Peter Hall
May 17 2024
Due to the rapid evolution of online technologies, it is critical that cybersecurity awareness for individuals and organisations is improved and treated like essential knowledge. Organisations and people who are not aware of the risks involved with the online world are more likely to be tricked and compromised by attackers, which could lead to disastrous consequences.
This blog aims to explore how attackers can use human psychology for malicious purposes, and how we can educate ourselves and hopefully reduce the risk of being exploited.
The Human Element in Cyber Threats
Attackers exploit psychological vulnerabilities by leveraging social engineering techniques, such as phishing emails or pretexting calls, to manipulate human emotions and behaviours. They capitalise on factors like trust, curiosity, fear, or urgency to deceive users into disclosing sensitive information, clicking on malicious links, or downloading malware.
By crafting convincing scenarios that resonate with victims' psychological triggers, attackers can bypass technical security measures and gain unauthorised access to systems, steal credentials, or execute other malicious activities, exploiting the innate human inclination to trust and respond to social cues.
‘Vishing’ (voice phishing) is a commonly used attack in which the attacker phones a victim while impersonating someone else, in order to make them disclose sensitive information or carry out actions the attacker needs for further exploitation. A study by Agari and PhishLabs found a five-fold increase in attempted vishing attacks between 2021 and 2022.
Given this clear increase in social engineering-based attacks, it is crucial that organisations and the public are aware of the tactics attackers employ. Educating people on these tactics can reduce the likelihood of a successful attack, especially against those who may be more vulnerable, such as people who are less technically literate.
Social Engineering and the Mind Games
Human emotions can be manipulated and are often targeted by attackers, especially when performing phishing or other social engineering attacks. Attackers may use the following techniques to increase the likelihood of a successful attack:
- Creating a sense of emergency or urgency, for example claiming that your ‘bank’ has detected suspicious activity on your account.
- Exploiting empathy, for example pretending to be a charity for animals or underprivileged people, or using sound effects (such as a baby crying in the background) to suggest they are in a stressful situation.
- Making an offer that is too good to be true, such as cheap electronics or holidays.
A real-world example of a phishing attack that exploited users’ emotions was the 2020 campaign against the Spectrum Health System. Using a combination of intimidation and flattery, attackers succeeded in obtaining personal information, access to personal devices and, in some cases, money from users of the service.
To help identify and thwart social engineering attempts observe the following tips:
- Be sceptical: Unexpected requests for sensitive information or urgent actions are likely social engineering attempts.
- Verify: Always confirm the identity of the requester by contacting them directly, e.g. if someone claims to be from your bank, call your bank directly to confirm.
- Check URLs: If being asked to click a link thoroughly check the URL and make sure it matches the legitimate domain, for example an attacker may want you to visit ‘facebo0k.com’ rather than ‘facebook.com’.
- Educate yourself: Stay up to date with the latest news regarding cyber security and social engineering. This will help with maintaining best practices and understanding the latest threats.
- Report suspicious activity: If you suspect a social engineering attempt, report it to your organisation or to the relevant party, e.g. your bank.
- Trust your instincts: If something feels wrong, it probably is.
- Use security awareness training: Regular security awareness training educates employees about threats and how to recognise and respond to them correctly.
Phishing Awareness and Human Vulnerability
When performing phishing attacks adversaries will exploit psychological triggers such as curiosity, fear, urgency and trust. Phishing emails will often play on people’s emotions for a response by using the following methods:
- Using intriguing subject lines to attract attention.
- Setting a tone of urgency by claiming that something must be actioned immediately.
- Using well-known organisations’ logos and styles to gain the victim’s trust.
- Exploiting people’s empathy by pretending to be someone in need or a charity.
Despite the evasive methods attackers will use when performing phishing attacks, the following signs can help people to recognise these attempts:
- Being asked to click on a URL.
- Checking any link’s URL (without clicking it) to see whether it resolves to where you expect.
- Checking the sender’s email address, e.g. someone claiming to be from Facebook may have an address like ‘joe.bloggs@facebo0k.com’, which at a quick glance can look legitimate.
- Requesting personal / sensitive information.
- Unexpected emails, for example a ‘missed delivery’, when nothing has been ordered.
- Poor grammar and spelling.
- Urgent and threatening messages, such as “Your account will be closed if this is not actioned”.
- Unexpected attachments: attackers attempting to deliver malware will attach the malicious files to their emails.
- Verify with the company, e.g. if you receive an email claiming to be from your bank, check with your bank directly.
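The URL and sender-address checks above (the ‘facebo0k.com’ example) can also be automated on the defender’s side, for instance in a mail gateway or SOC triage script. The following is an added example, not code from the original post or from Secarma: it folds common look-alike characters and measures edit distance against a small constructed list of protected brand domains; the domain list, the confusable table and the sample From headers are all assumptions.

```python
import re

# Constructed list of brand domains this check protects (assumption: an organisation
# would substitute its own list of banks, partners and SaaS providers).
PROTECTED_DOMAINS = ("facebook.com", "paypal.com", "examplebank.com")

# Character swaps that let a lookalike domain pass a quick glance, e.g. facebo0k.com.
# Assumption: an illustrative subset, not a complete confusables table.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}


def normalise(domain):
    """Fold common homoglyphs so 'facebo0k.com' and 'facebook.com' compare equal."""
    folded = domain.lower().translate(CONFUSABLE_CHARS)
    for pair, char in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, char)
    return folded


def edit_distance(a, b):
    """Levenshtein distance; a single typo from a protected brand is a strong lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header):
    """Pull the domain out of a From header such as 'Facebook <joe.bloggs@facebo0k.com>'."""
    match = re.search(r"@([a-z0-9.-]+)", header.lower())
    return match.group(1) if match else ""


def classify_sender(header):
    """Return (verdict, reason): 'trusted', 'lookalike' or 'unknown' against the protected list."""
    domain = sender_domain(header)
    if not domain:
        return "unknown", "no address found"
    if domain in PROTECTED_DOMAINS:
        return "trusted", domain
    folded = normalise(domain)
    for brand in PROTECTED_DOMAINS:
        if folded == brand:
            return "lookalike", f"{domain} folds to {brand}"
        if edit_distance(domain, brand) <= 1:
            return "lookalike", f"{domain} is one edit from {brand}"
    return "unknown", domain


# Constructed sample From headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "Facebook <joe.bloggs@facebo0k.com>",
    "PayPal Security <alerts@paypal.com>",
    "Bank Alerts <noreply@examp1ebank.com>",
    "Facebook <security@faceboook.com>",
    "Courier <delivery@parcel-tracking.example>",
]


def scan_senders(headers=SAMPLE_FROM_HEADERS):
    """Classify every header; returns (header, verdict, reason) tuples for triage."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan_senders():
        print(f"{verdict:9} {reason:45} {header}")
```

A ‘lookalike’ verdict is a triage signal to verify with the real organisation, as the list above advises, not proof of malice on its own.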
While the above methods are useful for spotting and avoiding phishing attacks, the most effective method is regular training. Educating organisations and the public on the most common, and the more sophisticated, social engineering techniques reduces the likelihood of a successful attack and improves the cyber hygiene of organisations and individuals alike.
Employee Training for Cyber Hygiene
Effective employee training for cyber hygiene consists of the following crucial elements:
- Comprehensive content: Many topics need to be covered, ranging from phishing awareness and password security to data protection and safe browsing practices. This provides a broad understanding of the various cyber threats.
- Engagement and interactivity: Rather than lecturing people on best practices, giving them ways to engage with the educational content, such as quizzes, real-world scenarios and simulations, provides more engagement and better retention of information.
- Customisable: Ensuring the content is tailored to the needs of the organisation / person will improve the relevance and effectiveness of the course.
- Regularly updated: As the cyber world is ever evolving so should the educational content to keep up to date with the latest threats and developments.
- Clear policies and procedures: Policies and procedures need to be clear and concise so that those who follow them understand them fully, which also makes the content easier to learn.
- Management support and involvement: When an organisation’s leadership is involved in the training, it sets a tone of importance and relevance for everyone else within the organisation.
- Measurable goals and metrics: Establishing clear goals and metrics makes it easier for organisations to track how effective the training programs are and identify areas which need improvement.
- Continuous education: Implementing ongoing training as well as reinforcement activities ensures cybersecurity remains a priority and employees remain vigilant against new threats.
An example of a successful training initiative is Secarma’s simulated social engineering campaigns. Our security experts have performed both one-off and regular simulated phishing engagements to help customers identify the people within their organisations who may be more susceptible to phishing emails. With this service, customers have been able to identify the employees most at risk and provide them with further training, reducing the risk of the business being compromised via social engineering.
However, as organisations and the people within them often change, alongside ever evolving cyber threats, it is important to maintain and update education regarding the various threats that exist.
Cognitive Biases and Decision-Making in Cybersecurity
Cognitive biases exert significant influence on risk assessment and decision-making. Individuals are often subject to confirmation bias without realising it, favouring information that confirms their pre-existing beliefs and ignoring contradictory evidence.
Availability bias prioritises easily accessible or recent information over more relevant but less salient data. Anchoring bias fixates decision-makers on the first information they receive, colouring their subsequent judgements. Collectively these biases distort risk assessments, potentially leading to threats being underestimated or certain risks being overemphasised, and so to flawed decisions.
These biases cannot be eliminated, but to recognise and mitigate their impact, several strategies can be utilised:
- Implementing decision-making frameworks, such as structured decision analysis, helps counter confirmation bias by systematically evaluating evidence.
- Encouraging diverse perspectives and independent review processes can mitigate biases like groupthink and confirmation bias.
- Utilising data-driven approaches and considering multiple scenarios reduces reliance on availability bias.
- Training and awareness programs raise consciousness of biases, enabling individuals to recognise and counteract their influence in decision-making processes.
Countering cognitive biases begins with enabling individuals to recognise and acknowledge that they exist. People who are educated and trained on these biases can learn to identify them in their own thinking and employ strategies to reduce their influence, which leads to more rational and objective decision-making.
Conclusion
Human psychology can be manipulated by attackers to increase the likelihood of their attacks succeeding. Understanding how attackers target the psyche of potential victims will therefore help organisations and the public reduce the risk of being tricked into providing sensitive information or placing themselves in a vulnerable position.
It is recommended that organisations integrate human-centric approaches when creating security strategies. Careful consideration of how people will react and respond to training materials, as well as to real-world threats, should be an essential part of any security strategy.
Fostering a culture of proactive defence through regular training, education and ongoing awareness will help reduce the risk of organisations and the public being harmed by attackers looking to exploit the human psyche for their own nefarious purposes.