Peter Hall
May 17 2024
Due to the rapid evolution of online technologies, it is critical that cybersecurity awareness for individuals and organisations is improved and treated like essential knowledge. Organisations and people who are not aware of the risks involved with the online world are more likely to be tricked and compromised by attackers, which could lead to disastrous consequences.
This blog aims to explore how attackers can use human psychology for malicious purposes, and how we can educate ourselves and hopefully reduce the risk of being exploited.
Attackers exploit psychological vulnerabilities by leveraging social engineering techniques, such as phishing emails or pretexting calls, to manipulate human emotions and behaviours. They capitalise on factors like trust, curiosity, fear, or urgency to deceive users into disclosing sensitive information, clicking on malicious links, or downloading malware.
By crafting convincing scenarios that resonate with victims' psychological triggers, attackers can bypass technical security measures and gain unauthorised access to systems, steal credentials, or execute other malicious activities, exploiting the innate human inclination to trust and respond to social cues.
‘Vishing’ is a commonly used attack in which the attacker phones the victim while impersonating someone else, to make them either disclose sensitive information or perform actions the attacker needs for further exploitation. A study by Agari and PhishLabs found a five-fold increase in attempted vishing attacks between 2021 and 2022.
Given the clear increase in social engineering-based attacks, it is crucial that organisations and the public are aware of the tactics attackers may employ. Educating people on these tactics may reduce the likelihood of successful attacks, especially against those who may be more vulnerable, such as non-technically literate people.
Human emotions can be manipulated and are often targeted by attackers, especially when performing phishing or other social engineering attacks. Attackers may use the following techniques to increase the likelihood of a successful attack:
A real-world example of a phishing attack that exploited users’ emotions was the 2020 attack against the Spectrum Health System. By using a combination of intimidation and flattery, attackers succeeded in obtaining personal information, access to personal devices and, in some cases, money from users of the service.
To help identify and thwart social engineering attempts, observe the following tips:
When performing phishing attacks, adversaries exploit psychological triggers such as curiosity, fear, urgency and trust. Phishing emails often play on people’s emotions to provoke a response, using the following methods:
Despite the evasive methods attackers will use when performing phishing attacks, the following signs can help people to recognise these attempts:
While the above methods can be useful in spotting and avoiding phishing attacks, the most effective method is regular training. Educating organisations and the public on the most common, as well as the more sophisticated, social engineering techniques reduces the likelihood of a successful attack and improves the cyber hygiene of organisations and individuals.
Effective employee training for cyber hygiene consists of the following crucial elements:
An example of a successful training initiative is Secarma’s simulated social engineering campaigns. Our security experts have previously performed one-off and regular simulated phishing engagements to help customers identify the people within their organisations who may be more susceptible to phishing emails. With this service, customers have been able to identify the employees most at risk and provide them with further training, helping to reduce the risk of the business being compromised via social engineering.
However, as organisations and the people within them often change, and as cyber threats continue to evolve, it is important to maintain and update education on the various threats that exist.
Cognitive biases exert significant influence on risk assessment and decision-making. Individuals often fall into confirmation bias without realising it, favouring information that confirms their pre-existing beliefs and ignoring contradictory evidence.
Availability bias prioritises easily accessible or recent information over more relevant but less salient data. Anchoring bias fixates decision-makers on the initial information they receive, colouring their subsequent judgements. Together, these biases distort risk assessments, potentially leading to underestimation of some threats or overemphasis on others, and so to flawed decisions.
These biases cannot be eliminated, but several strategies can be used to recognise and mitigate their impact:
Countering cognitive biases starts with enabling individuals to recognise and acknowledge that they exist. People who are educated and trained on these biases can learn to identify them in their own thinking and apply strategies to reduce their influence, which leads to more rational and objective decision-making.
Human psychology can be manipulated by attackers to increase the likelihood of their attacks being successful. Therefore, understanding how attackers will target the psyche of potential victims will help organisations and the public reduce the risk of being tricked into providing sensitive information, or placing themselves in a vulnerable position.
It is therefore recommended that organisations integrate human-centric approaches when creating security strategies. Carefully considering how people will react and respond to training materials, as well as to real-world threats, should be an essential part of any security strategy.
In conclusion, fostering a culture of proactive defence through regular training, education and ongoing awareness will help reduce the risk of organisations or the public being harmed by attackers looking to exploit the human psyche for their own nefarious purposes.