Cyber Security as a Behavioural Science: Part 5
Consider the following paradox. On the one hand, it is very difficult to get people's trust. People do not trust politicians, corporations, and sometimes even their own family members. Yet, on the other hand, people tend to trust complete strangers who send them phishing emails. Why is this the case? In the current environment, the majority of cyber breaches are either entirely based on social engineering or involve social engineering as a component of wider attacks. In fact, our analysis of cyber threats (previously published as a part of this blog) demonstrates that about 2/3 of all known cyber breaches involve some psychological component. So, why do we keep making the same mistakes over and over again? There are 5 main psychological reasons for this.
The problem is that any adversarial social engineering attack is built on 5 key components, and we, as humans, do not deal well with any of them, simply because our minds are psychologically limited in how they process them. These components are: Relevance, Time Pressure, Empathy, Plausibility, and Rationalizability.
1. Relevance: cybercriminals often engage in widespread hijacking of topics from social and traditional media. They pick the most relevant pieces of information, hot topics and important events, and use these topics as bait in their attacks. Let's consider the following example. Imagine that you see the following news items online (I have used actual news titles from today's online news) - which of the two links are you most likely to click on?
I am willing to bet that, unless you are a real art-lover, you will opt for A over B (even if you are really tired of COVID19 news right now). Why is that? Because COVID19 news is simply a lot more relevant and important to you right now than art news. You are much more likely to receive a phishing email with the term "COVID19" in the title than one with "18th century portraits", because it is far more probable that you will click on and open an email if you believe it contains information about COVID. This appeals to our "salience bias" (so-called perceptual salience) - a cognitive bias that "predisposes individuals to focus on items that are more prominent or emotionally striking and ignore those that are unremarkable, even though this difference is often irrelevant by objective standards".
2. Time Pressure: humans are not great at making decisions in highly dynamic environments when they experience time pressure. If you have ever taken exams at school, college or university, you will understand what I mean. Time pressure makes many great students make strange mistakes - mistakes they would not have made had they not faced a time limit. This trick (i.e., nudging us towards quick, suboptimal, impulsive decisions) is also often used by corporate marketing teams. "Limited time offer", "hurry while discounts last", and so on - all these statements are designed to appeal not only to our time-related anxieties, but also to social anxieties such as the fear of missing out (i.e., the fear that others will take advantage of an opportunity while we fail to do so).
3. Empathy: phishing emails are often designed to make the potential victim empathise or connect psychologically. To achieve this, a trick adversaries often use is to provide some context for the situation. Consider, for example, the following two images:
Both images depict the same situation: a mother and child in distress and upset. However, image B makes the majority of people empathise a lot more than image A. Why is that? The reason is very simple - in case A we see that the child is upset, but we do not know what caused this situation. The child could be upset because something bad and significant happened, but he could also be upset for no good reason. In case B, by contrast, we understand that the image depicts a divorce. Hence, we can appreciate the challenges the mother and child are facing a lot better, and we care a lot more. So it is no wonder that many people reply to fake appeals for help when a fictional person in distress provides a significant amount of context and detail about their situation (a technique many cybercriminals have mastered to perfection).
4. Plausibility: in many instances, successful cyber attacks do not involve sophisticated programming. They use very basic programming, but perfected in every little detail. For example, it does not take much time to replicate the interface of your HR department's website, or even the interface of, say, PayPal. The goal of cybercriminals is not sophistication in the technical execution of the attack, but sophistication in mimicking authenticity. If they can trick you into believing that you are dealing with an authentic entity or actor, their job is, essentially, done. We, as humans, are not very attentive. We take many things for granted, especially when we do something habitually. Therefore, it is very easy to mislead us by pretending to be someone credible. For example, the name and reputation of Martin Lewis, who founded the consumer website MoneySavingExpert.com, were recently used by cyber adversaries to create fake financial advice ads on Facebook, which cost unsuspecting citizens many thousands of pounds. It did not take much technical expertise to produce those ads, yet they caused substantial financial harm to the victims and significant reputational damage to Martin Lewis, who eventually sued Facebook for defamation.
5. Rationalizability: finally, cybercriminals often follow a very logical procedure or describe a logical process to their victims. For example, they explain that unless the victim takes immediate action, (s)he will suffer financial loss, miss out on an opportunity, etc.; or, alternatively, that unless the victim helps a fictitious person in need, this person will find him or herself in financial hardship, in trouble, etc. Again, rationalizability appeals to human psychology because it helps establish credibility: i.e., "if it is logical, it must be true".
Cybercriminals masterfully exploit human psychological traits and behavioural biases in their social engineering attacks. Relevance, Time Pressure, Empathy, Plausibility, and Rationalizability are 5 major tools adversaries use to trick us into believing them. While there is not much we can do about our psychology, we can still prevent attacks by becoming more aware of our biases.