Written by Anastasios Arampatzis*

Social Engineering is defined as the psychological manipulation of human behaviour into people performing actions or divulging confidential information. It is a technique, which exploits our cognitive biases and our basic instincts, such as confidence, for the purpose of information gathering, fraud or system access. Social engineering is the “favourite” tool of cyber criminals and is now primarily used through social networking platforms.

Social Engineering in the context of cyber-security

The conduct of the staff has a significant impact on the level of an organisation’s    cyber-security, that by extension means that social engineering is a major threat.

The way we train our staff in cyber-security, affects the cuber-security of our organisation, as such. Recognising staff’s cultural background of our company and planning their training in such a way that responds to various cognitive biases can aid to the establishment of an effective information’s security. The ultimate objective should be the development of a cyber-security culture within the meaning of attitude, notion, cognition and behaviour that contribute to protect sensitive and relevant information of an agency. A substantial part of cyber-security culture is the risk awareness of social engineering. If the officials do not consider themselves as part of this effort, then they disregard the security interest of the organisation.

Cognitive exploitation

The various techniques of social engineering are based on specific characteristics of the human decision-making process, which are known as cognitive biases. These biases are derivatives of the brain and the procedure of finding the easiest way possible to process information and take decisions in a swift. For example, a characteristic feature is the representativeness, the trend namely, to group related items or events. Each time we see a car, we do not have to remember the manufacturer or the colour. Our mind sees the object, the shape, the movement and indicates that this is a “car”. Social engineers exploit this characteristic through sending phishing messages. We receive a message with the logo of Amazon and we do not check if it is false or not. Our mind says that this is coming from Amazon, that we trust it and so we click the link and we give away our personal data, as our card number. Similar attacks aim to interception of confidential information for the staff, as i.e. manipulation, fraud by phone. If any person is not adequately trained to face such attacks, he will not even understand their existence.

Principles of Influence

Social engineering is largely based on the six principles of influence, as outlined in the book of Robert Cialdini “Influence: The Psychology of Persuasion” which briefly are:

1. 1. Reciprocity: obligation to give when you receive
   2. Consistency: looking for and asking for commitments that can be made
   3. Consensus: people will look to the actions of others to determine their own
   4. Authority: people will follow credible knowledgeable experts
   5. Liking: people prefer to say yes to those that they like
   6. Scarcity: people want more of those things there are less of

The scandal of Cambridge Analytica

After the election of the President Trump many media were discussing the possibility that social engineering strategies might have been used to influence public opinion. Revelations for Cambridge Analytica and the data’s use of users of Facebook does not only raise doubts as to data’s privacy and the lack of user’s consensus, but demonstrates the ease with which companies can plan and raise social-engineering campaigns against a whole society.

As for commercial advertisements, it is very important to know your target group, in order to reach your goal with the less possible effort. This is true for every influential campaign and what the scandal of Cambridge Analytica proved is that social engineering is not only a threat to cyber-security of a company or an agency.

Social engineering is a threat to political stability and the free and independent political dialogue. The advertising techniques used in social networking platforms raise many ethical dilemmas. Political manipulation and spreading misinformation and disinformation largely alleviate the existing moral issues.

The threat to Societies 

Is it possible for social engineering to trigger a war or social unrest? Is it possible for foreigners to deceive citizens of a state in order to vote against their national interest? If a head of a State (I will not use the word leader) wants to manipulate his/her State’s citizens, can he/she succeed it? The answer to all these questions is yes. Social engineering through digital platforms, which have invaded every social structure is a very serious threat.

The fundamental idea of democracy is that the power is vested in the people and exercised directly by them. Citizens can express their opinions through an open, protected and free dialogue. Accountability, especially of government officials, but also individuals, is equally an important principle of democracy. Through the mass collection and exploitation of personal data with no accountability, these principles are endangered.

However, at this point it should be noted that it is not only social networking platforms to blame, such as Facebook, for any disinformation campaign or political manipulation. These platforms actually reflect our actions. We create our own sterile world, our “cycle of trust”. Therefore, the threat is not the means by themselves, even if they have a share of responsibility in their way of collecting data and advertising practices. The real threat are the devious ones and how they exploit these platforms.

