A 21st century equivalent of a large wooden horse is a bogus SMS message purportedly from a trusted friend or colleague. And inside that message lies a malicious link that can cause almost as much malaise as a crack group of Athenian warriors.
It’s often forgotten that many of the tactics employed by bad actors today are actually nothing new. The psychology of social engineering has been perfected by human beings for thousands of years.
We’ve sometimes described cybersecurity as being a bit like a form of martial arts. The defender is constantly having to enhance his craft to block attacks that are coming at him from all sides and are growing in complexity all the time.
The defender might sometimes think he’s on the verge of victory. But the attacker knows that he has a trick up his sleeve: deception targeted to appeal to base human emotions.
There’s a reason why social engineering often feels like such a pervasive threat, persisting despite the sophistication of cyber security tools. It’s because the psychology of social engineering is designed to appeal to human emotions. However smart we think we are, we’re all - even those of us who work in cybersecurity - susceptible to welcoming these emotions in a moment of distraction or vulnerability. And then we can be tricked.
Mimicry and deception exist in flora and fauna, too. There are plants and animals that pretend they’re something they’re not either to attract prey or to convince predators that they’re not worth attacking.
But the skills we now recognize as social engineering are most commonly associated with the human race. After all, we haven’t risen to the top of the food chain because of our immense strength and ferocity. Instead, our power lies in our intelligence, cooperation skills, and the trust that we place in one another. As Yuval Harari explains in his popular book, Sapiens, there’s no way the human race would have risen so far without our ability to tell stories.
It’s just that not all of these stories are true.
In 1943, the Allied forces needed to open up another front in Europe to alleviate the pressure on the Soviet Union. Sicily was the most logical choice - the only problem was that the Germans knew this, too. So, the allies needed to think of a way to distract them and convince them that Sardinia was the real target.
The solution they happened upon was more than a little leftfield. It involved an already-deceased man, a briefcase, and an array of manufactured documents.
British Intelligence procured the body of a homeless man in London and dressed him as a Royal Marines officer named Major William Martin. And in his briefcase, chained to his wrist, they stuffed a host of classified documents - all of which pointed to an imminent invasion of Greece and Sardinia.
The body was dropped into the sea off the coast of Spain to be discovered by Spanish fishermen. The British were confident that the Franco regime in Spain would hand over the plans they’d discovered to the Germans.
They were right. And the Germans were suitably convinced by the deceit to move sizable military resources away from Sicily.
Interpol defines social engineering in the following way:
Social engineering fraud is an extensive term that encompasses the tricks employed by criminals to exploit an individual’s trust, aiming to either directly obtain money or extract confidential information for future illegal activity. While social media is the favourite conduit, it’s not uncommon for these interactions to occur over the phone or face-to-face.
“To exploit an individual’s trust.”
This is the sad truth behind the psychology of social engineering attacks - they tend to prey on positive emotions. Though it might not always seem that way, we’re inclined to see the good in people most of the time and to act in a kind way towards others. That’s why you might have once held the door open for someone at your office building and only later wondered whether they actually worked there. Our instinctive reaction is to hold the door open before we begin to suspect the person walking behind us. This is something tailgaters are well aware of and their online equivalents are constantly looking to exploit it.
However it might happen, being tricked in the digital world is a massive problem on both a micro and macro level. For individuals it can cause savings that have taken years to accrue to disappear in seconds. And for the economy as a whole, the impact is shocking. Social engineering attacks have led to considerable monetary losses in the United States alone. In 2021, vishing attacks resulted in approximately 30 billion USD in losses, and in 2023, business email compromises had caused an astounding loss of 50 billion USD. Various research studies and reports categorise social engineering as an integral aspect of the majority of cyber attacks.
Much like the Greeks at Troy, modern social engineers often conceal their true intentions under the guise of presenting a gift. They use impersonation to exploit trust and other human emotions. They impersonate entities trusted by the victims - this could be their friend or bank - to dupe them into divulging confidential information, clicking on harmful links, or unwittingly installing malicious software. Much of the losses recorded in the US above are from victims’ bank accounts that they unwittingly allowed access to.
At the beginning of the 17th century, False Dmitry I ruled Russia for nearly a year after successfully masquerading as the rightful heir to the throne. He’s the only Tsar to have risen to power after a military campaign or popular uprising.
False Dimitry’s reign occurred during a tumultuous era in Russia known as The Time of Troubles. He claimed to be Tsarevich Dmitry Ivanovich, the youngest son of Ivan the Terrible - a boy who had supposedly died in childhood under mysterious circumstances.
A man of uncertain origins, False Dmitry surfaced in the Polish-Lithuanian Commonwealth around 1603. He asserted that the child who had passed away was not the Tsarevich, but a stand-in. He claimed to be the true Tsarevich who had been spared and had been living under the radar for years and began his bid for the Russian throne, arguing he had been unjustly stripped of his birthright.
Endowed with powers of persuasion and a slight resemblance to the late prince, False Dmitry I managed to convince numerous influential Polish nobles and the Catholic Church of his legitimacy. His declared intention to convert to Catholicism, which would bolster Poland's sway over Orthodox Russia, also won him allies.
Equipped with Polish support and several thousand troops, he spearheaded a march on Russia. His assertion of being the legitimate Tsar resonated with many, allowing him to grow his forces still further. His charisma and reformist promises endeared him to the common folk and even some boyars (Russian nobles).
Upon reaching Moscow, he managed to capture the Kremlin and was inaugurated as Tsar Dmitry Ivanovich. As a skilled social engineer, False Dmitry manipulated his surroundings through the guise of a royal persona, exploited the political environment, and utilized charismatic persuasion to secure the throne.
The key to False Dimitry’s success - however short (his name hints at his legacy!) - is the period of chaos he lived through. Pseudo-Philip was able to secure the throne in Macedon in a similarly turbulent period nearly two millennia earlier.
This story, too, is reflected in the modern-day psychology of social engineering. Because attackers using these techniques tend to thrive in times of upheaval and uncertainty. Times when emotions run high and rational thinking is often forgotten in favour of impulsive reactions based on emotion.
This helps to explain why there was such a surge in social engineering attacks during the covid pandemic. Bad actors knew that people were more vulnerable and more open to advice from authorities than they’d been for a long time. The conditions, in other words, were just right for people to fall for bogus bank messages and texts telling them their parcel would be released “if only they clicked on this link”.
The most accomplished social engineers can do more than merely exploiting such conditions. They can orchestrate situations where rational thinking is undermined, goading individuals into relying on emotions rather than lucid, rational thought. They engineer circumstances where human intellect is superseded by emotions.
And if anything, this task is infinitely easier for the modern-day social engineer because of the smartphone. It’s much easier to be tricked in a millisecond when you’re so used to reacting rapidly to notifications that ping almost ceaselessly on your device.
But don’t be fooled - the techniques attackers use are nothing new. The truth is they’ve been finely honed over thousands of years of history.
Check out our report into the state of mobile app security to understand how attackers exploit emotions in the digital world.