Despite the recent advances in cybersecurity defence, humans remain a critical and vulnerable weak link in the chain. While tools can now catch many malicious emails, links, and attack attempts, they often miss the cleverly designed campaigns that prey on human emotion and psychology.
Now more than ever, organisations and security analysts must consider the psychology behind these attacks. Only by understanding how criminals trick users can they work to close the security gap and reduce the risk of users falling for the trap.
The weakest link: The human brain
In an era where hackers continually look for new ways to penetrate systems and accounts, password security remains one of the greatest vulnerabilities. Passwords are a leading contributor to successful attacks, and 80 per cent of hacking-related breaches involved compromised or weak credentials, according to the Data Breach Investigations Report by Verizon.
Organisations are looking to password managers, password generators, and strict new policies to reduce the risk of a breach. They’re also implementing multifactor authentication in many logins to add another level of protection in the event a password is compromised.
Yet regardless of what tools we use to protect passwords or how often we change them, it’s of little help if the human users fall for schemes and voluntarily give up information. Because today’s phishing campaigns prey upon human vulnerabilities and cleverly manipulate basic human psychology, they can make even smart people do dumb things. Cybersecurity professionals must take a closer look at cognitive science and understand how the brain and its processes can influence behaviour.
The Jedi mind tricks employed by social engineering scammers
Recent research demonstrates some of the subtle cognitive psychological techniques in action and how raising awareness of these methods can better protect users from being victimised.
Most of these psychological tactics are enabled by social engineering, a strategy whereby the hacker uses information to pose as a trusted source. From there, they gain the confidence of victims and get them to willingly hand over their credentials, fill out a form, or pay an invoice.
Scams that exploit human emotions have been around for decades. As early as the 1930s, chain letter scams convinced people to make copies of letters, pass them on to others and ask for money. In the 1980s, romance scams preyed on lonely men and convinced them to give up hundreds or thousands of dollars. And by the time email went mainstream in the 1990s, “419 scams” duped countless people into giving up sensitive information in the hope they’d receive a windfall from a Nigerian prince.
Few people fall for such scams nowadays, but criminals have since moved on to create such highly believable campaigns that even trained professionals cannot identify them.
There are several common persuasion techniques they employ, and they can target basic human emotions such as the desire to please, empathy, sympathy, or fear. One of the most common is the business email compromise (BEC) attack, where “perceived authority” is used to dupe users into acting quickly. These attacks often appear to come from superiors and ask people in accounting or other departments to fill out a form, pay an invoice, or transfer funds via wire.
Criminals are also targeting people at higher levels. The Democratic National Committee leaks started in March 2016 when John Podesta, former White House Chief of Staff and Chair of Hillary Clinton’s presidential campaign, followed a phony Google security alert and entered his login credentials via a spoofed login page. And New York Times columnist Paul Krugman tweeted in early January 2020 that he had nearly fallen victim to a phishing scam when a computer security service notified him that his IP address had been compromised for nefarious activities.
Cognitive tricks: Inattentional blindness & visual similarity
In addition to psychological operations tactics that aim to manipulate behaviour, criminals also use visual cognitive tricks to fool people. Many of these attacks can be concealed as legitimate looking login requests from established companies, vendors, or trusted parties.
A report by Webroot Security noted a 400 per cent increase in new phishing websites in 2019. Many of these sites only come online for four to eight hours on average and mimic trusted brands such as Microsoft, PayPal, HSBC Holdings, Adobe and Wells Fargo. Our own study found that nearly a quarter of malicious emails now include links to active phishing sites.
These emails are designed to focus victims’ attention elsewhere so they don’t pick up on the fine details. Hackers exploit the phenomenon of “inattentional blindness”, luring victims with visually similar websites that are designed to closely resemble a legitimate website in order to harvest a user’s credentials. With inattentional blindness, an individual fails to perceive an unexpected change in plain sight. While the phenomenon was first identified in the early 1990s, it came back into light in 2012 when a video posted online asked how many white-shirted players passed a ball. Viewers were so focused on counting the white shirts that half of them failed to recognise the woman in the gorilla suit in the middle of the picture.
When a user is so focused on what they’re looking for, or on certain elements of an email or page, they can often miss the more obvious cues that the site or email is fraudulent. Attackers are constantly trying to make phishing websites similar enough to make a human think they’re legitimate while keeping them just different enough to bypass security tools that rely on signature matching technologies. Of the nearly 6,000 phishing websites we identified, each had a visual or verbal flaw that wasn’t recognised by conventional antivirus technologies.
Other attacks use timers to create a sense of urgency. While timers are sometimes used in legitimate sites that deal with purchasing or sensitive information, they can also make victims respond more promptly and overlook the more obvious signs that a page is phony.
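As an added defender-side illustration (not code from the article or from IRONSCALES), the following Python contrasts an exact-match "signature" check with a confusable-aware edit-distance check for lookalike hostnames; the brand list, the confusables subset and the sample hostnames are constructed for the example.

```python
# Added example: why exact "signature" matching misses visually similar hostnames,
# and how folding confusable characters plus an edit distance catches them.
# The brand list and confusables map are constructed subsets, not a full table.
from typing import Optional

# Visually confusable sequences folded to their ASCII look-alike.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
}

TRUSTED_BRANDS = ["microsoft", "paypal", "hsbc", "adobe", "wellsfargo"]


def normalise(label: str) -> str:
    """Fold confusables so 'paypa1' and 'p\u0430ypal' both compare as 'paypal'."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname (naive: ignores multi-part suffixes like co.uk)."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def signature_match(hostname: str) -> bool:
    """What an exact-match filter sees: is the label literally a known brand?"""
    return registrable_label(hostname) in TRUSTED_BRANDS


def lookalike_brand(hostname: str, max_distance: int = 1) -> Optional[str]:
    """Return the brand a hostname visually impersonates, or None if it is genuine/unrelated."""
    raw = registrable_label(hostname)
    if raw in TRUSTED_BRANDS:
        return None  # the genuine label itself, not an impersonation
    folded = normalise(raw)
    for brand in TRUSTED_BRANDS:
        if edit_distance(folded, brand) <= max_distance:
            return brand
    return None
```

Treat a non-None result as a signal to enrich (domain age, certificate, hosting) rather than as a verdict, since short legitimate labels can sit within one edit of a brand name.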
One thing that’s for sure is that attackers won’t stop innovating, and we can never be sure exactly which psychological tactic they may employ next. As humans will always be the weakest link in the security equation, it is critical that security teams consider the quirks of the human psyche so that we may better understand how they are exploited.
Ian Baxter, Vice-President of Pre-Sales Engineering, IRONSCALES