Large-scale campaigns of social engineering, which are taking advantage of human trust, contaminate public dialogue with misinformation and distort reality and can pull societies back from the brink. The truth is doubted more than ever and political polarisation is increased. Spreading news on social media with no accountability leads to political distortion, lack of confidence in the political system and the election of extreme political parties. In brief, social engineering is a serious threat to social and political stability.

Response to the threat

The key to tackling social engineering, considering that tactics are aiming to lack of knowledge, to our unawareness and our prejudices, is awareness. The approach of raising awareness has dual effect: on the one hand we can develop strategies and good practices to confront social engineering as such, on the other hand we can develop policies to reduce the results of social engineering.

In contrast to what is happening in responding to malicious software, in order to address social engineering we cannot just “install” some kind of software to humans in order to stay safe. As Christopher Hadnagy notes in his book “Social Engineering, The Art of Human Hacking”, social engineering requires an holistic, people-focused approach, which will be focused on the following axes:

1. 1. Learning to recognise social engineering attacks
   2. Creation of a personalised program on cyber-security awareness
   3. Consciousness of the value of information searched by social engineers
   4. Constantly updated software
   5. Exercises through a simulation software and “serious” games (gamification)

Confrontation of social engineering should become part of a wider training of our digital security. To combat social engineering on a society level we should be trained for the vulnerability of modern means of communication (i.e. social media), for the reasons, why they can be used for people’s manipulation (i.e personalised advertising, political communication) and for the ways in which they are manipulated (i.e. fake news). Awareness is the key to develop critical thinking against social engineering.

*Anastasios Arampatzis is member of Homo Digitalis, demobilised Officer of Air Force with more than 25 years experience in relevant aspects of security of information. During his time in the Office of Air Force, he was certified NATO evaluator in cyber-security cases and has been honoured for his knowledge and his efficiency. Nowadays, he is a columnist on State of Security of Tripwire firm and for the blog of Venafi. His articles have been published in many well-respected websites.

Written by Vasilis Vasilopoulos, DPO of ERT

Checking your credit card purchases you seem to be consuming a lot of snack, alcohol and fast food, and only a small part of your purchases in healthy foods such as vegetables, proteins and fruits. The fatty food that the machine can understand you buy   is registered on the screen of your insurer, who adversely changes the terms of your contract.

The insurance company has been notified of your low risk of heart disease, but the life you lead, according to what you say in your Instagram posts, probably puts you in the high risk groups, as you always keep a cigarette and a glass of alcohol while you are with friends at a bar. The insurer will not let his company risk with you.

If you think that all the above are scripts written for Netflix movies, then what happens now with surveillance capitalism can be easily explained. Because these scenarios really happen! In fact, your follow-up continues in every venue, in any online environment or smart device. If you are indifferent about your personal data, it is even worse to ignore the fact that those who collect them earn money from coming to conclusions from them.

Understanding the knowledge gap is terrifying. As every Bank assesses your creditworthiness to identify a bad payer who makes a comfortable life avoiding debt repayment, insurance companies also want to know, before and after signing a contract with you, anything that relates to your health and the quality of life you live. On the other hand recruiters would like to know everything about you and your social life. They would like to find out if you are in bed with a fever or at some recreation area and you deceived your employer.

The knowledge gap that can be defined as a lack of understanding of the ability of the algorithm to draw conclusions, which reduce losses or increase profits to the surveillant, is due to the unceasing rate of digital tools and the one-way   convenience, the charm of the comfort zone in work life, consumption of goods and our social relations.

Even worse, you cannot understand how you will lose something important, if the unknown who collects your data gain maximum profit. In other words, you cannot understand that you have sold your self-determination right to do what you want, enjoying a temporary sense of comfort and ease. For example, at the first level of   lack of understanding   algorithmic conclusions, you behave to your data as if they were worthless. On the second level, you realize that the algorithmic conclusion made from spying on your life significantly adds value to the one who took your data. Additionally, you are not sure if what you provided is a commodity that you exchanged with a free service of convenience, or a currency with which you bought luxury service for your everyday life.

