I was recently hired to speak at an event in Paris. I love the city; however, this particular visit was during an unfortunate time. Paris is suffering from some of the worst and most violent rioting in many years. As a social engineer I am interested in human behaviour, and one particular area of interest for me lies in the principle known as “social proof”.
What started as a revolt against fuel prices turned into a full-blown, violent rejection of President Macron’s reforms. The gilets jaunes or “yellow vest” movement, so named because of the yellow safety jackets they wear, began protesting in mid-November. What started as peaceful protests morphed into explosive clashes with police. Demonstrators have been ransacking shops, smashing up part of the iconic Arc de Triomphe, barricading roads, setting cars ablaze and violently clashing with police. Police have responded with teargas and sadly so far seven people have lost their lives. Across the country over 130,000 people engaged in demonstrations in one weekend. A 12-hour battle went on between police and rioters in Paris at the weekend. Many are claiming it has gone beyond a riot and to the “point of insurrection or even civil war”.
The great majority of rioters are men and women in their 30s and 40s, probably hard-working, law-abiding, moral members of society who are now caught up in a mob committing acts they probably wouldn’t have even entertained a while ago.
Likewise, you are probably sat reading this sipping your coffee, unable to relate to a feeling where you would smash up a priceless monument or set a car ablaze. Yet ordinary coffee-drinking individuals like yourself can change from peaceful protesters to violent rioters. How does this happen? There are many factors at play in each scenario, from the underlying grievances to police response and even the temperature in which the protest occurs. However, there is one social factor which rears its head in these cases. It is a hugely persuasive force that can influence us all. This principle of persuasion is known as “Social Proof”.
A Crash Course In Social Proof
Social Proof boils down to following what others are doing when we are uncertain of how to act ourselves.
As a principle it provides us, as human beings, with a mental shortcut for working out how to behave without weighing up the pros and cons of everything we do. This allows us to act fast; however, these mental shortcuts can leave us vulnerable to attacks by profiteers and malicious actors. You will see this being used every day in advertising, in phrases such as “fastest selling product” or in parading “average joe” in front of a camera to testify how amazing the product is, all to encourage us to follow others and buy the product.
One of the most famous and perhaps disturbing examples of just how powerful social proof can be is the Kitty Genovese case. Kitty was murdered on her home street on her way home from work in New York. During the investigation the police uncovered something disturbing. Everyone in the block of flats outside of which she was murdered had heard, and in some cases seen, the murder taking place. They did nothing. These people were presumably good, moral citizens so how could they do nothing?
The bystander effect
Psychologists theorised that bystanders (the neighbours) would be less likely to act if there were other bystanders present too who were also doing nothing. You have probably experienced this before without realising it:
Let’s say that you come across a man lying on the pavement outside of the train station. Looking at him you have to decide whether he needs help or not. Has he had a heart attack or stroke, or is he a drunk merely sleeping it off? You will look around for “evidence” to help you decide. Are there ambulances coming towards the man? How are the other commuters reacting to the man? Everyone else seems to be walking straight past him. So what do you think your mind would conclude? The crowd has formed a tribe and the tribe’s behaviour has told you it is okay to ignore the man. This is exactly what happened in the Genovese case.
The tribe mentality can be better understood as the “safety in numbers” idea. We believe that if everyone is doing something then it must be okay, safe and morally acceptable. We look to others for guidance when we are uncertain as to what to say, how to act and who to follow. Social proof therefore operates best alongside uncertainty.
Social Proof and “Mob Mentality”
“Mob mentality” is closely linked to social proof. Being part of a large group can lead to deindividuation, feeling less of an individual. The main consequence of this is we experience a decreased level of self-evaluation. We are less critical of our own actions and our threshold for what is not acceptable behaviour drops. We will start to allow the group as a whole to dictate how we behave as individuals. In a group we feel less personally responsible for our actions. “Everyone else is doing the same thing so I won’t be singled out”. This “mob” behaviour has been studied extensively by psychologists over the years. They have also discovered that the more we identify or relate to a group of others the more likely we are to conform to what they are doing. You can see this in the Genovese case (the bystanders were all neighbours) and the France riots (a shared political goal).
Shared sense of disenfranchisement?
In Paris the groups that are rioting have a shared political goal and a shared sense of disenfranchisement. They identify strongly with each other and so, because they are fighting for the same cause, they will feel more strongly compelled to conform to the actions of the group as a whole. This is why ordinary, law-abiding people can end up as part of a violent mob carrying out acts that they probably would have shaken their heads at weeks before. This is also why you may watch the riots and struggle to understand why they are behaving as they are. You are not part of their group.
Social Proof and Compromising Company Security
In information security, understanding how social proof can operate to compromise a company’s security is very important. Social proof is a hugely effective weapon deployed by attackers against unsuspecting, hard-working employees.
Here are a few ways that malicious actors could deploy this weapon against you:
Malicious emails are by far the fastest growing and most prolific attack vector around. Attackers can use social proof in their phishing emails to encourage staff to open malicious attachments or links, or to input their credentials.
“Please can you ensure that you fill in this end of quarter staff appraisal. Your Christmas bonus can’t be assessed until it is complete, and you are one of the only employees yet to complete it…”
This leads Kevin to deduce that a) everyone else has done it so it must be safe and b) even if it is malicious, he won’t be held personally responsible because everyone else has done it too. His feelings of personal responsibility have reduced, and he feels compelled to act like his colleagues.
To help with this topic I asked my good friend Chris Hadnagy, author and CEO of Social-Engineer LLC, how he uses social proof in impersonation. He said, “There was this one job where we needed to gain access to the C Level and some of the offices for the CEO, CFO etc. I used a service industry pretext and when I approached the gate keeper I had on top of my clipboard signed work orders marked as ‘COMPLETE’ for many of the other C Level folks. When she asked me how she could help, I would flip through the completed ones making sure she could see them as I slowly turned and when I got to her boss’s name, I would say, ‘I just need a few minutes to take care of the service in his office.’ It worked like a charm, it was easier for her to accept letting me in since all of her fellow gate keepers already said ‘yes’. This is just one of dozens of times I have used this principle to breach an organization.”
How to protect yourself
The first thing to understand about social proof is that for it to work your brain has to be in “autopilot” mode. The best protection is to turn autopilot off in situations where you can’t afford to be vulnerable. Sadly, this isn’t a button you can press; it takes time to master. An effective strategy is to pause. Take a break from the situation you are in. Pausing gives you time to think and assess the situation consciously, turning off autopilot in the process.
“Maybe I’ll ask if other staff have done this survey”;
“Maybe I will ask that suspicious looking blonde woman why she appears to be picking the lock on that server room”;
“Maybe I will stop and consider the impact of throwing this Molotov cocktail”.
Program your brain
Start to program your brain to recognise things and words that should act as “triggers” for your mental alarms to be set off. These are signs that autopilot needs to be disengaged and more mental processing power needs to be diverted to make this decision.
In a time of fake news and social media it is more important than ever that we don’t just “follow the crowd” online by proliferating and adding credibility to fake news stories. A social media mob mentality exists too. Trolling and abusive online behaviour often takes the form of a “mob”: groups of people targeting one person, collectively growing in inappropriateness and aggressiveness. The same principles apply to online mobs as they do to the people burning cars on the streets of Paris and the office workers following their colleagues. Pause. Think. Do you really want to do this?
We have to think for ourselves, especially in situations where our actions impact others or compromise the security of our company.
So next time you feel like following the crowd, stop and think: are you following them to safety or self-destruction?
Red Goat Cyber Security runs classroom-based social engineering training in the UK and overseas for companies that want to defend against social engineering attacks.