There are tremendous questions you need to have answers to. To whom your data belong? Is data a commodity or a currency? Can be disconnected from yourself or are genetic features that define and allow you to decide on your life?

You can just do two evaluation tests yourself and you will get the answers that concern you:

-If you did not take up credit card convenience or if you did not follow the moments of entertainment and consumption of luxury goods, would you be losing or gaining from some algorithmic processing or more generally in your life?

-If you want to make yourself more secure of your privacy or hide from surveillance and the possible damage to your rights and freedoms, would this be a violent punishment or joy of celebrity since you reveal aspects of your personality, your relationships and behavior?

Written by Nikodimos Kallideris

“Everyone is guilty of something or has something to conceal. One must only look hard enough to find what that is” (Aleksandr Solzhenitsyn).

Frankly, did you know that according to statistical surveys the account holders on Facebook are more than five million in Greece? Respectively, active accounts on Google are even numerous with intensive growth rates…

Have you noticed that the use of the extremely useful and responsive accommodating services of both platforms is offered without any payment? They are totally free -or not? After all, it seems that they are not! The two platforms, like many others, “fed” on your personal data, that you provide them with during their use. Our personal data have been named the “the oil of the 21st century”. Of course, you have previously given your consent to provide them to the platforms; but really, are you aware of the volume of your personal data, that are stored in their servers?

Let us first look at Facebook:

As a data subject, you have the right to access (GDPR Article 15) according to which you can make a request and get in return from the company (the data controller) everything they have stored that concerns you. You can exercise the right to access following the link: https://www.facebook.com/help/1701730696756992

Having submitted the request and anticipated the necessary time for its processing, you will receive a file, in which you will find: all personal written or audio messages you have sent, the exact time, the place and the device with which you were connected each time in your account, the applications used, your photos and videos and there is no end… All these from the outset of your account’s creation until today!

So, let us come now to Google:

If you have turned on GPS on your smartphone, Google records the history of every location you have been to, in conjunction with the period you stayed at each of them and the duration of the transition from one location to the other. Do you want to find this out on your own? Follow the link: https://www.google.com/maps/timeline?pb

You can also find easily your whole search history from every device even if you have deleted it (https://myactivity.google.com/myactivity) but also your search history on YouTube (https://www.youtube.com/feed/history/search_history).

Seek now to download on your computer every stored data by Google (https://takeout.google.com/settings/takeout). Do not be surprised by the volume of the file, which for that reason will may need several hours to be sent. It is likely to be several gigabytes in size, always depending on the frequency and the type of services’ use. In the file, you will find everything; from the deleted e-mails up to your navigation history in every detail, your calendar, the events you attended, your photos, purchases you made from Google and many others… Besides that, if you are connected in various platforms through your Google account (log in with Google) many of your sensitive personal data are recorded unintentionally, such as the place you are staying at, you are studying or working, the number of your friends on Google Plus, your gender, your name or the languages you speak. Any movement you make on the Internet has left in clear and indelible lettering its digital footprint even if you are not able to remember it right now.

Photo shows the data that a platform of electronic orders learnt for Manos Mandrakis, member of Homo Digitalis, when he connected to it using his Google account. 

  Having followed the above steps, do you feel slightly numb or terrified? Not surprising at all! You might feel “digitally naked” and that an invisible power, such as Jeremy Bentham’s narratives, is constantly recording your moves and can make extraordinarily important conclusions from them. Against you or for your benefit? It depends on the incentives of your data’s holder. In any event, Facebook and Google possess information that you have never shared even with your family or your best friend.

Bear that in mind! The modern digital world of information offers you improbable facilities but also countless risks. Only you can protect yourself! And if you repeat the familiar and hazardous naive “I have nothing to hide” I would urge you to deepen on the saying written in the upper part of the article.